HTB: Mango Machine

Walkthrough of the HackTheBox Mango machine, 10.10.10.162

Olivier (Boschko) Laflamme
Apr 18, 2020

A little about me: I’m a Jr Pentester in Toronto, CA. #2 HTB rank in Canada, rank ~60 on RingZeroCTF. I’m in love with CTFs and HTB. Hope you enjoy my write-up.

Go give me a respek!

What you will learn from this box:

  1. NoSQL injections
  2. Abusing the jjs command-line tool

We’ll start with enumeration. I like to use the Legion tool to speed up this process and make sure I haven’t overlooked anything.

Figure — 1
Figure — 2

From our scan we now know that this box runs OpenSSH 7.6, and Apache 2.4.29 on ports 80 and 443. In addition, the nmap scan shows that another hostname exists, so let’s add it to our hosts file.

Figure — 3

Now let’s visit the staging-order.mango.htb webpage, where we’re greeted with a login page.

Figure — 4

Because of the machine name, I assumed before even starting the box that I might be dealing with MongoDB, a NoSQL database. So let’s start playing around with Burp Suite. We’re going to attempt NoSQL injections, and we can refer to PayloadsAllTheThings for some help.

Figure — 5

Using the Burp Suite web proxy, we intercept the login request and change the POST parameters username and password to username[$ne]= and password[$ne]= respectively, where $ne is the MongoDB query operator “not equal to”. Basically, we will match the first user whose username is not equal to ‘Boschko’ and whose password is not equal to null, allowing us to authenticate to the application without providing a valid username or password.
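Why a login handler accepts this request, and the type check that closes it, as an added example that is not part of the original write-up or the box's actual code. The user store, the bracket-parsing helper and the function names are assumptions, and a small matcher stands in for MongoDB:

```python
import re
from urllib.parse import parse_qsl

# Constructed user store standing in for the MongoDB collection (made-up values).
# A real application would store password hashes, not plaintext.
USERS = [{"username": "alice", "password": "correct-horse"}]

def parse_form(body):
    """Parse a form body the PHP way: key[sub]=v becomes {key: {sub: v}}."""
    form = {}
    for key, value in parse_qsl(body, keep_blank_values=True):
        m = re.fullmatch(r"([^\[\]]+)\[([^\[\]]*)\]", key)
        if not m:
            form[key] = value
            continue
        if not isinstance(form.get(m.group(1)), dict):
            form[m.group(1)] = {}
        form[m.group(1)][m.group(2)] = value
    return form

def matches(doc, query):
    """Tiny stand-in for MongoDB matching: equality plus the $ne operator."""
    for field, cond in query.items():
        if isinstance(cond, dict):
            if set(cond) != {"$ne"} or doc.get(field) == cond["$ne"]:
                return False
        elif doc.get(field) != cond:
            return False
    return True

def find_one(query):
    return next((u for u in USERS if matches(u, query)), None)

def login_vulnerable(body):
    form = parse_form(body)
    # Request values go straight into the query, so a dict acts as an operator.
    return find_one({"username": form.get("username"),
                     "password": form.get("password")})

def login_hardened(body):
    form = parse_form(body)
    user, pw = form.get("username"), form.get("password")
    # Accept plain strings only; nested input never reaches the query.
    if not isinstance(user, str) or not isinstance(pw, str):
        return None
    return find_one({"username": user, "password": pw})
```

The hardened handler still logs in a user who sends the correct string credentials; it only refuses parameters that arrive as nested structures.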

Figure — 6

Although we aren’t able to authenticate as the admin user, even with a null password and the same exploit as above, we do know that the application is vulnerable to NoSQL injection. We can therefore attempt to gather a list of usernames and passwords from the database.

Figure — 7

Since I’m too lazy to write my own code, I’ll use THIS gentleman’s code to brute-force the usernames and passwords.

Figure — 8

As seen from the output, we obtain the following credentials:

  1. mango:h3mXK8RhU~f{]f5H
  2. admin:t9KcS3>!0B#2

With those credentials we discover some very dirty credential reuse, as the mango user’s credentials work over SSH. The admin password doesn’t work for SSH, but it works for the su command.

Figure — 9

Let’s quickly grab the user flag and move on to privilege escalation!

Figure — 10

So let’s import LinPEAS to see what type of privilege escalation method we’ll approach.

Figure — 11

As it turns out, checking for SUID privilege escalation returned the following:

Figure — 12

With LinPEAS, when something is highlighted in yellow like that, it means that privilege escalation via this vector is almost guaranteed. So let’s go to GTFOBins to figure out how we could go about using jjs. There are a lot of things we can do, but all we really want to do here is read the root flag.

Figure — 13

So let’s go ahead and get our flag!

Figure — 14

However, for the sake of completeness, let’s also obtain a shell as root. We can accomplish this by breaking out of the interactive shell and uploading our public key to the machine’s authorized_keys.

So we’ll “break out” of the shell by adding the admin to the admin group. In doing so, we’re permitting ourselves to execute commands as root, so once that’s done we’ll run sudo -i to “log out” and back in for the changes to be noticeable.

Figure — 15

Now for some pretty bad persistence, upload your SSH keys :)

The End.

My Website: https://olivierlaflamme.github.io/

My GitHub: https://github.com/OlivierLaflamme
