Hack The Box – Mango Writeup | 10.10.10.162

Hello, I’m back with another active Hack The Box machine Mango writeup. Mango is a medium difficulty Linux machine.

Let's start by adding 10.10.10.162 to the /etc/hosts file as mango.htb.

I found 3 useful ports: SSH on 22, and TCP 80 and 443. I started with the default webpage, but there was nothing there. The secure (HTTPS) page, however, showed a search-engine-like page.

Other than this page, I found nothing interesting, so I went on to investigate the certificate, because I saw “staging-order.mango.htb” in the nmap results. The certificate was for the subdomain mentioned above, so I immediately added it to /etc/hosts. Browsing to staging-order.mango.htb opened a simple login page.

After analyzing the webpage, I found that the box is running MongoDB as its backend database. MongoDB is a NoSQL database, so to exploit it we need NoSQL injection.

I went looking for MongoDB NoSQL injections and found that PayloadsAllTheThings ( https://github.com/swisskyrepo/PayloadsAllTheThings ) has a NoSQL injection script. The GitHub repo covers blind NoSQL injections, which may help me.

Before the exploit, I submitted the login form and intercepted the request using Burp Suite. I added [$ne] after username and password and forwarded the request. The MongoDB backend was vulnerable, because I got /home.php without a password. So I was sure that I could exploit the database using PayloadsAllTheThings.
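Why the [$ne] request gets through, and the input check that stops it, as an added example (not the author's script and not the box's code). The user record, the function names and the tiny matcher are constructed for illustration; the matcher models only equality and $ne, not MongoDB itself.

```python
import re
from urllib.parse import parse_qsl

# Constructed sample user store (not data from the box).
USERS = [{"username": "alice", "password": "correct-horse"}]

def php_style_params(body):
    """Parse a urlencoded body the way PHP fills $_POST: key[sub]=v becomes an array."""
    params = {}
    for key, value in parse_qsl(body, keep_blank_values=True):
        m = re.fullmatch(r"([^\[\]]+)\[([^\[\]]*)\]", key)
        if not m:
            params[key] = value
            continue
        sub = params.get(m.group(1))
        if not isinstance(sub, dict):
            sub = params[m.group(1)] = {}
        sub[m.group(2)] = value
    return params

def field_matches(stored, cond):
    """Minimal model of a query condition: plain equality, or a {"$ne": x} document."""
    if isinstance(cond, dict):
        return all(op == "$ne" and stored != arg for op, arg in cond.items())
    return stored == cond

def login_vulnerable(body):
    """Passes request values straight into the query, so an array acts as an operator."""
    p = php_style_params(body)
    query = {"username": p.get("username"), "password": p.get("password")}
    return any(all(field_matches(u[k], c) for k, c in query.items()) for u in USERS)

def login_hardened(body):
    """Accepts only scalar strings, so operator documents never reach the query."""
    p = php_style_params(body)
    user, pw = p.get("username"), p.get("password")
    if not isinstance(user, str) or not isinstance(pw, str):
        return False
    # A real application would also compare against a password hash, not plaintext.
    return any(u["username"] == user and u["password"] == pw for u in USERS)

def has_operator_keys(body):
    """Detection helper: flag parameters whose bracket key is a $operator."""
    return any(re.search(r"\[\$[A-Za-z]+\]$", k)
               for k, _ in parse_qsl(body, keep_blank_values=True))

if __name__ == "__main__":
    tampered = "username[$ne]=x&password[$ne]=x"
    print(login_vulnerable(tampered), login_hardened(tampered), has_operator_keys(tampered))
```

The same scalar-only check applies to any field that ends up in a query document, and has_operator_keys can be run over logged request bodies to spot tampered logins.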

I made a Python script using this repo (https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/NoSQL%20Injection#extract-data-information).

Here is my script:

After failing several times, I managed to get the script working and found the credentials of user mango:

mango:h3mXK8RhU~f{]f5H

I connected over SSH to mango.htb as user mango and got access.

I tried to read user.txt right away, but access was denied, so I needed admin’s credentials to read the user.txt file. I got a hint from someone in the HTB forum that the admin credentials are stored in MongoDB and that I can get them easily.

Getting User.txt

A simple Google search showed me the commands to get stored credentials, and here they are:

OK, here I got the user.txt using the credentials I obtained above.

Now, looking at the SUID binaries, I have permission to use /usr/lib/jvm/java-11-openjdk-amd64/bin/jjs. I found out that I can run it with the flag -scripting and execute system commands from there. Eventually, I will get root in that process. So, I’m going to inject my RSA key first.

Getting Root.txt


Navin

Hey there, I'm Navin, a passionate Info-Sec enthusiast from Bahrain. I started this blog to share my knowledge. I usually write on HackTheBox machines and challenges, cybersecurity-related articles and bug-bounty. If you are an HTB user and like my articles, please respect here: https://www.hackthebox.eu/home/users/profile/68523
