Mango - HTB Writeup
Mango
Information Gathering
Nmap Port Scan
Nmap Script Scan
Service Enumeration
Nikto Web Scan on Port 80
FFuF Web Enumeration on Port 80
SSL Scan on Port 443
Nikto Web Scan on Port 443
FFuF Web Enumeration on Port 443
Web Enumeration on Port 80
Web Enumeration on Port 443
Penetration
Login Page MongoDB Exploitation
The login request is moved to Burp for further enumeration. Basic SQL injection tests show that the database is not SQL injectable. Testing with an [$ne]=
(the equivalent to a ' OR 1=1-- -
for the MongoDB NoSQL back-end database) shows that user input sanitization is being performed on the login form. This returns a 302 Found instead of the 200 OK response.
We can use this piece of information to enumerate the database and find the true administrator password. A Python script is below that shows the automated enumeration of these credentials.
This admin password is not useful for any of the other services on the target. We can try more users with the initial payload, and then the second exploit to find their passwords. Using the name of the box we can attempt the mango
user and we find the following credentials: mango:h3mXK8RhU~f{]f5h
Mango User Shell
We can SSH in as the Mango user, but they do not have ownership of anything.
Privilege Escalation
Admin User Shell
While we cannot SSH into the target server as the admin user the admin user does exist on the target machine and by using the password found in the database initially we can pivot to the admin user and read the user flag.
JJS SUID Binary Exploitation
Quick enumeration with automated privilege escalation enumeration scripts shows that a SUID is set on the target host for the binary at /usr/lib/jvm/java-11-openjdk-amd64/bin/jjs
and is running with root-level permissions by all users. This is a publicly known SUID GTFO Binary which means that there is public documentation on how to utilize these permissions for privileged file reading and a privileged shell. The second screenshot below shows the process for a privileged file read, as we read /root/root.txt
on the target server. The second screenshot shows the privileged file read that allows us to copy our public key into /root/.ssh/authorized_keys
. After performing this exploitation we can SSH in as root on the target server.