HTB Mango Writeup

Mango is a good Linux-based machine for improving your enumeration skills; you might learn some new things from it.


nmap -sC -sV

Opening the host in our browser on port 80, we are presented with a 403 Forbidden error, so we tried opening the host on 443 and got this.

Now this looks like a search engine, so let's check the source code.
After looking at the source code, we couldn't find anything there.
Let's check the nmap report again.

| ssl-cert: Subject: Prv Ltd./stateOrProvinceName=None/countryName=IN

Adding this to our /etc/hosts
$ echo "" >> /etc/hosts

We can browse
Here we can see a login panel like this

After trying random credentials we got nothing.
Here, mango could be a wordplay on MongoDB.
MongoDB is a NoSQL database, so to exploit it we need to search for MongoDB NoSQL.
To confirm this we went to this GitHub repo and tried authentication bypass.

Basic authentication bypass using not equal ($ne) or greater ($gt)


In response we got HTTP/1.1 302 Found
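
Why the operator bypass above works, and the type check that stops it, as an added example (not code from the original writeup or from the target application). The function names, the sample account and the in-memory `matches` helper standing in for MongoDB are assumptions made for illustration.

```python
import re
from urllib.parse import parse_qsl

# Constructed sample account; plaintext password only to keep the demo short.
USERS = [{"username": "alice", "password": "correct-horse"}]

def parse_form(body):
    """Parse a form body PHP-style: name[key]=v becomes {"name": {"key": "v"}}."""
    out = {}
    for key, value in parse_qsl(body, keep_blank_values=True):
        m = re.fullmatch(r"([^\[\]]+)\[([^\[\]]+)\]", key)
        if not m:
            out[key] = value
            continue
        nested = out.get(m.group(1))
        if not isinstance(nested, dict):
            nested = out[m.group(1)] = {}
        nested[m.group(2)] = value
    return out

def matches(doc, flt):
    """Stand-in for MongoDB filter matching: equality, $ne and $gt only."""
    for field, cond in flt.items():
        have = doc.get(field, "")
        if not isinstance(cond, dict):
            if have != cond:
                return False
            continue
        for op, arg in cond.items():
            if op == "$ne" and have != arg:
                continue
            if op == "$gt" and have > arg:
                continue
            return False
    return True

def login_weak(params):
    # Request values go straight into the filter, so a dict becomes an operator.
    flt = {"username": params.get("username"), "password": params.get("password")}
    return any(matches(u, flt) for u in USERS)

def login_hardened(params):
    # Accept plain strings only; anything else never reaches the query.
    user, pw = params.get("username"), params.get("password")
    if not (isinstance(user, str) and isinstance(pw, str)):
        return False
    return any(matches(u, {"username": user, "password": pw}) for u in USERS)
```

The hardened version rejects the request on type alone, so valid string credentials still log in while any bracketed operator parameter fails before a query is built.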

After searching about it we came across a GitHub repository which can enumerate usernames and passwords of NoSQL (MongoDB) injection vulnerable web applications.

After running the script we now have 2 credentials.

We can connect as the user mango over SSH with the password we got earlier.

#ssh mango@
mango@'s password:
Welcome to Ubuntu 18.04.2 LTS (GNU/Linux 4.15.0-64-generic x86_64)
System information as of Fri Apr 17 05:33:13 UTC 2020
System load: 0.12 Processes: 117
Usage of /: 25.9% of 19.56GB Users logged in: 1
Memory usage: 16% IP address for ens33:
Swap usage: 4%
Canonical Livepatch is available for installation.
Reduce system reboots and improve kernel security. Activate at:
122 packages can be updated.
18 updates are security updates.
Failed to connect to Check your Internet connection or proxy settings
Last login: Fri Apr 17 05:14:54 2020 from

We got the shell.
There is nothing here for this user, and we can't find any user flag. Checking the home folder to find the flag under the other user, we couldn't get into it.
But we have an admin password, so let's try to switch from mango to admin with the password we got previously.
su admin
It worked.

mango@mango:~$ su admin
$ whoami
$ cat /home/admin/user.txt

Now the main part is to get the root flag.
To get an idea for privilege escalation we can run LinEnum here.
curl | bash
Reading the output of LinEnum, we saw this line:

We searched for this on Google and saw this.
We can print root.txt from this.

We got the root flag, but we still don't have a root shell. We can write our SSH public key to authorized_keys to get SSH access as root.


You can print root.txt or get a root shell by using the -scripting flag.

To get a shell you can use the same method.

Here we got our root shell.

Hope you like it.
