OSCP PREPARATIONS – HTB Mango

Mango is a retired Linux machine; the goal is to obtain the user and root flags by exploiting its vulnerabilities.
We start with an nmap network scan to get to know the target machine.
Classic Scan

Full port scan

As a result of the port scan, 22/tcp ssh (OpenSSH 7.6p1), 80/tcp http (Apache httpd) and 443/tcp ssl/http (Apache) are open. In the ssl section of the scan we encountered commonName=staging-order.mango.htb in the certificate, so we added both the subdomain and the domain to the hosts file.

We encountered a Forbidden error when we went to port 80.

We ran a Gobuster scan and found nothing.

We accessed the site via https on port 443.

We looked at the source code with Wappalyzer and in developer mode and could not find anything.
We only saw /analytics.php in the web interface, and we could not get any information from it.

We ran another scan with Gobuster and still got no results.

Let's look at the subdomain we detected in the last nmap scan.

We looked at the web interface, we looked at the source code, we looked with Wappalyzer, and we did a scan with Gobuster.
We found no results.

Let's look at the input fields here and see what we can do.
We tried default passwords in the admin password field and could not log in successfully; the Forgot Password button does not work.
Let's intercept the request with Burp Suite and look at it.

Here we saw username=admin&password=admin&login=login, where we tried SQL injection attacks without success.
We try a NoSQL injection attack instead:
https://book.hacktricks.xyz/pentesting-web/nosql-injection
Let's try the attack method given there:
username[$exists]=true&password[$exists]=true

After sending this, the application redirects to /home.php, but that page reports that it is not working.
So there is a NoSQL injection vulnerability here; we look at the HackTricks section on exploiting it, which lets us extract the users.
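To make clear why the `username[$exists]=true` payload above logs in without a password, here is an added example (not code from the original writeup or from the box): a minimal model of the login, with the vulnerable query construction beside a hardened one. The user record, the body parser and the matcher are constructed stand-ins for Express's extended urlencoded parser and MongoDB.

```javascript
// Added example, not from the writeup: why `username[$exists]=true` matches
// a naive MongoDB login and how a simple type check stops it.

// Parse "a[b]=c" bodies the way Express's extended urlencoded parser does:
// bracketed keys become nested objects, so `$exists` arrives as an operator.
function parseBody(raw) {
  const body = {};
  for (const pair of raw.split('&')) {
    const [k, v] = pair.split('=').map(decodeURIComponent);
    const m = k.match(/^([^\[]+)\[([^\]]+)\]$/);
    if (m) body[m[1]] = { ...(body[m[1]] || {}), [m[2]]: v };
    else body[k] = v;
  }
  return body;
}

// Constructed sample collection (placeholder values, not the box's).
const USERS = [{ username: 'admin', password: 'sample-admin-pw' }];

// Tiny subset of MongoDB matching: plain values compare by equality,
// objects are treated as operator documents (only $exists is modelled).
function fieldMatches(stored, cond) {
  if (cond !== null && typeof cond === 'object') {
    if ('$exists' in cond) {
      const want = cond.$exists === true || cond.$exists === 'true';
      return (stored !== undefined) === want;
    }
    return false;
  }
  return stored === cond;
}
function findOne(filter) {
  const keys = Object.keys(filter);
  return USERS.find(u => keys.every(f => fieldMatches(u[f], filter[f]))) || null;
}

// Vulnerable: request fields are dropped straight into the query filter,
// so {$exists: 'true'} matches every document that has the field.
function vulnerableLogin(raw) {
  const b = parseBody(raw);
  return findOne({ username: b.username, password: b.password });
}

// Hardened: only strings may reach the filter; operator objects are rejected.
function hardenedLogin(raw) {
  const b = parseBody(raw);
  if (typeof b.username !== 'string' || typeof b.password !== 'string') return null;
  return findOne({ username: b.username, password: b.password });
}
```

The same defence applies to any field that is copied from the request into a query document: reject or stringify anything that is not a primitive before it reaches the driver.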

We used this tool: first we downloaded it and then looked at how it is used.

2 username(s) found:
admin
mango
h3mXK8RhU~f{]f5H
t9KcS3>!0B#2
We have obtained credential information.
Let's try to make an SSH connection with it.
We logged in with mango:h3mXK8RhU~f{]f5H

Here we switch to the admin user to get the user.txt flag; we change our user with the credential information we obtained.

We got our user flag, but we did not have root privileges yet, so we do local enumeration.

We came across jjs, which appeared under the home directory.
Let's look at its GTFOBins page to see whether there is a method of exploiting it.

SUID
sudo install -m =xs $(which jjs) .
echo "Java.type('java.lang.Runtime').getRuntime().exec('/bin/sh -pc \$@|sh\${IFS}-p _ echo sh -p <$(tty) >$(tty) 2>$(tty)').waitFor()" | ./jjs
Let's modify this command to suit ourselves.
After exec we put
'cp /bin/bash /tmp/exec'
which copies bash to the tmp directory.
Then we gave this copy the permissions it needs to run as root, and we run it with -p so that bash keeps root authorization.

In this way we obtain root privileges.