Mango is a retired Linux machine on Hack The Box; the goal is to obtain the user and root flags by exploiting its vulnerabilities.
We start with an nmap scan to identify the services exposed by the target machine.
Classic Scan
Full port scan
The port scan shows three open ports: 22/tcp (ssh, OpenSSH 7.6p1), 80/tcp (http, Apache httpd) and 443/tcp (ssl/http, Apache). In the SSL certificate details the scan reported commonName=staging-order.mango.htb, so we added both the subdomain and the domain to the hosts file.
We got a Forbidden error when we browsed to the site over port 80.
We ran a Gobuster scan and got nothing.
We accessed the site via HTTPS on port 443.
We looked at the page source and at Wappalyzer in the browser developer tools and could not find anything.
The only thing visible in the web interface was /analytics.php, and we could not get any information from it.
We ran another Gobuster scan and still got no results.
Let's look at the subdomain we detected in the nmap scan.
We looked at the web interface, at the source code and at Wappalyzer, got nothing, and ran a Gobuster scan as well.
We found no result.
Let's look at the input fields here and see what we can do.
We tried default passwords on the admin login form without success, and the Forgot Password button does not work.
Let's intercept the request with Burp Suite and inspect it.
Here we saw username=admin&password=admin&login=login; we tried SQL injection attacks on these parameters without success.
We try a NoSQL injection attack instead.
https://book.hacktricks.xyz/pentesting-web/nosql-injection
Let's try the payload given there:
username[$exists]=true&password[$exists]=true
After sending it, we are redirected to /home.php, but that page reports that it is not working.
So there is a NoSQL injection vulnerability here; following the HackTricks section on exploiting it, we can extract the users from the database.
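The root cause behind the payload above is that PHP parses bracketed parameter names into arrays, so username[$exists]=true reaches the query as a MongoDB operator instead of a string. The following Python is an added illustration (not the page's own code, and the login handler it mirrors is a hypothetical reconstruction): it reproduces that parsing step, shows the unsafe filter beside a hardened one that only accepts plain strings, and includes a small detection helper for request logs.

```python
from urllib.parse import parse_qsl

# Constructed sample bodies: the normal login captured in Burp on this page,
# and the $exists payload the page sends.
NORMAL_LOGIN = "username=admin&password=admin&login=login"
INJECTED_LOGIN = "username[$exists]=true&password[$exists]=true"


def parse_php_style(query: str) -> dict:
    """Parse a form body the way PHP builds $_POST: a key such as
    username[$exists] becomes {'username': {'$exists': 'true'}}.
    This is the step that turns a string parameter into a structure."""
    form: dict = {}
    for key, value in parse_qsl(query, keep_blank_values=True):
        if key.endswith("]") and "[" in key:
            outer, inner = key[:-1].split("[", 1)
            form.setdefault(outer, {})[inner] = value
        else:
            form[key] = value
    return form


def vulnerable_filter(form: dict) -> dict:
    """Hypothetical flawed pattern: whatever PHP parsed goes straight into the
    MongoDB filter, so a nested dict is interpreted as a query operator."""
    return {"username": form.get("username"), "password": form.get("password")}


def hardened_filter(form: dict) -> dict:
    """Only plain strings reach the database; any nested structure is refused
    before a query is built, which closes the operator-injection path."""
    creds = {}
    for field in ("username", "password"):
        value = form.get(field)
        if not isinstance(value, str):
            raise ValueError(f"{field}: expected a plain string, got {type(value).__name__}")
        creds[field] = value
    return creds


def accepts_login(form: dict) -> bool:
    """True if the hardened builder would accept this form body."""
    try:
        hardened_filter(form)
        return True
    except ValueError:
        return False


def injected_operators(form: dict) -> list:
    """Detection helper for request logs or WAF rules: fields whose value is a
    dict carrying a MongoDB operator key (a key starting with '$')."""
    return [field for field, value in form.items()
            if isinstance(value, dict) and any(k.startswith("$") for k in value)]
```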
We used this tool: first we downloaded it, then we looked at how it is used.
2 username(s) found:
admin
mango
h3mXK8RhU~f{]f5H
t9KcS3>!0B#2
We have obtained credentials.
Let's try to make an SSH connection with this information.
We logged in using the information mango:h3mXK8RhU~f{]f5H
From here we switch to the admin user to get the user.txt flag; we change user with the credentials we obtained.
We got our user flag, but we do not have root privileges yet, so we move on to local enumeration.
We came across jjs, which appeared under the home directory.
Let's check it on GTFOBins to see whether there is a method of exploiting it.
SUID
sudo install -m =xs $(which jjs) .
echo "Java.type('java.lang.Runtime').getRuntime().exec('/bin/sh -pc \$@|sh\${IFS}-p _ echo sh -p <$(tty) >$(tty) 2>$(tty)').waitFor()" | ./jjs
Let's modify this command to suit our needs.
Inside exec we replace the command with
'cp /bin/bash /tmp/exec'
which copies bash to the tmp directory.
Then we made this exec file run.
We run it with -p so that it keeps root privileges.
In this way we obtain root privileges.