HackTheBox Writeup — Mango
Hack the Box is an online platform where you can practice your penetration testing skills. This is my writeup for the HackTheBox Machine ‘Mango’, which runs a Linux OS and is one of the ‘Medium’ rated machines.
1. Summary
The initial foothold on this box involves exploiting a web application that is vulnerable to NoSQL Injection (MongoDB), which allows us to extract credentials for two users, mango and admin. We SSH in as mango and escalate privileges to admin using ‘su’ with the previously extracted admin password. To get a root shell, we exploit a SUID Binary that allows us to write our public SSH key into root’s authorized_keys file.
2. Enumeration and Initial Foothold (User: Mango)
I began my enumeration by running a full Nmap port scan enabling safe scripts (-sC), service detection (-sV) and all ports (-p-).
The results show SSH on port 22, a web application running on port 80 for which we received a HTTP 403 ‘Forbidden’ response and a HTTPS web application on port 443. I noticed that for port 443 Nmap returned a the server name ‘staging-order.mango.htb’, so I added this to my /etc/hosts file and proceeded to the web application on port 80.
As the server name wasn’t specified for port 80 I didn’t include it in the URL when initially visiting this webpage, and as expected I receive a HTTP 403 response. So I proceeded to port 443 and Firefox warned me that this website uses a self-signed SSL certificate. Inspecting the certificate we retrieve the server name as identified by Nmap and a potential username/email address.
Accepting this SSL certificate presents the page below, however the functionality is limited. At this stage I realised that the box name might be linked to a well-known NoSQL database ‘MongoDB’, although there was nothing exploitable on this web application.
I took a step back and decided to try the server name on Port 80 instead of the IP address and we get a login page instead of a HTTP 403 response.
I knew I had a potential username/email with ‘admin@htb.local’, but no credentials. I did some research on MongoDB vulnerabilities and found a NoSQL Injection vulnerability that would let me bypass authentication and extract usernames/passwords based on the HTTP 302 URL-Redirects received from the web application. The most useful resources that helped me understand this were:
- PayloadAllTheThings;
- A Medium article by Fiddly Cookie;
I decided to test this exploit within BurpSuite with the admin@htb.local username. By intercepting the login request, sending it to repeater and altering the username and password fields to include the MongoDB ($ne) operator along with a test character ‘a’. We get a HTTP 302 URL-Redirect response to a new webpage: http://staging-order.mango.htb/home.php
The page that is found is rather uninteresting but it confirms that our exploit works and we can use this to find the usernames and credentials for this web application.
To extract usernames and passwords, I ended up using an open-source Python script from Github written by an0nlk. I did attempt at writing my own Python script to do this, but certain characters continued to evade me. I guess I need to brush up on my regex.
Username Extraction Command:
python nosqli-user-pass-enum.py -u http://staging-order.mango.htb
-up username -pp password -ep username -m POST
Password Extraction Command:
python nosqli-user-pass-enum.py -u http://staging-order.mango.htb
-up username -pp password -ep password -m POST
As shown, we get two sets of credentials:
- Mango : h3mXK8Rhu~f{]fh
- Admin : t9KcS3>!0B#2
After trying both of these credentials in SSH, we gain the initial foothold as the Mango User.
4. User — Admin
Since the admin user can’t login with SSH, I guessed that the password identified could be their user account password. I tried logging as admin using ‘su’ with the password and we get a shell, which also lets me grab the user flag.
4. Root
The path to root began by transferring LinPeas.sh (Linux Enumeration script) from my Kali machine to the Mango box using Python SimpleHTTPServer and Wget. The two main results that stuck out from this script were:
- Root is able to login via SSH.
- A uncommon SUID binary ‘jjs’, which is part of a Java 11 install.
The SUID is shown below using a command that finds all binaries with the SUID bit set, which is then piped to grep to only show the interesting jjs file.
After some further research surrounding jjs, I looked at potential exploits on GTFOBins. I believe there were numerous different ways of getting a root shell using jjs, such as cron jobs or even just retrieving the root.txt flag without getting a shell. However, since I saw SSH was enabled for root I went down this path and began writing an exploit using jjs to write my public key into root’s authorized_keys file.
The majority of the exploit is shown below, however the terminal kept wrapping around so the third command that included my SSH public key wouldn’t show. The third command simply was:
- jjs> fw.write("ssh-rsa <ssh public_key ... jdr@example.com>");
Once we exit jjs and come back to the directory where the corresponding private key is located on our local machine, we can login as root via SSH and obtain the root.txt flag.
Conclusion
This was the 4th machine I managed to complete on HackTheBox and my first ‘medium’ rated machine. This was by far my favourite box yet and I really enjoyed learning about and exploiting the NoSQL Injection vulnerability, however the Mango → Admin privilege escalation was slightly rudimentary and would have preferred an extra challenge at this stage. Nevertheless, a fun box and a great machine to tackle if you’re looking to make the transition from Easy → Medium rated machines.
- HackTheBox Profile: https://www.hackthebox.eu/profile/232696
Keep an eye out for my future write-ups!
