The walk through of mango box from HTB.

Description:

This is a Medium-Linux box teaches us enumeration and trying every possible solution and idea, who knows maybe the idea in your mind is the right way.
This box has a no-sql database which was vulnerable and can give us the user permissions, and the user can read files with root permissions so, let’s see how to pwn this mango!

[1] Information gathering:

We start with nmap tool to scan open ports and know services running on these ports.

# Nmap 7.80 scan initiated Fri Feb 21 02:41:21 2020 as: 
nmap -sV -sC -A -p- -T 4 -oA nmap mango.htb
Nmap scan report for mango.htb (10.10.10.162)
Host is up (0.17s latency).
Not shown: 65531 closed ports
PORT     STATE SERVICE VERSION
22/tcp   open  ssh     OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 a8:8f:d9:6f:a6:e4:ee:56:e3:ef:54:54:6d:56:0c:f5 (RSA)
|   256 6a:1c:ba:89:1e:b0:57:2f:fe:63:e1:61:72:89:b4:cf (ECDSA)
|_  256 90:70:fb:6f:38:ae:dc:3b:0b:31:68:64:b0:4e:7d:c9 (ED25519)
80/tcp   open  http    Apache httpd 2.4.29 ((Ubuntu))
|_http-server-header: Apache/2.4.29 (Ubuntu)
|_http-title: 403 Forbidden
443/tcp  open  ssl/ssl Apache httpd (SSL-only mode)
|_http-server-header: Apache/2.4.29 (Ubuntu)
| ssl-cert: Subject: commonName=staging-order.mango.htb/organizationName=Mango Prv Ltd./stateOrProvinceName=None/countryName=IN
| Not valid before: 2019-09-27T14:21:19
|_Not valid after:  2020-09-26T14:21:19
|_ssl-date: TLS randomness does not represent time
| tls-alpn: 
|_  http/1.1
8000/tcp open  http    PHP cli server 5.5 or later
|_http-title: 404 Not Found
No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ).
TCP/IP fingerprint:
OS:SCAN(V=7.80%E=4%D=2/21%OT=22%CT=1%CU=40926%PV=Y%DS=2%DC=T%G=Y%TM=5E4F2A9
OS:F%P=x86_64-pc-linux-gnu)SEQ(SP=105%GCD=1%ISR=10D%TI=Z%CI=Z%II=I%TS=A)OPS
OS:(O1=M54DST11NW7%O2=M54DST11NW7%O3=M54DNNT11NW7%O4=M54DST11NW7%O5=M54DST1
OS:1NW7%O6=M54DST11)WIN(W1=7120%W2=7120%W3=7120%W4=7120%W5=7120%W6=7120)ECN
OS:(R=Y%DF=Y%T=40%W=7210%O=M54DNNSNW7%CC=Y%Q=)T1(R=Y%DF=Y%T=40%S=O%A=S+%F=A
OS:S%RD=0%Q=)T2(R=N)T3(R=N)T4(R=Y%DF=Y%T=40%W=0%S=A%A=Z%F=R%O=%RD=0%Q=)T5(R
OS:=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)T6(R=Y%DF=Y%T=40%W=0%S=A%A=Z%F
OS:=R%O=%RD=0%Q=)T7(R=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)U1(R=Y%DF=N%
OS:T=40%IPL=164%UN=0%RIPL=G%RID=G%RIPCK=G%RUCK=G%RUD=G)IE(R=Y%DFI=N%T=40%CD
OS:=S)
Network Distance: 2 hops
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
TRACEROUTE (using port 111/tcp)
HOP RTT       ADDRESS
1   256.69 ms 10.10.14.1 (10.10.14.1)
2   256.70 ms mango.htb (10.10.10.162)
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Fri Feb 21 02:55:59 2020 -- 1 IP address (1 host up) scanned in 878.49 seconds

I added [staging-order.mango.htb] to the /etc/hosts and started to enumerate every port as usual.
I didn’t find any interesting files or directories by gobuster.

I visited https://mango.htb/ and i found a search engine but it didn’t work.

And the analytics in the high right corner took me to /analytics.php page and i found

I added codepen.io to the /etc/hosts and i visited https://codepen.io/analytics.php and i found

It was a rabbit hole and wasted my time :”)

[2] Scanning:

I started to enumerate the another sub-domain so I visited https://staging-order.mango.htb/ that i typed on /etc/hosts but i didn’t find anything so, i visited http://staging-order.mango.htb/ and i found a login page

It took me a long time and i though it’s not vulnerable but i tried to scanning it against the no-sql databases and i found that it had the Mongo-db and when i intercepted the request and edited it to be as follow:

The bypass was successfully worked and it took me to

[3] Exploitation:

For now we have a no-sql injection and after some searches on google to exploit this type of databases i found that i can enumerate all users and passwords on that database, and i found a nice script to automate this process