mango

NOSQL INJECTION | MONGODB | BINARY "JJS" | SSH KEY TO PRIVESC

port scan

Ports 22, 80 and 443 are open. The script scan gives us the name of the domain running on port 80. Domain name :- staging-order.mango.htb

website (80)

The page returns 403 Forbidden when accessed by IP address. I think we have to add the host to /etc/hosts before we can access this page. Yes, now it's working, with an admin panel on it.

directory scan

I did two directory scans, one for <http://staging-order.mango.htb> and the other for <https://10.10.10.162>

/home.php
/index.php
/vendor                            >> brute force again
/vendor/collection/installed.json

I found some PHP and JSON files in this directory, and this particular JSON file turned out to be useful:

http://staging-order.mango.htb/vendor/composer/installed.json

After reading the file I learned that the application is using MongoDB on the server side. That gives us a reason to test for NoSQL injection.

NoSQL injection

shell as mango

I used a payload to bypass the authentication, but there is nothing inside; I need credentials. Since we are dealing with NoSQL, we can use a payload or a script to retrieve data from the database. I used a script, but here are also some manual payloads :-

I got credentials, so now let's try SSH. I tried the admin credentials first, but they failed, so I tried the mango credentials and BOOM, we are in.
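The injection above works because the login code hands request values straight to the MongoDB filter, so a value that arrives as an object is interpreted as query syntax rather than as a password string. The following is an added example of the hardened pattern, written in Python; it is not the Mango site's PHP code. It assumes the framework has already parsed the request body into a dict (nested objects included, as PHP does for `field[key]=value` parameters and as JSON bodies do), and it uses an in-memory `memory_find_one` as a constructed stand-in for `collection.find_one`. The user record, its password and the `$op` key in the rejected input are all constructed for the demonstration.

```python
"""
Hardened login handling for a MongoDB-backed form (added example, not the
original application's code). Two defences are shown side by side with the
vulnerable filter shape: (1) every credential field must be a plain, bounded
string and no '$'-prefixed key may appear anywhere in the body; (2) the query
looks up the username only, and the password is checked in the application
with a salted PBKDF2 hash and a constant-time compare, so user input never
becomes part of the password match in the database.
"""
import hashlib
import hmac
import os
from typing import Any, Callable, Dict, Optional

Record = Dict[str, Any]


class LoginInputError(ValueError):
    """Raised when a login parameter is not the plain string the query expects."""


def contains_operator_keys(value: Any) -> bool:
    """True if any nested key starts with '$', i.e. looks like a query operator."""
    if isinstance(value, dict):
        return any(str(k).startswith("$") or contains_operator_keys(v)
                   for k, v in value.items())
    if isinstance(value, list):
        return any(contains_operator_keys(v) for v in value)
    return False


def build_login_filter_unsafe(body: Dict[str, Any]) -> Dict[str, Any]:
    """The vulnerable pattern: raw body values go straight into the filter document.
    Values keep their types, so an object supplied by the client becomes a
    sub-document that MongoDB evaluates as query syntax, not as a password."""
    return {"username": body.get("username"), "password": body.get("password")}


def validate_login_fields(body: Dict[str, Any], max_len: int = 128) -> Dict[str, str]:
    """Return the two credential fields only if both are non-empty plain strings."""
    if contains_operator_keys(body):
        raise LoginInputError("operator key in request body")
    out: Dict[str, str] = {}
    for field in ("username", "password"):
        value = body.get(field)
        if not isinstance(value, str):
            raise LoginInputError(f"{field} must be a string, got {type(value).__name__}")
        if not value or len(value) > max_len:
            raise LoginInputError(f"{field} has an invalid length")
        out[field] = value
    return out


def is_rejected(body: Dict[str, Any]) -> bool:
    """Convenience wrapper: does validation refuse this request body?"""
    try:
        validate_login_fields(body)
        return False
    except LoginInputError:
        return True


def pbkdf2(password: str, salt: bytes, rounds: int = 100_000) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, rounds)


def make_user(username: str, password: str) -> Record:
    salt = os.urandom(16)
    return {"username": username, "salt": salt, "pw_hash": pbkdf2(password, salt)}


# Constructed in-memory stand-in for the users collection (not real credentials).
USERS = [make_user("admin", "correct horse battery staple")]


def memory_find_one(filt: Dict[str, Any]) -> Optional[Record]:
    """Minimal equality-only stand-in for collection.find_one()."""
    for rec in USERS:
        if all(rec.get(k) == v for k, v in filt.items()):
            return rec
    return None


def authenticate(body: Dict[str, Any],
                 find_one: Callable[[Dict[str, Any]], Optional[Record]] = memory_find_one) -> bool:
    """Validate, query by username only, then verify the password in the application."""
    fields = validate_login_fields(body)
    rec = find_one({"username": fields["username"]})
    if rec is None:
        pbkdf2(fields["password"], b"\x00" * 16)  # keep timing similar for unknown users
        return False
    return hmac.compare_digest(rec["pw_hash"], pbkdf2(fields["password"], rec["salt"]))


if __name__ == "__main__":
    print(authenticate({"username": "admin", "password": "correct horse battery staple"}))  # True
    print(is_rejected({"username": "admin", "password": {"$op": ""}}))                        # True
```

The type check is the part that actually closes the hole: a body-parsing layer that turns `password[$op]=x` into a nested dict is exactly what lets the filter in `build_login_filter_unsafe` be rewritten by the client, and `validate_login_fields` refuses anything that is not a string before a query is built.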

privesc mango => admin

Enter the password we found using NoSQL injection.

privesc admin => root

linenum.sh

I found a binary named "jjs" at "/usr/lib/jvm/java-11-openjdk-amd64/bin/jjs" with both the SUID and SGID bits set. After some searching I found it on GTFOBins: it is a Java binary that can be used for file read, file write, reverse shell and some more functionality.

I first tried the reverse shell, but I again got a shell as the admin user, and I need it as root. Next I tried file read, but that wouldn't work for me. The only option left was to write a file, so I decided to write an SSH key using jjs. Back on my machine :-

I named the key file "mango", which gave me one private key "mango" and one public key "mango.pub". We use the public key to write onto the target machine and the private key to log in, so I copied the content of "mango.pub", pasted it inside the jjs file-write payload with directory = /root/.ssh/authorized_keys, and then logged in using the private RSA key.
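Both escalation steps above leave a footprint a defender can check for: a set-id bit on a script engine (jjs) that has no business carrying one, and a key in /root/.ssh/authorized_keys that nobody approved. The following is an added example in Python, not part of the writeup or of LinEnum, of an audit that covers both. The allowlist, the interpreter list, the demo directory tree and the two authorized_keys lines (whose key blobs are not real keys) are all constructed for illustration; on a real host you would walk the real filesystem and read the real authorized_keys file.

```python
"""
Audit for the two privesc paths in this writeup (added example):
  1. SUID/SGID files outside an allowlist, with interpreters flagged even if listed;
  2. authorized_keys entries whose SHA256 fingerprint is not in an approved baseline.
"""
import base64
import hashlib
import os
import stat
import tempfile
from typing import Dict, List, Optional, Set

# Constructed allowlist: binaries this host is expected to ship with a set-id bit.
SETID_ALLOWLIST = {"sudo", "su", "passwd", "mount", "umount", "ping", "chsh", "newgrp"}
# Runtimes and script engines that should never be set-id (jjs is the one from the box).
INTERPRETERS = {"jjs", "java", "python", "python3", "perl", "ruby", "node", "php", "bash"}


def find_setid_files(root: str) -> List[Dict]:
    """Walk `root` and return every regular file with SUID or SGID set."""
    found = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)  # lstat: do not follow symlinks
            except OSError:
                continue
            if not stat.S_ISREG(st.st_mode):
                continue
            suid = bool(st.st_mode & stat.S_ISUID)
            sgid = bool(st.st_mode & stat.S_ISGID)
            if suid or sgid:
                found.append({"path": path, "name": name, "suid": suid, "sgid": sgid})
    return sorted(found, key=lambda f: f["path"])


def suspicious_setid(root: str) -> List[Dict]:
    """Set-id files that are interpreters, or that are not on the allowlist."""
    return [f for f in find_setid_files(root)
            if f["name"] in INTERPRETERS or f["name"] not in SETID_ALLOWLIST]


KEY_TYPE_PREFIXES = ("ssh-", "ecdsa-", "sk-")


def key_fingerprint(line: str) -> Optional[str]:
    """OpenSSH-style SHA256 fingerprint (unpadded base64) of one authorized_keys line.
    Returns None for blank lines, comments, and lines without a decodable key blob."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    tokens = line.split()
    # Options such as command="..." may precede the key type; scan forward to it.
    for i, tok in enumerate(tokens):
        if tok.startswith(KEY_TYPE_PREFIXES) and i + 1 < len(tokens):
            try:
                blob = base64.b64decode(tokens[i + 1], validate=True)
            except ValueError:  # binascii.Error is a ValueError subclass
                return None
            digest = hashlib.sha256(blob).digest()
            return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")
    return None


def unexpected_authorized_keys(text: str, baseline: Set[str]) -> List[str]:
    """Fingerprints present in `text` that are absent from the approved baseline."""
    out: List[str] = []
    for line in text.splitlines():
        fp = key_fingerprint(line)
        if fp is not None and fp not in baseline and fp not in out:
            out.append(fp)
    return out


def fake_key_line(keytype: str, seed: bytes, comment: str) -> str:
    """Constructed authorized_keys line; the blob is NOT a usable key, only demo bytes."""
    blob = len(keytype).to_bytes(4, "big") + keytype.encode() + seed
    return f"{keytype} {base64.b64encode(blob).decode()} {comment}"


KNOWN_KEY = fake_key_line("ssh-ed25519", b"constructed-admin-key", "admin@workstation")
FOREIGN_KEY = fake_key_line("ssh-rsa", b"constructed-unknown-key", "mango")
BASELINE = {key_fingerprint(KNOWN_KEY)}
SAMPLE_AUTHORIZED_KEYS = "# root keys\n" + KNOWN_KEY + "\n" + FOREIGN_KEY + "\n"


def build_demo_tree() -> str:
    """Constructed directory: one allowlisted SUID file, one SUID interpreter, one plain file."""
    root = tempfile.mkdtemp(prefix="setid-demo-")
    for name, mode in (("passwd", 0o4755), ("jjs", 0o4755), ("notes.txt", 0o644)):
        p = os.path.join(root, name)
        with open(p, "w") as fh:
            fh.write("#!/bin/sh\n")
        os.chmod(p, mode)
    return root


if __name__ == "__main__":
    for f in suspicious_setid(build_demo_tree()):
        print("set-id file to review:", f["path"], "suid" if f["suid"] else "sgid")
    for fp in unexpected_authorized_keys(SAMPLE_AUTHORIZED_KEYS, BASELINE):
        print("authorized_keys entry not in baseline:", fp)
```

Comparing fingerprints rather than raw lines means a key re-added with a different comment or with options prepended still matches the baseline, while a key that was never approved is reported whatever comment it carries. Removing the set-id bit from jjs (`chmod u-s,g-s` on that path) is the fix the audit is pointing at; the Java runtime does not need it.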
