System Summary
Initial Enumeration
The nmap scan shows that there are only SSH, HTTP and HTTPS ports open.
Connecting to the website using HTTPS we receive a warning SSL
certificate: it discloses the hostname
staging-order.mango.htb
Adding the hostname to our hosts file we can connect and we see a login
form.
Trying with bruteforcing gives no valuable result.
Also SQLmap for injection, but it seemed not vulnerable.
We can then check for other backend database and, since the name of the box is mango, mongoDB looks a good candidate
Initial foothold
The injection in mongoDB is explained here
- https://owasp.org/www-pdf-archive/GOD16-NOSQL.pdf
- https://blog.0daylabs.com/2016/09/05/mongo-db-password-extraction-mmactf-100/
The basic idea is to subvert the parameter passed by the URL: instead of numeric or string values we want to pass objects like array.
In the standard POST request we normally pass three parameters
username=admin&password=pass&login=login
Think what happens if we choose to pass a different thing like
username=admin&password[$regex]=something&login=login
where "something" is a valid regular expression, the application will behave in different ways
Let's use a ".*" regex (Burp repeater is very helpful) and see:
We get a HTTP 302 reply
Now use a "A.*" as regex:
And we get a HTTP 200
What's the difference?
- .* will match any password
- A.* will only match a password that start with A
So the reply 302 can be used to find password by repeating the POST request with different values
For this fase we can choose either to script or to use Burp Intruder module.
We'll proceed with the Burp Intruder
- attack type is Sniper
- payload is bruteforce with length 1
- Charater set: all alphabet
With a similar approach we have to test capital letters and we find {B, K, S}
Also for special characters and we find {!, #, $, ^, >, \, .}
An important note here is that some special character has a special meaning in regex ($ \ . ^)so we may have found some false positive:
- ^ is start of line
- $ is end of line
- . is "any character"
- \ is escape simbol
They can be matched in the regex but only by escaping them with a prepended \.
The best option is to exclude them from the alphabet until and check for them separately
Now we have the components of the password {c, t, 0, 2, 3, 9, B, K, S, !, #, > } but we don't have them in the order.
The regex to check the first character is
username=admin&password[$regex]=^§§.*&login=login
- ^ means start of line
- §§ is the Burp payload
- .* is the remaing part of the password
We have this result:
So (discarding the space), we should have only one "302" reply, that corresponds to t character
The first character of the password becomes t
The next attack string is now (note the added t as first character)
username=admin&password[$regex]=^t§§.*&login=login
And we get:
So the second character of the password is 9
The next attack string is
username=admin&password[$regex]=^t9§§.*&login=login
looping this attack we can get the password of Admin: t9KcS3>!0B#2
Using the same approach to username we can discover additionally user and password
- User: mango
- Password: h3mXK8RhU~f{]f5H
In this case escaping may be needed inthe attacking regexp, like (note the backslah)
username=admin&password[$regex]=^h3mXK8rhU\§§.*&login=loginWith SSH we find that user mango is valid and we have an initial access.
User Flag
As user mango there is no user flag, but the passwd file shows an admin user.We can su and get the flag:
Root flag
Using standard enumeration tools (LinEnum or similar) we can find a SUID file name jjs which is part of Java package.
This can be user to execute inline scripts and it can be used to read files, execute files, etc.. as explained here: https://gtfobins.github.io/gtfobins/jjs/
We can steal the root flag by reading its content:
Where the number are the decimal ASCII code of the character (56 -> 8, 97 -> a, etc....)
The root flag is then 8a8ef79a7a2fbb01ea81688424e9ab15
it is an interactive interpereter that can be use to
No comments:
Post a Comment
Note: Only a member of this blog may post a comment.