Mango WriteUp – HackTheBox

Enumeration:

Enumeration is pretty important as we all know. So the first thing we do is run an nmap scan to see which ports are open and what is running on that machine.

We can see that we have 3 ports that are open – 80, 443 and 22.

Initial Foothold:

For me the start of this box was hell, because I didn't look closely enough at the nmap results and ended up asking on the Discord chat for help. But let me explain. By examining all the ports we can see that we have an HTTP server on port 80. If you browse to it you get a 403 page. Port 22 is the SSH port, but we still don't have any credentials for it. So we are left with port 443. To display the page use the link https://10.10.10.162:443/. This will lead us to a Google-like page.

If we go back to the nmap results we can see that there is a certificate for the HTTPS port (443). This certificate is for the subdomain "staging-order.mango.htb". This is the hidden page that we need. To be able to access this vhost you need to map that hostname to the machine's IP in your "hosts" file. Check the picture below. Use "vim /etc/hosts" to edit the file.

Now browse to that hostname.

Getting User:

What rhymes with Mango and is something we can use? The answer is MONGO, which implies that the technology we need to exploit is MongoDB. MongoDB is a NoSQL database, so … I searched how to exploit that and found something really interesting in the forum. PayloadsAllTheThings will help you find the NoSQL injection script you need. You may need to modify it. You can use this script to search against two usernames: "mango" and "admin".

Password for user: mango
Password for user: admin
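To make clear why the script above can recover passwords at all, here is an added example that is not part of the writeup or of the Mango box: a minimal login-filter builder in JavaScript, in the vulnerable form beside a hardened one. No database is involved; the functions only build the filter object a MongoDB login handler would send, and a tiny in-memory matcher shows what each filter would match against constructed sample users (the usernames, passwords and the `$ne` payload are all my own illustration, not values from the box).

```javascript
// Added example (not from the Mango box or the writeup): how a MongoDB login
// handler becomes injectable when request fields are dropped straight into
// the query filter, and how a type check closes the hole. No database is
// used; we only build the filter and run it against an in-memory list.

// Vulnerable: whatever the web framework parsed from the request body is
// used as the query filter as-is. If the framework turns JSON or bracketed
// form fields into nested objects, a body like
//   {"username": "admin", "password": {"$ne": ""}}
// makes the password condition "not equal to the empty string", which the
// real admin document satisfies no matter what the password is. Comparison
// operators such as $ne or $regex are what the injection scripts rely on.
function buildLoginFilterVulnerable(body) {
  return { username: body.username, password: body.password };
}

// Hardened: credentials must be plain strings of bounded length, so an
// operator object is rejected before any query is built. A real application
// should also verify a salted password hash instead of comparing clear-text
// passwords in the query, but the type check is what stops the injection.
function buildLoginFilterHardened(body) {
  const { username, password } = body;
  if (typeof username !== "string" || typeof password !== "string") {
    throw new TypeError("username and password must be strings");
  }
  if (username.length > 64 || password.length > 128) {
    throw new RangeError("credential too long");
  }
  return { username: username, password: password };
}

// Stand-in for the users collection: evaluates a filter against one document.
// It understands equality and the $ne operator, which is all this demo needs.
function matchesFilter(doc, filter) {
  return Object.keys(filter).every((field) => {
    const cond = filter[field];
    const value = doc[field];
    if (cond !== null && typeof cond === "object") {
      if ("$ne" in cond) return value !== cond.$ne;
      return false; // unsupported operator: treat as no match
    }
    return value === cond;
  });
}

// Constructed sample documents (not real Mango credentials).
const users = [
  { username: "admin", password: "correct-horse-battery" },
  { username: "mango", password: "staple" },
];

// Number of user documents a given filter would match.
function countMatches(filter) {
  return users.filter((u) => matchesFilter(u, filter)).length;
}

// Demonstration: the operator object slips through the vulnerable builder and
// matches admin without knowing the password; the hardened builder refuses it.
const injected = { username: "admin", password: { $ne: "" } };
console.log("vulnerable matches:", countMatches(buildLoginFilterVulnerable(injected)));
try {
  buildLoginFilterHardened(injected);
} catch (e) {
  console.log("hardened rejected:", e.message);
}
```

The detection side follows from the same observation: a login request whose credential fields arrive as objects rather than strings, or whose field names contain `$`, is never legitimate traffic and is worth alerting on at the web tier.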

After you obtain both passwords, SSH into the machine as user mango.

As you can see, we can't read user.txt, because the file is located in admin's home folder. So the logical thing is to switch user, since we have the password for "admin".

And there you have the "user" flag.

Getting Root:

For me getting the root flag was much easier than getting the user one. After browsing the forum I found something that people were suggesting. Read GTFOBins to find the proper script, or look at the picture below.

This will only show you the content of /root/root.txt; it will not make you root on the system.

Conclusion:

Enumerate as much as you can. If you find something that you do not understand, Google it first; if you are still confused, ask for help in the forum or the Discord server. People there are really nice and helpful.

https://forum.hackthebox.eu/ ==> forum
https://discord.gg/B2UAmY ==> HTB Discord Server
