MANGO-HTB-WALKTHROUGH


Greetings to all the CTF players. This is the walkthrough of Mango, which is a Medium-difficulty Linux box.

1. PORTSCAN

 The result shows 3 ports are open.
  1. 80
  2. 443
  3. 22

2. WEB ENUMERATION


On visiting http://10.10.10.162, I got a Forbidden error.

The port scan result shows port 443 is open. On visiting https://10.10.10.162, I was redirected to a Mango Search Engine.



 I did not find anything on this page, but looking at the certificate I found the hostname “staging-order.mango.htb”. I added the IP and hostname to /etc/hosts and then visited staging-order.mango.htb, where we can see a login page.




3. NoSQL INJECTION

 

 

From the box name, I found that Mango is not really mango but wordplay on MongoDB, which is a NoSQL database. With the help of Burp Repeater and PayloadsAllTheThings, I passed the payload and got redirected to home.php with status code 302.


I wrote a script to enumerate all usernames and passwords. You can find the script here.
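
Why a login form like this one accepts such a payload, and the check that stops it, as an added example (not code from this walkthrough or from the box). A small in-memory matcher stands in for MongoDB; the field names, the sample user, the handler names and the operator input are constructed assumptions.

```python
import re

# Constructed sample record; not a credential from this walkthrough.
USERS = [{"username": "alice", "password": "correct-horse"}]

def matches(doc, query):
    """Minimal stand-in for a MongoDB filter: equality, $ne and $regex only."""
    for field, cond in query.items():
        value = doc.get(field)
        if isinstance(cond, dict):            # operator document, e.g. {"$ne": ""}
            for op, arg in cond.items():
                if op == "$ne":
                    ok = value != arg
                elif op == "$regex":
                    ok = re.search(arg, value or "") is not None
                else:
                    raise ValueError(f"unsupported operator: {op}")
                if not ok:
                    return False
        elif value != cond:                   # plain equality
            return False
    return True

def login_vulnerable(params):
    # Request values go into the filter untouched. A form parser that builds
    # nested values (PHP does this for field[key]=value) hands the database
    # an operator document where the code expected a string.
    query = {"username": params.get("username"),
             "password": params.get("password")}
    return any(matches(u, query) for u in USERS)

def login_hardened(params):
    # Accept plain strings only, so no request value can become an operator.
    username, password = params.get("username"), params.get("password")
    if not isinstance(username, str) or not isinstance(password, str):
        return False
    # A real application would also compare a password hash, not plaintext.
    query = {"username": username, "password": password}
    return any(matches(u, query) for u in USERS)

# Constructed inputs, shaped as a form parser would deliver them.
LEGIT = {"username": "alice", "password": "correct-horse"}
WRONG = {"username": "alice", "password": "nope"}
OPERATOR = {"username": {"$ne": ""}, "password": {"$ne": ""}}

if __name__ == "__main__":
    for name, p in (("legit", LEGIT), ("wrong", WRONG), ("operator", OPERATOR)):
        print(name, login_vulnerable(p), login_hardened(p))
```

The hardened handler treats any non-string field as a failed login, which is also a useful event to log: legitimate browsers never send nested values for these fields.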

4. USER.TXT


Now I have two usernames and two passwords. Let's try to ssh with them.

  1. mango: h3mXK8RhU~f{]f5H
  2. admin: t9KcS3>!0B#2


There is nothing in mango's home directory, and mango does not have read access to admin's home directory. So I did su admin to become the admin user and grab the user flag.


5. ROOT.TXT


By running LinEnum.sh, I found an interesting SUID. From GTFOBins, I found that through this we can read files for which we don’t have permissions. So we can read the root.txt flag.


