12/2020
Target IP: 10.10.10.162.
The victim machine is a Linux machine hosting 2 web applications. Foothold acquired by exploiting SQL injection on NoSQL database via the log in form on staging-order.mango.htb . Successful exploit expose 2 user credentials which is then used to get SSH connection.
A misconfiguration allows admin to run JJS – a tool that invokes Nashorn engine under root privilege. PE and root flag acquired by overwriting ssh authorization file /root/.ssh/authorized_keys .
medium
User: 5c783a0d3ace3376ac7715b6ddab4fdf
Root: 2b3242254a20455fb626b6c7fd031dfe
Nmap service scan.
! Discover services: OpenSSH 7.6p1 (22), HTTP Apache 2.4.29 (80), HTTPS Apache 2.4.29 (443)
! Web application on port 80 refuse connection with code 403 - forbidden.
Examining web application on port 443.
! The web app on port 443 resembles Google search engine.
! Most of the buttons point to the main page.
! /analytics.php is live.
Examining /analytics.php.
! nothing seems to work on this site.
! Adds staging-order.mango.htb (from nmap scan result)to host file.