

Step 1:

Run an Nmap scan.

We can see that SSH, HTTP and HTTPS are open.

Step 2:

Go to the website; we can see the site is forbidden.

So go to the HTTPS site, where we can view its SSL certificate by going through Advanced -> Continue.
The host name is given in the certificate ""

Step 3:

Add the host name to the /etc/hosts file.

Step 4:

Go to the site now, and it is accessible.

After some enumeration, I found that it has a NoSQL injection.

Exploit part

Pass the given value, and we get 302 FOUND instead of 200 OK.

Step 5:

Search for an exploit; we found a Python script for username and password enumeration.

Step 6:

Exploitation using the Python script: we got 2 usernames and 2 passwords.

Step 7:

Try SSH with the given credentials, and we are able to log in as the mango user.

Escalate privileges from mango to admin with the credentials we got earlier using the Python script, and we are able to log in as admin.

Read user.txt from the admin account.

Step 8:

Escalate privileges from admin to root: search for SUID binaries.

We can see jjs is in there, and in the output of the "ls -la" command we can also see jjs.history.

Step 9:

Search for jjs in GTFOBins; we find that we can read files using the jjs exploit.

Now we can read root.txt.
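
Seen from the defender's side, the SUID search in Step 8 is the audit that would have flagged jjs before anyone used it. The script below is an added example, not part of the original write-up: the function name audit_suid, the watch-list contents (apart from jjs) and the one-path-per-line baseline file are assumptions.

```shell
#!/bin/sh
# Added example: audit SUID files against an approved baseline and a
# watch-list of interpreters that should never carry the SUID bit.
# jjs comes from this write-up; the other watch-list names are assumptions.
WATCHLIST="jjs java python python3 perl ruby node bash sh"

# audit_suid ROOT [BASELINE_FILE]
#   ROOT          directory tree to scan (stays on one filesystem)
#   BASELINE_FILE approved SUID paths, one absolute path per line
# Prints one line per SUID file: "<severity> <owner> <path>"
#   CRITICAL  name is on the watch-list (interpreter or runtime)
#   OK        path is listed in the baseline
#   REVIEW    SUID file that nobody has approved yet
audit_suid() (
    root="$1"
    baseline="${2:-/dev/null}"
    find "$root" -xdev -type f -perm -4000 2>/dev/null | sort |
    while IFS= read -r path; do
        name=$(basename "$path")
        # Owner matters: a root-owned SUID file runs with root's privileges.
        owner=$(ls -ld "$path" | awk '{print $3}')
        # $WATCHLIST is left unquoted on purpose so it splits into words.
        if printf '%s\n' $WATCHLIST | grep -qxF -- "$name"; then
            sev=CRITICAL
        elif grep -qxF -- "$path" "$baseline"; then
            sev=OK
        else
            sev=REVIEW
        fi
        printf '%s %s %s\n' "$sev" "$owner" "$path"
    done
)

# Typical use (the baseline path is a placeholder):
#   audit_suid / /path/to/suid-baseline.txt | grep -v '^OK '
```

A watch-list hit is reported as CRITICAL even when the path is in the baseline, so an interpreter cannot be approved by accident.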