->Mango




Step 1:

Run an Nmap scan.

We can see that SSH, HTTP and HTTPS are open.


Step 2:

Go to the website. We can see the site is forbidden.

So go to the HTTPS site, where we can view its SSL certificate by going through Advanced -> Continue.
The host name is given in the certificate: "staging-order.mango.htb"










Step 3:

Add the host name to the /etc/hosts file.





Step 4:

Go to the site now, and it is accessible.

After some enumeration, I found it has a NoSQL injection.




Exploit part

Pass the given value, and we get 302 FOUND instead of 200 OK.






Step 5:

Search for an exploit; we found a Python script for username and password enumeration.







Step 6:

Exploitation using the Python script, and we got 2 usernames and 2 passwords.















Step 7:

Try SSH with the given credentials, and we are able to log in as the mango user.

Escalate privileges from mango to admin with the credentials we got earlier using the Python script, and we are able to log in as admin.

Read user.txt as admin.




Step 8:

Escalate privileges from admin to root. Search for SUID binaries.

We can see jjs is in there, and in the "ls -la" output we can also see jjs.history.




Step 9:

Search for jjs in GTFOBins; we find that we can read files using the jjs exploit.

Now we can read root.txt.
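
A defender-side check for the condition found in Steps 8 and 9, added here as an example and not part of the original write-up: it lists SUID files under a directory and reports any whose name is not on a baseline allowlist. The function names and the allowlist contents are assumptions.

```sh
#!/bin/sh
# Added example (not from the original write-up): SUID baseline audit.
# Function names and the allowlist contents are assumptions.

# Constructed baseline of SUID binaries expected on a stock host.
default_allowlist() {
    printf '%s\n' passwd su sudo mount umount chsh chfn newgrp gpasswd
}

# audit_suid ROOT [ALLOWLIST_FILE]
# Prints every SUID regular file under ROOT whose basename is not in the
# allowlist (one name per line). Returns 1 if any was found, 0 if clean.
audit_suid() {
    root=$1
    allow=${2:-}
    list=$(mktemp) || return 2
    if [ -n "$allow" ]; then
        cat "$allow" > "$list"
    else
        default_allowlist > "$list"
    fi
    # -perm -4000 matches the setuid bit; -xdev stays on one filesystem.
    unexpected=$(
        find "$root" -xdev -type f -perm -4000 2>/dev/null | sort |
        while IFS= read -r path; do
            # Exact, fixed-string match on the file name only.
            grep -Fxq -- "${path##*/}" "$list" || printf '%s\n' "$path"
        done
    )
    rm -f "$list"
    [ -z "$unexpected" ] && return 0
    printf '%s\n' "$unexpected"
    return 1
}

# Run only when a directory is given, e.g.: sh audit_suid.sh /usr
# A SUID scripting engine such as jjs (Step 8) is reported as unexpected.
if [ "$#" -gt 0 ]; then
    audit_suid "$@"
fi
```

Matching on the file name alone is a simplification; a production baseline would pin full paths and file hashes.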