Mango

Comments

  • That was a great box!
    User was quite harder than root honestly. But learned a lot and got to taste the juiciest mangoes.

    Obligatory hints:

    User:

    Never ignore any error.
    Most of the time the machine's name has a relation with the attack vector.
    Bruteforcing is a pain in the ass, not just for you, but more for others. Write a script instead ;)

    Root:

    Enumerate, that's enough. lol!

    Thanks @MrR3boot for this awesome box!

    heisenb3rg

  • Got it. Been working on this one all weekend. With the hint here I got root this morning.

    Things I've learnt: I need to get better at python and building my own scripts, or modifying POCs that float around from time to time.

    Good box. User was something new for me. Root was something new... still but very easy.

    Cheers!

  • ROOTED SUCCESSFULLY !
    I've learned a lot from this box and had good experience
    a lot of thanks to @MrR3boot for this awesome box and @traut for helping me

  • Got User & Root Flag. What a nice machine, getting the user was the most interesting part. There were many rabbit holes but still made my way through. Thumbs up

  • This is my first medium level box. Is the l*****e k*y error on a********.**p page normal? I read back in a few pages of the discussion and it looks like some people were able to load up data but I just see the error. I am leaning towards a rabbit hole but figured I would check first. Thx.

  • edited April 8

    Fun machine, to be honest there were things I did not expect and made me feel like: 'wtf'...

    As a hint for all the people not knowing where to look for Mangos.... If you've found the Login page, think about how Login normally works, think about where the username and password are checked, data persistence bla bla bla... this should be enough to get your Mango going. This is for user.

    For root flag, start snooping around the system, see what you find and might be helpful, #gtfobins.

    Cheers to @MrR3boot for this machine :)

    it ain't much but it's honest work

  • edited April 8

    @0xbadbac0n said:

    So my feedback...
    getting the initial step in was horror.. I ran totally into a rabbit hole with the analytics tab x(
    After I understood the box name, fixed my etc hosts becoming user was pretty straight forward...
    root took me just a couple of minutes in the end.

    It was nice to learn, to stick to the basics and do not overcomplicate ;D

    funny sidegag I just experienced in the forum.. try to post
    / e t c / h o s t s
    as normal text in a message xD

    yeah, I was looking for /etc / hosts like you did!
    it was really funny... "you got root! just kidding" lol

    v4lerio

  • This box required me to research and learn some new topics. Root done!

  • edited April 9

    Need a nudge on how to use the commonName to find the login page pl0x!

    EDIT: Disregard

    pHuR1u5

  • Thanks @MrR3boot, amazing machine! Learned a lot. You should make Prophet or MarioDB machines too ;)

    sparrow1

  • edited April 10

    I guess I understand all the hints, but not enough to know what to do with them. Would someone who's got the box already be willing to PM and let me say what I think - I'm fairly sure I'm going in the right direction.

  • At the end read root.txt.
    Here are my hints:

    • user: find web page to login (but not login) ; try to inject some code (but not sql inject)
    • root: enumerate and gtfobins

    PM me if you need help.
    (and if someone can explain to me how to get a root shell, please PM me).

  • Oh. That's so weird for me. Can someone explain why? How? Is this a real-life scenario? I'm about the response we get.
    Hints: actually I don't know what else to add, it's all already in the forum.
    PM me if you need help, I'll try to help)

  • What a sweet box this was. Even though I wasted hours and hours on useless dirbusting (there's absolutely no need for any of that - you see all web pages you need without any guessing), I'm not even angry. I'm GLaD. Thanks to all who left hints here. I'm sure I'll still be banging my head at more rock(you)s if not for those who finally made me understand what indeed a Mango is. It's not a fruit of a coconut family, and you don't need to be "a female priest who gave people wise but often mysterious advice" to figure this out.
    Anyway, even though I have both keys to claim the box, I'm still not sure how to get the final shell. Anyone would like to share with me the last command?

  • Rooted. Any hint to get a shell as root?

    Thank you.

  • edited April 13

    I have found the login page. I know what is running behind and I managed to extract a password which doesn't seem to fit anywhere.
    Can anyone please PM me for little guidance? Thank you in advance.

    EDIT : Rooted!
    Thanks to EvilT0r13 for the guidance. Thanks to MrR3boot for the great machine. :)
    Feel free to PM if you need assistance.

  • I think it's time to retire this machine. Some douche made a post that spoils the whole thing.

  • I was finally able to get root; struggled a little longer with the syntax than I should have. If anyone needs a nudge.

  • edited April 15

    rooted.
    Can someone DM me about how we know what's running on the back-end besides a guess?

    Also, this box is prob a lot easier now that there is a ready to go script for extraction..

  • Rooted. Fun box. Thanks @MrR3boot

    I found rummaging around in the trash gave some handy goodies for getting a shell after the more obvious stuff seemed rubbish.

  • Hey guys, I got access to the logins and all, but I don't understand why it worked. If someone could PM me to explain a thing or two, it would help me a lot, thanks.

  • Fun box and similar to a trophy machine on OSCP. Root was fine if you are used to a certain programming language environment, else there'll be some research involved.

    corpnobbs
    OSCP | OSWP | so much more to learn ...

  • edited April 17

    Finally rooted. really fun box. Thanks @MrR3boot for amazing box.

    for gtfo use "bash" instead of "sh".

  • Great box, I learned a lot, thank you @MrR3boot

  • @MrR3boot

    I don't recall this error I'm seeing on the box.

    Current key is only applicable for *.codepen.io.
    Read more info about this error
    You are trying to use the following key: Z7O0-XHE57Y-4E612Q-0Z331K-0U6G1B-525E0Z-150F5Q-5V521M-4O3O4B-41

    I'm guessing a key is past trial or something. Last I recall the website let me see the charts and such.

    Will this affect my attempt to own this box before reset?

  • @PrivacyMonk3y said:

    @MrR3boot

    I don't recall this error I'm seeing on the box.

    Current key is only applicable for *.codepen.io.
    Read more info about this error
    You are trying to use the following key: Z7O0-XHE57Y-4E612Q-0Z331K-0U6G1B-525E0Z-150F5Q-5V521M-4O3O4B-41

    I'm guessing a key is past trial or something. Last I recall the website let me see the charts and such.

    Will this affect my attempt to own this box before reset?

    Not at all
