Mango

Rooted!!

User: Think of the machine name combined with what's on the PayloadsAllTheThings repository :slight_smile:

Root: 4755

PM me if you need help

Rooted!

This box taught me some things the hard way! Thanks for this box, had a lot of fun!

Hi, can someone help me with this machine? Got login page and working around few scripts and just don’t know how to exploit it? Please inbox me, thank you

Need a nudge if possible, probably doing something dumb

I’ve found

sg-or.m*o.hb

by looking at the transactions with port 443

but it doesn’t resolve into anything, do I have to gobust?

EDIT: I was being extremely dumb…

EDIT EDIT: At the login page are we supposed to get the password and use it elsewhere, or can we pop a shell at this stage, with some mango magic (?)

Once again I am reminded of an OTW chal I did. I like it. Made me dig out some old code and I could reuse it again. Thanks for the awesome machine. Didn’t take nearly as long as I thought at the start to complete.

Just rooted this box, have to say it’s easier than I thought it would be.

Hints: dirb (or any other similar tool) is unlikely to help, you won’t guess the passwords (if you do then you should be working for GCHQ/NSA) but guessing the backend system should be easy - once you know that look for a script on the inter-web that can help get the credentials. Once you have the credentials it’s straightforward to get root from there (basic linux stuff).

Nice box, I enjoyed it. :slight_smile:

Root and User today. Shout out to @sebiV for hints!

So much to learn, and enjoying every minute.

Rooted!! Thanks @plackyhacker, one more root flag is needed till I say bye bye to 2019 :)

I guess it's a happy 2020, key is expired )
ErrorLicense key not found.
Please set your key in the component configuration. A trial key can be obtained at www.flexmonster.com.

Read more info about this error

Got login page
but I tried a lot of payloads about “mango”
in PayloadsAllTheThings repository
input to username&password
I only got the same response

can someone help me

@TWHackerCat said:

Got login page
but I tried a lot of payloads about “mango”
in PayloadsAllTheThings repository
input to username&password
I only got the same response

can someone help me

I am stuck in the exact same place. I’m gonna take a break and see if that helps. :slight_smile:

edit: it did help! calmed down and searched about stuff I already knew + the keyword Extract and found some more useful info that got me over the hump.

edit again + 1 hour: rooted. that is definitely easier than user. PM me for hints.

I’m glad I stuck it out. :slight_smile:

Can anyone help? I found the login page, and used the little 302 machine to squeeze password out of a**** and m****, but none of them seems to be working while I use it at the login page. Any trick in the 302 machine?

Rooted, NVM:)

Rooted the machine!
In the end it wasn't very hard, each step is ‘simple’ but the problem for me was that I didn't have some specific knowledge to solve each step…!
:slight_smile:

root@mango:~# hostname; id
mango
uid=0(root) gid=0(root) groups=0(root)

This mango tastes good enough! Thanks to creator @MrR3boot for the machine!
I like boxes where you need to write a custom exploit. Root was easy. There are multiple ways to root using the same binary - try to play with it

P.S. Rank up after ending this machine :slight_smile:

So, I got root (even root shell) and user on Mango. However, getting to know what users to crack and what backend to exploit were primarily from hints here on the forums. Can someone message me with how you would have got to these two points with no prior knowledge or nudges? I checked on walk-throughs (the ones where you need root.txt to access the walk-through), but they all just make ‘assumptions or guesses’ about these two points which leads me to believe they also just followed hints from the forums.
I ask, since in real world pentesting, I won’t be able to just ask around and get those hints. Just want to learn all I can to be effective on the OSCP exam and in real life. Thanks!

Can someone please nudge me towards the login page, can’t seem to find it despite reading the tips here, thanks!

Edit: nvm, found it after tweaking my recon tools

need help to escalate from m***o to admin in ssh … anyone please

edited- own user.txt

@PlayerThree said:

In the end it was one silly character (^) that cost me hours of time and countless hairs on my head. PM me if you need any hints.

I was about an hour deep and this comment probably saved ME hours! Good looking out! Box finally rooted! pm for nudges

Just rooted, thanks to creator @MrR3boot
Had so much fun and things to learn in this juicy mango box

I need help with the script. It prints 5 characters for a**** and 15 characters for m**** so I tried to login with m**** but it doesn’t work. Can someone help me with the script?

edit: was able to get user.txt. I can’t figure out root at the moment