Mango

Best box for ages. Thanks @MrR3boot

@BinaryStrike said:
really a jjjjuicy machine !!! Thanks for the machine @MrR3boot !!!

@izzie said:
Best box for ages. Thanks @MrR3boot

@halisha said:
r00ted, enjoyed the machine.

Glad you had fun with Mango :slight_smile:

Rooted this morning, really amazing box and big thanks @MrR3boot, the scripting part was quite a bit frustrating :), learned something important for any successful penetration tester: don’t bypass anything without checking further.

@Impulse said:

For people who have no idea where to begin once u get the login page

The box is named for a reason … Once u get that hint
there is a good blogpost literally explaining the entire user process :slight_smile:

I found this blog post, but only by accident, otherwise I never would have had the remotest chance of getting farther (I’m a big noob). Curious to know the thought process of people who figured this out on their own. Is this a known thing that if you got the hint the name of the box alone would make you realize to try, or are there things you are doing in enumeration that would tell you that this exploit would work?

@Icyb3r said:
Rooted this morning, really amazing box and big thanks @MrR3boot, the scripting part was quite a bit frustrating :), learned something important for any successful penetration tester: don’t bypass anything without checking further.

Welcome :slight_smile:

Rooted.

I agree to understand how to play this machine.
Brainfuck for me to get,

“rhyme mango” , “hint mango”

I think soooooo far.

I learned a lot on this machine.

Thank you

User : no comment
Root : gtfobins is best friend.

Finally rooted and got shell.
Personally I don’t like “guessing” but when I got it it was SOOOOO funny to get the credentials.
And I also learned something really new.
Moreover, I love when getting the shell involves your fantasy.
Thanks @MrR3boot !

Nice box

Juice Extraction part was interesting I totally loved it.
User: no comments
Root: Pretty straightforward basic enumeration is the key.
Thanks to box maker @MrR3boot

guys i need help in user enum, i got logged in but the gears keep rolling without any changes, so i’m in /ho**.p*p what to do?
I’M REALLY STUCK AT THIS STEP

Thanks for a fun box @MrR3boot! I learned quite a bit, and really enjoyed it!

@blink3r said:
Finally rooted and got shell.
Personally I don’t like “guessing” but when I got it it was SOOOOO funny to get the credentials.
And I also learned something really new.
Moreover, I love when getting the shell involves your fantasy.
Thanks @MrR3boot !

@breaker said:
Juice Extraction part was interesting I totally loved it.
User: no comments
Root: Pretty straightforward basic enumeration is the key.
Thanks to box maker @MrR3boot

@thr33per said:
Thanks for a fun box @MrR3boot! I learned quite a bit, and really enjoyed it!

That’s joyful feedback. That makes me do more in the future :slight_smile:

hi guys should I enumerate password for login page?

I’m stuck on the login page. I think I understand what the “mango” hint is but I have no clue about how to extract to get to the next part. Any nudges are appreciated.

I got this Error
Current key is only applicable for *.codepen.io.
Read more info about this error
You are trying to use the following key: Z7U7-XHIF9V-4A5Q3S-343X5O-0P5G1R-5G2G25-6S5F2Q-0Q0F5Z-37

is this a brute force challenge?

@mosaaed said:

I got this Error
Current key is only applicable for *.codepen.io.
Read more info about this error
You are trying to use the following key: Z7U7-XHIF9V-4A5Q3S-343X5O-0P5G1R-5G2G25-6S5F2Q-0Q0F5Z-37

u dropped into a hole

@an0n said:
is this a brute force challenge?

i’m also still quite stuck at the early stage, but if you are referring to the credentials for vhost, it is sort of a brute force, but u probably have to write your own script and define some rules (eg: length of password, possible characters) to reduce the brute force’s scope.

Hi!

Here are my hints …

User:

1º It’s important to enumerate in this box, but Dirbuster won’t lead you where you need.

2º When you are starting with one HTB machine, it’s a good practice to try the Vhost (name of the machine) + .htb. In some instances, you might get additional Vhosts which are worth checking as well.

3º If you arrive at a login page, you are on the right path.

4º The mango is a word play related to the technology to research. Mango is not a mango, but is close to it.

5º Once you figure out the technology, research how you could exploit it. There are different articles on the Internet. One of those articles will give you an idea about how to proceed further.

6º My advice would be to play first with burp and the repeater, in order to get a slight idea about how to design your attack. Then, create your own script. This was the best part for me.

Root: Basic enumeration. It’s way easier than user, and I am sure you have solved other machines this way.

Thank you @MrR3boot