From nmap, there are ssh, http, and https services opened.

Local Picture

This is the http web page.

Local Picture

This is the https web page.

Local Picture

This is a domain mentioned in nmap’s result.

Local Picture

From the title Mango, I got the idea of MongoDB. I tried the login page with [$ne] to confirm my thought. And the page changed because I create a true statement.

Local Picture

Local Picture

Local Picture

Local Picture

I used an open-source python script to get the username and password.

Local Picture

Local Picture

Local Picture

I successfully login to the server with ssh as mango. I can switch to admin with the other credential. From /etc/ssh/sshd_config, we can see that admin is not allowed to login from ssh.

Local Picture

Local Picture

There is an interesting SUID binary jjs.

Local Picture

From gtfobins, I found a way to write ssh public key to /root/.ssh/authorized_keys. After that, I can ssh to the server as root.

Local Picture

Local Picture