Skip to main content
Marco Campione

Write Up GreenHorn HTB

·4 mins·
WriteUp HTB Machine Linux Easy
Table of Contents

HTB Machine Writeup: GreenHorn
#

GreenHorn_card

Machine Information
#

  • Name: GreenHorn
  • IP Address: 10.10.11.25
  • Difficulty: #Easy
  • OS: #Linux
  • Points: 20
  • Release Date: 20 Jul 2024

Enumeration
#

Nmap Scan
# 

sudo nmap -sC -sS -sV -p- --min-rate=5000 -vvv -oN GreenHorn.nmap 10.10.11.25
  • -sC - default scripts to catch low hanging fruit and extra enumeration.
  • --min-rate=5000 - speeds things up and HTB boxes can handle it.
  • -p- - scan the entire port range in case the creator is being sneaky.
  • -oN - save the output because you should never have to run a scan twice.

Scan Result

PORT     STATE SERVICE REASON         VERSION
22/tcp   open  ssh     syn-ack ttl 63 OpenSSH 8.9p1 Ubuntu 3ubuntu0.10 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   256 57:d6:92:8a:72:44:84:17:29:eb:5c:c9:63:6a:fe:fd (ECDSA)
| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBOp+cK9ugCW282Gw6Rqe+Yz+5fOGcZzYi8cmlGmFdFAjI1347tnkKumDGK1qJnJ1hj68bmzOONz/x1CMeZjnKMw=
|   256 40:ea:17:b1:b6:c5:3f:42:56:67:4a:3c:ee:75:23:2f (ED25519)
|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEZQbCc8u6r2CVboxEesTZTMmZnMuEidK9zNjkD2RGEv
80/tcp   open  http    syn-ack ttl 63 nginx 1.18.0 (Ubuntu)
|_http-title: Did not follow redirect to http://greenhorn.htb/
| http-methods:
|_  Supported Methods: GET HEAD POST OPTIONS
|_http-server-header: nginx/1.18.0 (Ubuntu)
3000/tcp open  ppp?    syn-ack ttl 63
| fingerprint-strings:
|   GenericLines, Help, RTSPRequest:
|     HTTP/1.1 400 Bad Request
|     Content-Type: text/plain; charset=utf-8
|     Connection: close
|     Request
|   GetRequest:
|     HTTP/1.0 200 OK
|     Cache-Control: max-age=0, private, must-revalidate, no-transform
|     Content-Type: text/html; charset=utf-8
|     Set-Cookie: i_like_gitea=35d3d2f4c85107da; Path=/; HttpOnly; SameSite=Lax
|     Set-Cookie: _csrf=pni4vO1T6NN-oTd82DmDTJ5JpNk6MTcyMTU1NDYwNDc2MzM4MTg0Nw; Path=/; Max-Age=86400; HttpOnly; SameSite=Lax
|     X-Frame-Options: SAMEORIGIN
|     Date: Sun, 21 Jul 2024 09:36:44 GMT
|     <!DOCTYPE html>
|     <html lang="en-US" class="theme-auto">
|     <head>
|     <meta name="viewport" content="width=device-width, initial-scale=1">
|     <title>GreenHorn</title>
|     <link rel="manifest" href="data:application/json;base64,eyJuYW1lIjoiR3JlZW5Ib3JuIiwic2hvcnRfbmFtZSI6IkdyZWVuSG9ybiIsInN0YXJ0X3VybCI6Imh0dHA6Ly9ncmVlbmhvcm4uaHRiOjMwMDAvIiwiaWNvbnMiOlt7InNyYyI6Imh0dHA6Ly9ncmVlbmhvcm4uaHRiOjMwMDAvYXNzZXRzL2ltZy9sb2dvLnBuZyIsInR5cGUiOiJpbWFnZS9wbmciLCJzaXplcyI6IjUxMng1MTIifSx7InNyYyI6Imh0dHA6Ly9ncmVlbmhvcm4uaHRiOjMwMDAvYX
|   HTTPOptions:
|     HTTP/1.0 405 Method Not Allowed
|     Allow: HEAD
|     Allow: HEAD
|     Allow: HEAD
|     Allow: GET
|     Cache-Control: max-age=0, private, must-revalidate, no-transform
|     Set-Cookie: i_like_gitea=5c06fbb2800cc772; Path=/; HttpOnly; SameSite=Lax
|     Set-Cookie: _csrf=WH1a8TnGamLeHFaO124ckU-AJNY6MTcyMTU1NDYxMDA5NjI0OTYzMA; Path=/; Max-Age=86400; HttpOnly; SameSite=Lax
|     X-Frame-Options: SAMEORIGIN
|     Date: Sun, 21 Jul 2024 09:36:50 GMT
|_    Content-Length: 0
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port3000-TCP:V=7.94SVN%I=7%D=7/21%Time=669CD6AD%P=aarch64-unknown-linux
SF:-gnu%r(GenericLines,67,"HTTP/1\.1\x20400\x20Bad\x20Request\r\nContent-T
SF:ype:\x20text/plain;\x20charset=utf-8\r\nConnection:\x20close\r\n\r\n400
SF:\x20Bad\x20Request")%r(GetRequest,2A60,"HTTP/1\.0\x20200\x20OK\r\nCache
SF:-Control:\x20max-age=0,\x20private,\x20must-revalidate,\x20no-transform
SF:\r\nContent-Type:\x20text/html;\x20charset=utf-8\r\nSet-Cookie:\x20i_li
SF:ke_gitea=35d3d2f4c85107da;\x20Path=/;\x20HttpOnly;\x20SameSite=Lax\r\nS
SF:et-Cookie:\x20_csrf=pni4vO1T6NN-oTd82DmDTJ5JpNk6MTcyMTU1NDYwNDc2MzM4MTg
SF:0Nw;\x20Path=/;\x20Max-Age=86400;\x20HttpOnly;\x20SameSite=Lax\r\nX-Fra
SF:me-Options:\x20SAMEORIGIN\r\nDate:\x20Sun,\x2021\x20Jul\x202024\x2009:3
SF:6:44\x20GMT\r\n\r\n<!DOCTYPE\x20html>\n<html\x20lang=\"en-US\"\x20class
SF:=\"theme-auto\">\n<head>\n\t<meta\x20name=\"viewport\"\x20content=\"wid
SF:th=device-width,\x20initial-scale=1\">\n\t<title>GreenHorn</title>\n\t<
SF:link\x20rel=\"manifest\"\x20href=\"data:application/json;base64,eyJuYW1
SF:lIjoiR3JlZW5Ib3JuIiwic2hvcnRfbmFtZSI6IkdyZWVuSG9ybiIsInN0YXJ0X3VybCI6Im
SF:h0dHA6Ly9ncmVlbmhvcm4uaHRiOjMwMDAvIiwiaWNvbnMiOlt7InNyYyI6Imh0dHA6Ly9nc
SF:mVlbmhvcm4uaHRiOjMwMDAvYXNzZXRzL2ltZy9sb2dvLnBuZyIsInR5cGUiOiJpbWFnZS9w
SF:bmciLCJzaXplcyI6IjUxMng1MTIifSx7InNyYyI6Imh0dHA6Ly9ncmVlbmhvcm4uaHRiOjM
SF:wMDAvYX")%r(Help,67,"HTTP/1\.1\x20400\x20Bad\x20Request\r\nContent-Type
SF::\x20text/plain;\x20charset=utf-8\r\nConnection:\x20close\r\n\r\n400\x2
SF:0Bad\x20Request")%r(HTTPOptions,1B1,"HTTP/1\.0\x20405\x20Method\x20Not\
SF:x20Allowed\r\nAllow:\x20HEAD\r\nAllow:\x20HEAD\r\nAllow:\x20HEAD\r\nAll
SF:ow:\x20GET\r\nCache-Control:\x20max-age=0,\x20private,\x20must-revalida
SF:te,\x20no-transform\r\nSet-Cookie:\x20i_like_gitea=5c06fbb2800cc772;\x2
SF:0Path=/;\x20HttpOnly;\x20SameSite=Lax\r\nSet-Cookie:\x20_csrf=WH1a8TnGa
SF:mLeHFaO124ckU-AJNY6MTcyMTU1NDYxMDA5NjI0OTYzMA;\x20Path=/;\x20Max-Age=86
SF:400;\x20HttpOnly;\x20SameSite=Lax\r\nX-Frame-Options:\x20SAMEORIGIN\r\n
SF:Date:\x20Sun,\x2021\x20Jul\x202024\x2009:36:50\x20GMT\r\nContent-Length
SF::\x200\r\n\r\n")%r(RTSPRequest,67,"HTTP/1\.1\x20400\x20Bad\x20Request\r
SF:\nContent-Type:\x20text/plain;\x20charset=utf-8\r\nConnection:\x20close
SF:\r\n\r\n400\x20Bad\x20Request");
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Looks like only SSH and HTTP ports are open in this box so the foothold is going to be through a web vulnerability. The HTTP server redirects to http://greenhorn.htb/ so I added an entry for it in /etc/hosts and rerun the default nmap scripts for HTTP before moving on to the web enumeration phase.

sudo sh -c 'echo "10.10.11.25 greenhorn.htb" >> /etc/hosts'

sudo nmap -sC -p 80 greenhorn.htb -oN greenhorn-http.nmap

So far no more information has been found.

Subdomain Enumeration
#

To enumerate the subdomain I used this query

ffuf -w /usr/share/wordlists/seclists/Discovery/DNS/subdomains-top1million-5000.txt:FUZZ -u http://greenhorn.htb/ -H 'HOST: FUZZ.greenhorn.htb' -fw 18

So far I got no results. I decided to explore the endpoint at http://greenhorn.htb:3000

User Flag
#

The endpoint that I’ve found is pointing to a gitea repository with a lot of interesting files.

While I was exploring the files I found a file pass.php file in the /data/settings/ path

I immediately tried to crack the hash that I found. Usually, I first test if I can decrypt the hash using this website. I was lucky this time and I got the hash decrypted.

So I used the password to log on the website

The version of Plunk was 4.1.18, googling it I found that id vulnerable to RCE vulnerability link

Exploit the vulnerability
#

To exploit the vulnerability that affected the website I’ve uploaded a zipped reverse shell file on the http://greenhorn.htb/admin.php?action=installmodule endpoint.

Then I went on the http://greenhorn.htb/data/modules/<name_zip_file>/<rev_shell.php> endpoint and since everything went as expected I got a reverse shell. To have a better shell I’ve used the command:

python3 -c 'import pty; pty.spawn("/bin/bash")'

In the /home/junior directory I’ve found the user.txt flag but to read it I had to escalate the privileges to root.

Root Flag
#

The other file I found in the /home/junior directory was a pdf file. So I downloaded the file. The file contained a blurred image, to retrieve the information I used a tool called Depix I used the password I found to connect to the host through ssh, the flag was in the root folder.

Marco Campione
Author
Marco Campione
MSc. Cybersecurity Student @KTH