search

GreenHorn

hashtag
Nmap Scan

$ nmap -sC -sV -p- --min-rate 10000 -Pn -oN nmap 10.10.11.25
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-07-30 21:26 EDT
Warning: 10.10.11.25 giving up on port because retransmission cap hit (10).
Nmap scan report for greenhorn.htb (10.10.11.25)
Host is up (0.062s latency).
Not shown: 48457 closed tcp ports (conn-refused), 17075 filtered tcp ports (no-response)
PORT     STATE SERVICE VERSION
22/tcp   open  ssh     OpenSSH 8.9p1 Ubuntu 3ubuntu0.10 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   256 57:d6:92:8a:72:44:84:17:29:eb:5c:c9:63:6a:fe:fd (ECDSA)
|_  256 40:ea:17:b1:b6:c5:3f:42:56:67:4a:3c:ee:75:23:2f (ED25519)
80/tcp   open  http    nginx 1.18.0 (Ubuntu)
| http-robots.txt: 2 disallowed entries 
|_/data/ /docs/
3000/tcp open  ppp?
| fingerprint-strings: 
|   GenericLines, Help, RTSPRequest: 
|     HTTP/1.1 400 Bad Request
|     Content-Type: text/plain; charset=utf-8
|     Connection: close
|     Request
|   GetRequest: 
|     HTTP/1.0 200 OK
|     Cache-Control: max-age=0, private, must-revalidate, no-transform
|     Content-Type: text/html; charset=utf-8
|     Set-Cookie: i_like_gitea=028cb0905d6d682f; Path=/; HttpOnly; SameSite=Lax
|     Set-Cookie: _csrf=1SLv8xFN-ge9AGaLlQ7RryF0RLw6MTcyMjM4ODY4OTAyNjMxMTUwNA; Path=/; Max-Age=86400; HttpOnly; SameSite=Lax
|     X-Frame-Options: SAMEORIGIN
|     Date: Wed, 31 Jul 2024 01:18:09 GMT
|     <!DOCTYPE html>
|     <html lang="en-US" class="theme-auto">
|     <head>
|     <meta name="viewport" content="width=device-width, initial-scale=1">
|     <title>GreenHorn</title>
|     <link rel="manifest" href="data:application/json;base64,eyJuYW1lIjoiR3JlZW5Ib3JuIiwic2hvcnRfbmFtZSI6IkdyZWVuSG9ybiIsInN0YXJ0X3VybCI6Imh0dHA6Ly9ncmVlbmhvcm4uaHRiOjMwMDAvIiwiaWNvbnMiOlt7InNyYyI6Imh0dHA6Ly9ncmVlbmhvcm4uaHRiOjMwMDAvYXNzZXRzL2ltZy9sb2dvLnBuZyIsInR5cGUiOiJpbWFnZS9wbmciLCJzaXplcyI6IjUxMng1MTIifSx7InNyYyI6Imh0dHA6Ly9ncmVlbmhvcm4uaHRiOjMwMDAvYX
|   HTTPOptions: 
|     HTTP/1.0 405 Method Not Allowed
|     Allow: HEAD
|     Allow: HEAD
|     Allow: GET
|     Cache-Control: max-age=0, private, must-revalidate, no-transform
|     Set-Cookie: i_like_gitea=00121af976dae168; Path=/; HttpOnly; SameSite=Lax
|     Set-Cookie: _csrf=kzDLEtOxCdEEC4xdaA13UzC_WQk6MTcyMjM4ODY5NDM3MjkzNTEwMw; Path=/; Max-Age=86400; HttpOnly; SameSite=Lax
|     X-Frame-Options: SAMEORIGIN
|     Date: Wed, 31 Jul 2024 01:18:14 GMT
|_    Content-Length: 0
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port3000-TCP:V=7.94SVN%I=7%D=7/30%Time=66A992E5%P=x86_64-pc-linux-gnu%r
SF:(GenericLines,67,"HTTP/1\.1\x20400\x20Bad\x20Request\r\nContent-Type:\x
SF:20text/plain;\x20charset=utf-8\r\nConnection:\x20close\r\n\r\n400\x20Ba
SF:d\x20Request")%r(GetRequest,1000,"HTTP/1\.0\x20200\x20OK\r\nCache-Contr
SF:ol:\x20max-age=0,\x20private,\x20must-revalidate,\x20no-transform\r\nCo
SF:ntent-Type:\x20text/html;\x20charset=utf-8\r\nSet-Cookie:\x20i_like_git
SF:ea=028cb0905d6d682f;\x20Path=/;\x20HttpOnly;\x20SameSite=Lax\r\nSet-Coo
SF:kie:\x20_csrf=1SLv8xFN-ge9AGaLlQ7RryF0RLw6MTcyMjM4ODY4OTAyNjMxMTUwNA;\x
SF:20Path=/;\x20Max-Age=86400;\x20HttpOnly;\x20SameSite=Lax\r\nX-Frame-Opt
SF:ions:\x20SAMEORIGIN\r\nDate:\x20Wed,\x2031\x20Jul\x202024\x2001:18:09\x
SF:20GMT\r\n\r\n<!DOCTYPE\x20html>\n<html\x20lang=\"en-US\"\x20class=\"the
SF:me-auto\">\n<head>\n\t<meta\x20name=\"viewport\"\x20content=\"width=dev
SF:ice-width,\x20initial-scale=1\">\n\t<title>GreenHorn</title>\n\t<link\x
SF:20rel=\"manifest\"\x20href=\"data:application/json;base64,eyJuYW1lIjoiR
SF:3JlZW5Ib3JuIiwic2hvcnRfbmFtZSI6IkdyZWVuSG9ybiIsInN0YXJ0X3VybCI6Imh0dHA6
SF:Ly9ncmVlbmhvcm4uaHRiOjMwMDAvIiwiaWNvbnMiOlt7InNyYyI6Imh0dHA6Ly9ncmVlbmh
SF:vcm4uaHRiOjMwMDAvYXNzZXRzL2ltZy9sb2dvLnBuZyIsInR5cGUiOiJpbWFnZS9wbmciLC
SF:JzaXplcyI6IjUxMng1MTIifSx7InNyYyI6Imh0dHA6Ly9ncmVlbmhvcm4uaHRiOjMwMDAvY
SF:X")%r(Help,67,"HTTP/1\.1\x20400\x20Bad\x20Request\r\nContent-Type:\x20t
SF:ext/plain;\x20charset=utf-8\r\nConnection:\x20close\r\n\r\n400\x20Bad\x
SF:20Request")%r(HTTPOptions,1A4,"HTTP/1\.0\x20405\x20Method\x20Not\x20All
SF:owed\r\nAllow:\x20HEAD\r\nAllow:\x20HEAD\r\nAllow:\x20GET\r\nCache-Cont
SF:rol:\x20max-age=0,\x20private,\x20must-revalidate,\x20no-transform\r\nS
SF:et-Cookie:\x20i_like_gitea=00121af976dae168;\x20Path=/;\x20HttpOnly;\x2
SF:0SameSite=Lax\r\nSet-Cookie:\x20_csrf=kzDLEtOxCdEEC4xdaA13UzC_WQk6MTcyM
SF:jM4ODY5NDM3MjkzNTEwMw;\x20Path=/;\x20Max-Age=86400;\x20HttpOnly;\x20Sam
SF:eSite=Lax\r\nX-Frame-Options:\x20SAMEORIGIN\r\nDate:\x20Wed,\x2031\x20J
SF:ul\x202024\x2001:18:14\x20GMT\r\nContent-Length:\x200\r\n\r\n")%r(RTSPR
SF:equest,67,"HTTP/1\.1\x20400\x20Bad\x20Request\r\nContent-Type:\x20text/
SF:plain;\x20charset=utf-8\r\nConnection:\x20close\r\n\r\n400\x20Bad\x20Re
SF:quest");
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 177.61 seconds

hashtag
Initial Access

hashtag
Port 3000

First, we will add the IP address to the host file.

We are brought to this page after visiting it.

When we click on register or sign in page, we are able to see the version of Gitea that is running.

However, this version of gitea does not give us much information. Next, we click on the Explore tab on the top left corner and we are greeted with this.

When we click into this repo, it brings us to this page.

After some enumerating, we can see that the in ./docs/update.php it contains location of the password file that is being stored.

After going to that location, we can see that is indeed a hash contain in the file.

We will check online if this hash is indeed a SHA512 hash and it is indeed a SHA512 hash.

LogoHash AnalyzerTunnelsUPchevron-right

Then we will try to crack the hash.

LogoSHA512 Hash Cracking | passwordrecovery.iopasswordrecovery.iochevron-right

The password turns out to be iloveyou1.

However, there is nothing really much that can be digged up from this port.

hashtag
Port 80

So with that password in mind, we will visit port 80 to see if there is anything running on it.

From what we gathered from port 3000, it seems that the application in the repo on port 3000 is running on port 80.

If we try to click on admin at the bottom of the page, we can see a login page and the version of pluck.

We can see that this version of pluck has an RCE linked to it.

LogoPluck v4.7.18 - Remote Code Execution (RCE)Exploit Databasechevron-right

However, it requires a password. It turns out the password that we got just now is the correct password. Now, it will redirect us to this page.

Since now we have the password, we will just follow the steps on this repo and see if the exploits works.

LogoGitHub - Rai2en/CVE-2023-50564_Pluck-v4.7.18_PoC: A Proof of Concept for CVE-2023-50564 vulnerability in Pluck CMS version 4.7.18GitHubchevron-right

First, we need to install requests_toolbelt.

Next, we will clone the repo to our kali machine and cd into it.

After which, we will modify poc.py. This is the modified version of poc.py

Next, we will create shell.php. This is the content:

Next, we will then zip the webshell up and name it payload.zip

Next, we will run the listener.

Finally, we will run the exploit which will return us a reverse shell as www-data.

hashtag
Lateral Movement

hashtag
Upgrading Shell

We will use the method from Upgrading Shells

hashtag
Reusing the same password

We can try to change user to junior using the password that we got just now and it turns out it works.

After which we are able to get user.txt

PreviousKeeperNextPermX

Last updated