GreenHorn

Recon

nmap_scan.log
.----. .-. .-. .----..---.  .----. .---.   .--.  .-. .-.
| {}  }| { } |{ {__ {_   _}{ {__  /  ___} / {} \ |  `| |
| .-. \| {_} |.-._} } | |  .-._} }\     }/  /\  \| |\  |
`-' `-'`-----'`----'  `-'  `----'  `---' `-'  `-'`-' `-'
The Modern Day Port Scanner.
________________________________________
: http://discord.skerritt.blog           :
: https://github.com/RustScan/RustScan :
 --------------------------------------
🌍HACK THE PLANET🌍

[~] The config file is expected to be at "/home/rustscan/.rustscan.toml"
[~] Automatically increasing ulimit value to 5000.
Open 10.10.11.25:22
Open 10.10.11.25:80
Open 10.10.11.25:3000
[~] Starting Script(s)
[>] Running script "nmap -vvv -p {{port}} {{ip}} -vvv -sV -sC -Pn" on ip 10.10.11.25
Depending on the complexity of the script, results may take some time to appear.
Host discovery disabled (-Pn). All addresses will be marked 'up' and scan times may be slower.
[~] Starting Nmap 7.93 ( https://nmap.org ) at 2024-07-27 10:48 UTC
NSE: Loaded 155 scripts for scanning.
NSE: Script Pre-scanning.
NSE: Starting runlevel 1 (of 3) scan.
Initiating NSE at 10:48
Completed NSE at 10:48, 0.00s elapsed
NSE: Starting runlevel 2 (of 3) scan.
Initiating NSE at 10:48
Completed NSE at 10:48, 0.00s elapsed
NSE: Starting runlevel 3 (of 3) scan.
Initiating NSE at 10:48
Completed NSE at 10:48, 0.00s elapsed
Initiating Parallel DNS resolution of 1 host. at 10:48
Completed Parallel DNS resolution of 1 host. at 10:48, 0.04s elapsed
DNS resolution of 1 IPs took 0.04s. Mode: Async [#: 2, OK: 0, NX: 1, DR: 0, SF: 0, TR: 1, CN: 0]
Initiating Connect Scan at 10:48
Scanning 10.10.11.25 [3 ports]
Discovered open port 22/tcp on 10.10.11.25
Discovered open port 80/tcp on 10.10.11.25
Discovered open port 3000/tcp on 10.10.11.25
Completed Connect Scan at 10:48, 0.08s elapsed (3 total ports)
Initiating Service scan at 10:48
Scanning 3 services on 10.10.11.25
Completed Service scan at 10:49, 89.61s elapsed (3 services on 1 host)
NSE: Script scanning 10.10.11.25.
NSE: Starting runlevel 1 (of 3) scan.
Initiating NSE at 10:49
Completed NSE at 10:49, 2.52s elapsed
NSE: Starting runlevel 2 (of 3) scan.
Initiating NSE at 10:49
Completed NSE at 10:49, 1.11s elapsed
NSE: Starting runlevel 3 (of 3) scan.
Initiating NSE at 10:49
Completed NSE at 10:49, 0.00s elapsed
Nmap scan report for 10.10.11.25
Host is up, received user-set (0.080s latency).
Scanned at 2024-07-27 10:48:08 UTC for 93s

PORT     STATE SERVICE REASON  VERSION
22/tcp   open  ssh     syn-ack OpenSSH 8.9p1 Ubuntu 3ubuntu0.10 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   256 57d6928a7244841729eb5cc9636afefd (ECDSA)
| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBOp+cK9ugCW282Gw6Rqe+Yz+5fOGcZzYi8cmlGmFdFAjI1347tnkKumDGK1qJnJ1hj68bmzOONz/x1CMeZjnKMw=
|   256 40ea17b1b6c53f4256674a3cee75232f (ED25519)
|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEZQbCc8u6r2CVboxEesTZTMmZnMuEidK9zNjkD2RGEv
80/tcp   open  http    syn-ack nginx 1.18.0 (Ubuntu)
| http-methods: 
|_  Supported Methods: GET HEAD POST OPTIONS
|_http-title: Did not follow redirect to http://greenhorn.htb/
|_http-server-header: nginx/1.18.0 (Ubuntu)
3000/tcp open  ppp?    syn-ack
| fingerprint-strings: 
|   GenericLines, Help, RTSPRequest: 
|     HTTP/1.1 400 Bad Request
|     Content-Type: text/plain; charset=utf-8
|     Connection: close
|     Request
|   GetRequest: 
|     HTTP/1.0 200 OK
|     Cache-Control: max-age=0, private, must-revalidate, no-transform
|     Content-Type: text/html; charset=utf-8
|     Set-Cookie: i_like_gitea=990489ab98123f7b; Path=/; HttpOnly; SameSite=Lax
|     Set-Cookie: _csrf=fwFi5uwa3lU9ZQXtWqC1OnPyCmQ6MTcyMjA3NzI5NTIxNDAyMzcxNg; Path=/; Max-Age=86400; HttpOnly; SameSite=Lax
|     X-Frame-Options: SAMEORIGIN
|     Date: Sat, 27 Jul 2024 10:48:15 GMT
|     <!DOCTYPE html>
|     <html lang="en-US" class="theme-auto">
|     <head>
|     <meta name="viewport" content="width=device-width, initial-scale=1">
|     <title>GreenHorn</title>
|     <link rel="manifest" href="data:application/json;base64,eyJuYW1lIjoiR3JlZW5Ib3JuIiwic2hvcnRfbmFtZSI6IkdyZWVuSG9ybiIsInN0YXJ0X3VybCI6Imh0dHA6Ly9ncmVlbmhvcm4uaHRiOjMwMDAvIiwiaWNvbnMiOlt7InNyYyI6Imh0dHA6Ly9ncmVlbmhvcm4uaHRiOjMwMDAvYXNzZXRzL2ltZy9sb2dvLnBuZyIsInR5cGUiOiJpbWFnZS9wbmciLCJzaXplcyI6IjUxMng1MTIifSx7InNyYyI6Imh0dHA6Ly9ncmVlbmhvcm4uaHRiOjMwMDAvYX
|   HTTPOptions: 
|     HTTP/1.0 405 Method Not Allowed
|     Allow: HEAD
|     Allow: HEAD
|     Allow: GET
|     Cache-Control: max-age=0, private, must-revalidate, no-transform
|     Set-Cookie: i_like_gitea=87a3c177f411b5cf; Path=/; HttpOnly; SameSite=Lax
|     Set-Cookie: _csrf=_NxYdqAX8yPx9AhcIdBo6_J5BCE6MTcyMjA3NzMwMDczOTY4OTg4Mw; Path=/; Max-Age=86400; HttpOnly; SameSite=Lax
|     X-Frame-Options: SAMEORIGIN
|     Date: Sat, 27 Jul 2024 10:48:20 GMT
|_    Content-Length: 0
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
NSE: Script Post-scanning.
NSE: Starting runlevel 1 (of 3) scan.
Initiating NSE at 10:49
Completed NSE at 10:49, 0.00s elapsed
NSE: Starting runlevel 2 (of 3) scan.
Initiating NSE at 10:49
Completed NSE at 10:49, 0.00s elapsed
NSE: Starting runlevel 3 (of 3) scan.
Initiating NSE at 10:49
Completed NSE at 10:49, 0.00s elapsed
Read data files from: /usr/bin/../share/nmap
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 95.42 seconds
└─$ grep green /etc/hosts
10.10.11.25     greenhorn.htb
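nmap labelled port 3000 `ppp?`; the trailing `?` marks an unverified guess, while the captured `Set-Cookie: i_like_gitea=...` header in the fingerprint strings already names the application (`i_like_gitea` is Gitea's session cookie). As an added example, not part of the original writeup, here is a small parser for the normal-format nmap report above that extracts each port's state, service and version, keeps the NSE/fingerprint lines attached to their port, and names unverified services from banner markers. The marker table and the function names are my own; the sample report is a trimmed excerpt of the scan above.

```python
import re
from typing import Dict, List, Optional

# Trimmed excerpt of the nmap report above; the parser accepts the full report too.
SAMPLE_REPORT = """\
PORT     STATE SERVICE REASON  VERSION
22/tcp   open  ssh     syn-ack OpenSSH 8.9p1 Ubuntu 3ubuntu0.10 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   256 57d6928a7244841729eb5cc9636afefd (ECDSA)
80/tcp   open  http    syn-ack nginx 1.18.0 (Ubuntu)
|_http-title: Did not follow redirect to http://greenhorn.htb/
|_http-server-header: nginx/1.18.0 (Ubuntu)
3000/tcp open  ppp?    syn-ack
| fingerprint-strings:
|   GetRequest:
|     HTTP/1.0 200 OK
|     Set-Cookie: i_like_gitea=990489ab98123f7b; Path=/; HttpOnly; SameSite=Lax
|     X-Frame-Options: SAMEORIGIN
|_    Content-Length: 0
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
"""

# One port line of nmap's normal output: "PORT/PROTO STATE SERVICE REASON VERSION..."
PORT_LINE = re.compile(
    r"^(?P<port>\d+)/(?P<proto>tcp|udp)\s+(?P<state>\S+)\s+(?P<service>\S+)"
    r"\s+(?P<reason>\S+)\s*(?P<version>.*)$"
)

# Substrings of captured banners that identify an application nmap's probe
# database did not name here (most specific first). Table is my own choice.
MARKERS = [
    ("i_like_gitea=", "Gitea (session cookie name)"),
    ("HTTP/1.", "unknown HTTP server"),
]


def parse_report(text: str) -> Dict[int, dict]:
    """Return {port: {...}} with NSE/fingerprint lines attached to their port."""
    ports: Dict[int, dict] = {}
    current: Optional[dict] = None
    for line in text.splitlines():
        m = PORT_LINE.match(line)
        if m:
            current = {
                "proto": m["proto"], "state": m["state"], "service": m["service"],
                "reason": m["reason"], "version": m["version"].strip(),
                "script": [],
            }
            ports[int(m["port"])] = current
        elif line.startswith("|") and current is not None:
            # NSE output lines are prefixed with "| " / "|_"; strip that decoration.
            current["script"].append(line.lstrip("|_ ").rstrip())
        elif line.startswith("Service Info:"):
            break
    return ports


def identify(entry: dict) -> Optional[str]:
    """Name a service nmap only guessed (trailing '?') from its captured banner."""
    if not entry["service"].endswith("?"):
        return None
    blob = "\n".join(entry["script"])
    for needle, label in MARKERS:
        if needle in blob:
            return label
    return None


def unverified_services(text: str) -> Dict[int, Optional[str]]:
    """Ports whose service name nmap could not verify, with our best label."""
    return {port: identify(e) for port, e in parse_report(text).items()
            if e["service"].endswith("?")}


if __name__ == "__main__":
    for port, entry in parse_report(SAMPLE_REPORT).items():
        print(port, entry["state"], entry["service"], entry["version"],
              "->", identify(entry) or "")
```

The `script` list keeps the raw NSE lines so a second pass can look for other markers (for example an `X-Powered-By` header) without re-running the scan.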

HTTP (80) [Enumeration]

[Screenshot: Writeup.png]

Access to /data/modules is denied, and to get into the CMS we need the admin password.

LFI is blocked because ../ sequences are filtered, and there is nothing interesting without a password.

Enumerate files/directories:

DNS enumeration also returned nothing.

Gitea (3000)

There's a Gitea instance running:

[Screenshot: Writeup-1.png]

On the register page we can register with OpenID, and by the looks of it the server is able to make requests:

[Screenshot: Writeup-2.png]

The web app on port 80 is open source:

[Screenshot: Writeup-3.png]
[Screenshot: Writeup-4.png]

HTTP (80) [Exploitation]

Now that we are able to log in, we can upload files to the server:

Options > Manage modules > Install modules

[Screenshot: Writeup-5.png]

Access the webshell:

[Screenshot: Writeup-6.png]

Ugh... as always, HTB runs a cron job that deletes anything uploaded within a minute.

Just upload a reverse shell directly and catch the connection:

Reverse Shell

I wanted a database connection string to leak a password from, but Pluck CMS doesn't use one:

The service does seem to be online.

Enumerate the system with linpeas:

We are unable to read the files; only root or the git group can read them.

Anyway, nothing really interesting so far without the junior user.

SSH

Privilege Escalation (junior)

Using the password we found in Pluck CMS, we can log in as junior!

SSH doesn't allow login via password.

User.txt

Privilege Escalation (root)

The PDF files seem to be the same...

[Screenshot: Writeup-7.png]

The password is a pixelated image and no PDF manipulation can uncover it, but we can extract the image and try to reverse the pixelation.

This New Tool Can Retrieve Pixelated Text from Redacted Documents

Dan Petro, a lead researcher at offensive security firm Bishop Fox, has demonstrated a new open-source tool called Unredacter to reconstruct text from the pixelated images, effectively leaking the very information that was meant to be protected. The tool is also seen as an improvement over an existing utility named Depix, which works by looking up what permutations of pixels could have resulted in certain pixelated blocks to recover the text.

The blog above introduces a new tool called Unredacter. Official post: Never, Ever, Ever Use Pixelation for Redacting Text.

I was not able to get any valid results with the project, so I resorted to the Depix tool.

[Screenshot: output.png]

Most of the text is somewhat readable now!
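Why Depix can work at all: a pixelate filter replaces each block with the mean of the pixels it covers, which is a deterministic function of the text underneath, so anyone with the same font and block size can render every candidate glyph, pixelate it the same way and compare. The following is an added illustration of that lookup idea, not the page's, Depix's or Unredacter's code. It uses a constructed 5x5 bitmap font and assumes the block grid lines up with the glyph cells (Depix handles unknown alignment and real fonts by pixelating a rendered De Bruijn sequence; this toy does not). It also shows the two things a defender should take away: coarser blocks only narrow the candidate set rather than removing it, and a solid fill leaves nothing to match.

```python
from typing import Dict, List

# Constructed 5x5 bitmap font for a tiny alphabet (1 = ink, 0 = background).
GLYPHS: Dict[str, List[str]] = {
    "A": ["01110", "10001", "11111", "10001", "10001"],
    "B": ["11110", "10001", "11110", "10001", "11110"],
    "C": ["01111", "10000", "10000", "10000", "01111"],
    "D": ["11110", "10001", "10001", "10001", "11110"],
    "E": ["11111", "10000", "11110", "10000", "11111"],
    "F": ["11111", "10000", "11110", "10000", "10000"],
    "H": ["10001", "10001", "11111", "10001", "10001"],
    "I": ["11111", "00100", "00100", "00100", "11111"],
    "L": ["10000", "10000", "10000", "10000", "11111"],
    "T": ["11111", "00100", "00100", "00100", "00100"],
}
GLYPH_H = 5
CELL_W = 6  # 5 glyph columns plus one blank separator column

Bitmap = List[List[int]]


def render(text: str) -> Bitmap:
    """Render text with the toy font, glyphs side by side."""
    rows: List[List[int]] = [[] for _ in range(GLYPH_H)]
    for ch in text:
        for r, line in enumerate(GLYPHS[ch]):
            rows[r].extend(int(b) for b in line)
            rows[r].append(0)  # separator column
    return rows


def pixelate(bitmap: Bitmap, block: int) -> List[List[float]]:
    """Mosaic filter: each block x block cell becomes the mean of its pixels,
    which is what an image editor's 'pixelate' does (edge cells may be partial)."""
    h, w = len(bitmap), len(bitmap[0])
    out = []
    for by in range(0, h, block):
        row = []
        for bx in range(0, w, block):
            cells = [bitmap[y][x]
                     for y in range(by, min(by + block, h))
                     for x in range(bx, min(bx + block, w))]
            row.append(round(sum(cells) / len(cells), 4))
        out.append(row)
    return out


def solid_redact(bitmap: Bitmap) -> Bitmap:
    """Proper redaction: overwrite every pixel so no statistic of the text survives."""
    return [[1] * len(row) for row in bitmap]


def recover(pixelated: List[List[float]], block: int) -> List[List[str]]:
    """Lookup in the spirit of Depix: pixelate every candidate glyph with the
    same block size and alignment, and report which glyphs reproduce each cell."""
    if CELL_W % block:
        raise ValueError("toy assumes glyph cells align with the block grid")
    cols_per_cell = CELL_W // block
    table = {ch: pixelate(render(ch), block) for ch in GLYPHS}
    n_cells = len(pixelated[0]) // cols_per_cell
    candidates = []
    for i in range(n_cells):
        window = [row[i * cols_per_cell:(i + 1) * cols_per_cell] for row in pixelated]
        candidates.append(sorted(ch for ch, px in table.items() if px == window))
    return candidates


def as_text(candidates: List[List[str]]) -> str:
    """Unique match as the letter, ambiguous cell as {..}, no match as '#'."""
    return "".join(
        c[0] if len(c) == 1 else ("{" + "".join(c) + "}" if c else "#")
        for c in candidates
    )


if __name__ == "__main__":
    secret = "HTB"  # constructed sample, not the box's password
    for block in (2, 6):
        print(f"block={block}:", as_text(recover(pixelate(render(secret), block), block)))
    print("solid fill:", as_text(recover(pixelate(solid_redact(render(secret)), 2), 2)))
```

With 2-pixel blocks every glyph of the toy alphabet pixelates differently, so the text is read back exactly; with 6-pixel blocks (one block per glyph) each cell keeps only the ink count, which still cuts ten candidates down to two per position. After a solid fill every cell is identical and no glyph matches, which is the behaviour the "never use pixelation" advice above is asking for.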


Root.txt

Root Scripts
