...
PORT STATE SERVICE REASON VERSION
22/tcp open ssh syn-ack ttl 63 OpenSSH 8.9p1 Ubuntu 3ubuntu0.10 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 256 57:d6:92:8a:72:44:84:17:29:eb:5c:c9:63:6a:fe:fd (ECDSA)
| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBOp+cK9ugCW282Gw6Rqe+Yz+5fOGcZzYi8cmlGmFdFAjI1347tnkKumDGK1qJnJ1hj68bmzOONz/x1CMeZjnKMw=
| 256 40:ea:17:b1:b6:c5:3f:42:56:67:4a:3c:ee:75:23:2f (ED25519)
|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEZQbCc8u6r2CVboxEesTZTMmZnMuEidK9zNjkD2RGEv
80/tcp open http syn-ack ttl 63 nginx 1.18.0 (Ubuntu)
| http-methods:
|_ Supported Methods: GET HEAD POST OPTIONS
|_http-server-header: nginx/1.18.0 (Ubuntu)
|_http-title: Did not follow redirect to http://greenhorn.htb/
3000/tcp open http syn-ack ttl 63 Golang net/http server
|_http-title: GreenHorn
| http-methods:
|_ Supported Methods: HEAD GET
...
So there are 3 ports open: 22, 80 and 3000. Most likely the foothold is going to be through a web vulnerability since the only open ports are HTTP and SSH.
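As an added example (not part of the original writeup), the following Python turns nmap normal output like the block above into structured records, so the exposed services, version banners and any hostname leaked through an HTTP redirect can be checked against an asset inventory instead of being read by eye. The sample input is constructed by copying the port lines shown above; the regexes and helper names are my own assumptions about the output shape, not an nmap API.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple
from urllib.parse import urlsplit

# Constructed sample: the port/script lines from the scan above, with the
# long host-key blobs shortened. Real nmap output uses column padding; the
# regexes below accept any run of whitespace so both forms parse.
SAMPLE = """\
PORT STATE SERVICE REASON VERSION
22/tcp open ssh syn-ack ttl 63 OpenSSH 8.9p1 Ubuntu 3ubuntu0.10 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   256 57:d6:92:8a:72:44:84:17:29:eb:5c:c9:63:6a:fe:fd (ECDSA)
|_  256 40:ea:17:b1:b6:c5:3f:42:56:67:4a:3c:ee:75:23:2f (ED25519)
80/tcp open http syn-ack ttl 63 nginx 1.18.0 (Ubuntu)
| http-methods:
|_  Supported Methods: GET HEAD POST OPTIONS
|_http-server-header: nginx/1.18.0 (Ubuntu)
|_http-title: Did not follow redirect to http://greenhorn.htb/
3000/tcp open http syn-ack ttl 63 Golang net/http server
|_http-title: GreenHorn
"""

# A port line: "<port>/<proto> <state> <service> <reason> [ttl N] [version...]"
PORT_RE = re.compile(
    r"^(?P<port>\d+)/(?P<proto>tcp|udp)\s+"
    r"(?P<state>\S+)\s+(?P<service>\S+)\s+"
    r"(?P<reason>\S+)(?:\s+ttl\s+(?P<ttl>\d+))?"
    r"\s*(?P<version>.*)$"
)
# NSE script output lines start with "|" or "|_" and belong to the port above.
SCRIPT_RE = re.compile(r"^\|_?\s*(?P<body>.*)$")
REDIRECT_RE = re.compile(r"Did not follow redirect to (?P<url>\S+)")


@dataclass
class PortRecord:
    port: int
    proto: str
    state: str
    service: str
    reason: str
    ttl: Optional[int]
    version: str
    scripts: List[str] = field(default_factory=list)

    def script(self, name: str) -> Optional[str]:
        """Return the value of an NSE script line such as 'http-title: ...'."""
        prefix = name + ":"
        for line in self.scripts:
            if line.startswith(prefix):
                return line[len(prefix):].strip()
        return None


def parse_nmap(text: str) -> List[PortRecord]:
    """Parse nmap normal output into one PortRecord per port line."""
    records: List[PortRecord] = []
    current: Optional[PortRecord] = None
    for raw in text.splitlines():
        line = raw.rstrip()
        m = PORT_RE.match(line)
        if m:
            current = PortRecord(
                port=int(m["port"]), proto=m["proto"], state=m["state"],
                service=m["service"], reason=m["reason"],
                ttl=int(m["ttl"]) if m["ttl"] else None,
                version=m["version"].strip(),
            )
            records.append(current)
            continue
        s = SCRIPT_RE.match(line)
        if s and current is not None:
            current.scripts.append(s["body"].strip())
    return records


def software_inventory(records: List[PortRecord]) -> List[Tuple[int, str, str]]:
    """(port, service, version banner) for every open port that leaked a version."""
    return [(r.port, r.service, r.version)
            for r in records if r.state == "open" and r.version]


def redirect_hosts(records: List[PortRecord]) -> List[str]:
    """Hostnames disclosed by 'Did not follow redirect' titles (virtual hosts)."""
    hosts: List[str] = []
    for r in records:
        title = r.script("http-title")
        m = REDIRECT_RE.search(title) if title else None
        if m:
            host = urlsplit(m["url"]).hostname
            if host and host not in hosts:
                hosts.append(host)
    return hosts


if __name__ == "__main__":
    recs = parse_nmap(SAMPLE)
    for port, service, version in software_inventory(recs):
        print(f"{port}/{service}: {version}")
    print("redirect hosts:", redirect_hosts(recs))
```

Feeding real `nmap -sV -sC --reason` output (or a saved `-oN` file) into `parse_nmap` gives the same records; the version banners are what a defender compares against patch baselines, and `redirect_hosts` is a quick way to notice that a web server is announcing a name that may not be in DNS or the inventory.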
Upon visiting the main page I immediately noticed "powered by pluck" in the footer. The link's domain hinted it was a CMS, so I searched for version details and easily found them in the page metadata.
I searched for a CVE linked to this version of pluck and quickly came across this PoC. After reviewing the script, I realized that credentials were required to exploit the vulnerability.
After spending some time searching for credentials on the website running on port 80, I decided it was worth checking this port as well. This led me to changepass.php, which eventually pointed to pass.php, where I discovered a hash.
Running hashid identified it as a SHA-512 hash, so I used john to crack it and successfully retrieved the password.
With the password in hand, I assumed the username was likely admin and followed the instructions from the PoC's GitHub page. I generated a PHP reverse shell, zipped it, updated poc.py with the credentials and hostname, and executed the exploit.
I successfully gained a shell as www-data and discovered the user flag in /home/junior. I attempted to log in as junior using the same password, and it worked.
I downloaded the other PDF file from /home/junior, which contained a blurred password. I used Depix to recover the password and then claimed the root flag using it.