chirpy-starter/_posts/2024-01-13-greenhorn.md
2025-02-03 22:22:27 -06:00
---
title: HTB - GreenHorn
date: 2024-02-02 12:17:34 -0400
categories: [hackthebox , GreenHorn]
tags: [HackTheBox, CMS pluck, RCE, User-Agent]
image:
  path: /assets/img/post/greenhorn/greenhorn-card.png
  lqip: data:image/webp;base64,UklGRpoAAABXRUJQVlA4WAoAAAAQAAAADwAABwAAQUxQSDIAAAARL0AmbZurmr57yyIiqE8oiG0bejIYEQTgqiDA9vqnsUSI6H+oAERp2HZ65qP/VIAWAFZQOCBCAAAA8AEAnQEqEAAIAAVAfCWkAALp8sF8rgRgAP7o9FDvMCkMde9PK7euH5M1m6VWoDXf2FkP3BqV0ZYbO6NA/VFIAAAA
  alt: Hack the Box - GreenHorn.
---
## Box Info
| Name | GreenHorn |
| :-------------------- | ---------------: |
| Release Date | 20 Jul, 2024 |
| OS | Linux |
| Rated Difficulty | Easy |
## **Enumeration**
### Information Gathering
#### Scan with nmap:
![Image](/assets/img/post/greenhorn/image.png)
Add the hostname to /etc/hosts:
```bash
echo "10.10.11.25 greenhorn.htb" | sudo tee -a /etc/hosts
```
Fingerprint the web stack with `whatweb` (or the Wappalyzer browser extension):
```bash
whatweb greenhorn.htb
```
At the bottom of the page there is a link to an `admin` login, and the CMS behind it is `pluck`:
![Image](/assets/img/post/greenhorn/image-1.png)
## CMS pluck 4.7.18
The admin page reveals the CMS version, pluck 4.7.18, which has a known RCE. The vulnerability is authenticated, though, so we first need the pluck password. Port 3000 also answered with an HTTP 200, and it turned out to host a Gitea instance (a self-hosted, GitHub-like service). After searching through the repositories there, I found a credential that I assumed was the pluck CMS password.
![Image](/assets/img/post/greenhorn/image-2.png)
## Gitea
![Image](/assets/img/post/greenhorn/image-3.png)
The password found there is `iloveyou1`.
![Image](/assets/img/post/greenhorn/image-4.png)
## Exploitation
Logging into pluck CMS with that password lands us in the administrator panel, which confirms the version:
![Image](/assets/img/post/greenhorn/image-5.png)
There is a public [RCE exploit](https://www.exploit-db.com/exploits/51592) for exactly this version of pluck CMS, so we follow its approach:
![Image](/assets/img/post/greenhorn/image-6.png)
The `upload_url` in that exploit shows where the weakness is: the "installmodule" action in pluck's module section lets an authenticated admin upload a zip "module", and its contents are unpacked under the web root, so any PHP file inside the archive becomes reachable and executable. We go there and use it:
![Image](/assets/img/post/greenhorn/image-7.png)
To turn this into a shell we need a PHP reverse shell, because the site is served by Apache with PHP: I used the pentestmonkey PHP reverse shell, set the listener IP and port in it, zipped it, and uploaded the archive as a module.
![Image](/assets/img/post/greenhorn/image-8.png)
## Privilege Escalation
The installer unpacks the archive under `data/modules/<module name>/`, so after uploading the zip our file is reachable at http://greenhorn.htb/data/modules/shell/revshell.php. Start a listener with `nc -lvnp 9001` and request that URL; the reverse shell comes back as `www-data`. The password `iloveyou1` is reused by the `junior` user, so logging in as `junior` with it gives us that account and `user.txt`.
![Image](/assets/img/post/greenhorn/image-9.png)
To escalate to root we download the file 'Using OpenVAS.pdf' found on the box:
![Image](/assets/img/post/greenhorn/image-10.png)
The PDF contains a pixelated screenshot of a password. After hours of searching, I needed two tools:
- `pdfimages` from poppler-utils, to extract the embedded image from the PDF
- `depix.py` from https://github.com/spipm/Depix, to recover text from the pixelated image

Extract the images from the PDF:
```bash
pdfimages -png 'Using OpenVAS.pdf' openvas
```
![Image](/assets/img/post/greenhorn/image-11.png)
## Pixelated Screenshot
Depix works because box pixelation processes every block independently: it pixelates a search image of a known character sequence rendered in the same editor and font (here the bundled Notepad/Windows 10 De Bruijn sequence) and matches those blocks against the target. Point it at the extracted image and that search image:
```zsh
python3 depix.py -p /path/to/openvas-image.png -s images/searchimages/debruinseq_notepad_windows10_CloseAndSpace.png -o out1.png
```
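To make the matching idea concrete, here is a toy de-pixelation in pure Python. It is an added example written for this post, not Depix's own code: a constructed 4x4 bitmap "font" of ten letters stands in for the Notepad rendering, the search image is the concatenation of every glyph (the role Depix's De Bruijn screenshot plays), and the block grid is aligned to glyph boundaries by construction, which real Depix has to search for. The second call shows the failure mode a practitioner should expect: with one block per glyph, several letters average to the same value and the result is a set of candidates rather than a single character.

```python
"""Toy Depix: pixelate a known 'font', then match pixelated blocks back.

Added example for the GreenHorn write-up; the font below is constructed,
not a real typeface, and block boundaries are aligned with glyphs.
"""
from typing import Dict, List

GLYPH_W = GLYPH_H = 4
# Constructed 4x4 bitmaps; '1' is an ink pixel.
FONT: Dict[str, List[str]] = {
    "s": ["0111", "1000", "0011", "1110"],
    "i": ["0100", "0000", "0100", "0100"],
    "d": ["0001", "0111", "1001", "0111"],
    "e": ["1111", "1000", "1110", "1111"],
    "f": ["0111", "0100", "1110", "0100"],
    "r": ["1011", "1100", "1000", "1000"],
    "o": ["0110", "1001", "1001", "0110"],
    "m": ["1010", "1111", "1001", "1001"],
    "t": ["0100", "1111", "0100", "0011"],
    "h": ["1000", "1110", "1001", "1001"],
}
Image = List[List[float]]


def render(text: str) -> Image:
    """'Screenshot' the text: glyphs side by side, GLYPH_H rows high."""
    return [[float(FONT[ch][row][col]) for ch in text for col in range(GLYPH_W)]
            for row in range(GLYPH_H)]


def pixelate(img: Image, block: int) -> Image:
    """Box pixelation: replace every block x block square by its mean."""
    h, w = len(img), len(img[0])
    assert h % block == 0 and w % block == 0, "blocks must tile the image"
    out = []
    for by in range(0, h, block):
        row = []
        for bx in range(0, w, block):
            total = sum(img[y][x] for y in range(by, by + block)
                        for x in range(bx, bx + block))
            row.append(total / (block * block))
        out.append(row)
    return out


def glyph_signature(pix: Image, index: int, block: int) -> tuple:
    """Flatten the pixelated blocks that cover glyph slot `index`."""
    per_glyph = GLYPH_W // block
    return tuple(v for row in pix
                 for v in row[index * per_glyph:(index + 1) * per_glyph])


def build_lookup(block: int) -> Dict[tuple, List[str]]:
    """Pixelate the search image (every known glyph) and index by signature."""
    alphabet = "".join(FONT)
    pix = pixelate(render(alphabet), block)
    lookup: Dict[tuple, List[str]] = {}
    for i, ch in enumerate(alphabet):
        lookup.setdefault(glyph_signature(pix, i, block), []).append(ch)
    return {k: sorted(v) for k, v in lookup.items()}


def depix(pix: Image, block: int) -> List[List[str]]:
    """For every glyph slot, list the glyphs whose pixelation matches exactly."""
    lookup = build_lookup(block)
    slots = len(pix[0]) // (GLYPH_W // block)
    return [lookup.get(glyph_signature(pix, i, block), []) for i in range(slots)]


def recover(text: str, block: int) -> List[List[str]]:
    """Pixelate `text` with the given block size, then try to undo it."""
    return depix(pixelate(render(text), block), block)


if __name__ == "__main__":
    print(recover("side", 2))  # fine blocks: every slot resolves to one letter
    print(recover("side", 4))  # one block per glyph: 's' and 'd' collide
```

The lesson carries over to the real tool: the smaller the pixelation blocks relative to the glyphs, the more distinct block values survive and the more reliably text comes back, which is why pixelation is not a safe redaction for text in a known font.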
![Image](/assets/img/post/greenhorn/image-12.png)
And we got the password for root:
`sidefromsidetheothersidesidefromsidetheotherside`
![Image](/assets/img/post/greenhorn/image-13.png)
Then we log in as root with it:
![Image](/assets/img/post/greenhorn/image-14.png)