Introduction to Greenhorn:

In this write-up, we will explore the “Greenhorn” machine from Hack The Box, categorized as an easy difficulty challenge. This walkthrough will cover the reconnaissance, exploitation, and privilege escalation steps required to capture the flag.
Objective:
The goal of this walkthrough is to complete the “Greenhorn” machine from Hack The Box by achieving the following objectives:
User Flag:
Vulnerabilities in the Web Environment:
- Pluck CMS: exploitable flaws leading to potential remote code execution (RCE) and information leakage.
- Gitea: weaknesses in repository access, resulting in exposed sensitive information.
Root Flag:
Obtaining Root Password Using Depix and Pdfimages:
- Extract images from the PDF: use the pdfimages tool to extract all images embedded within the PDF document.
- Decode the image: use depix.py to process the image and extract any hidden password or CAPTCHA.
- Retrieve the root password: analyze the decoded information from the image to obtain the root password.
Enumerating the Greenhorn Machine
Reconnaissance:
Nmap Scan:
Begin with a network scan to identify open ports and running services on the target machine.
nmap -sC -sV -oN nmap_initial.txt 10.10.11.25
Nmap Output:
┌─[darknite@parrot]─[~/Documents/htb/greenhorn]
└──╼ $nmap -sC -sV 10.10.11.25 -oA initial
# Nmap 7.94SVN scan initiated Fri Jul 26 00:30:49 2024 as: nmap -sC -sV -oA initial 10.10.11.25
Nmap scan report for 10.10.11.25
Host is up (0.024s latency).
Not shown: 997 closed tcp ports (conn-refused)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.9p1 Ubuntu 3ubuntu0.10 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 256 57:d6:92:8a:72:44:84:17:29:eb:5c:c9:63:6a:fe:fd (ECDSA)
|_ 256 40:ea:17:b1:b6:c5:3f:42:56:67:4a:3c:ee:75:23:2f (ED25519)
80/tcp open http nginx 1.18.0 (Ubuntu)
|_http-title: Did not follow redirect to http://greenhorn.htb/
|_http-server-header: nginx/1.18.0 (Ubuntu)
3000/tcp open ppp?
| fingerprint-strings:
| GenericLines, Help, RTSPRequest:
| HTTP/1.1 400 Bad Request
| Content-Type: text/plain; charset=utf-8
| Connection: close
| Request
| GetRequest:
| HTTP/1.0 200 OK
| Cache-Control: max-age=0, private, must-revalidate, no-transform
| Content-Type: text/html; charset=utf-8
| Set-Cookie: i_like_gitea=619980d7152f40da; Path=/; HttpOnly; SameSite=Lax
| Set-Cookie: _csrf=6fJdfVPk0OUjIRrPRoIBUy-6cqk6MTcyMTk2Nzc2NDE2MzAzODA0OQ; Path=/; Max-Age=86400; HttpOnly; SameSite=Lax
| X-Frame-Options: SAMEORIGIN
| Date: Fri, 26 Jul 2024 04:22:44 GMT
| <!DOCTYPE html>
| <html lang="en-US" class="theme-auto">
| <head>
| <meta name="viewport" content="width=device-width, initial-scale=1">
| <title>GreenHorn</title>
| <link rel="manifest" href="data:application/json;base64,eyJuYW1lIjoiR3JlZW5Ib3JuIiwic2hvcnRfbmFtZSI6IkdyZWVuSG9ybiIsInN0YXJ0X3VybCI6Imh0dHA6Ly9ncmVlbmhvcm4uaHRiOjMwMDAvIiwiaWNvbnMiOlt7InNyYyI6Imh0dHA6Ly9ncmVlbmhvcm4uaHRiOjMwMDAvYXNzZXRzL2ltZy9sb2dvLnBuZyIsInR5cGUiOiJpbWFnZS9wbmciLCJzaXplcyI6IjUxMng1MTIifSx7InNyYyI6Imh0dHA6Ly9ncmVlbmhvcm4uaHRiOjMwMDAvYX
| HTTPOptions:
| HTTP/1.0 405 Method Not Allowed
| Allow: HEAD
| Allow: GET
| Cache-Control: max-age=0, private, must-revalidate, no-transform
| Set-Cookie: i_like_gitea=0332167734d7a265; Path=/; HttpOnly; SameSite=Lax
| Set-Cookie: _csrf=PW1VypXGwru-m8Flu1SrrGYvA_k6MTcyMTk2Nzc2OTMwNTM1NzE5OQ; Path=/; Max-Age=86400; HttpOnly; SameSite=Lax
| X-Frame-Options: SAMEORIGIN
| Date: Fri, 26 Jul 2024 04:22:49 GMT
|_ Content-Length: 0
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port3000-TCP:V=7.94SVN%I=7%D=7/26%Time=66A32685%P=x86_64-pc-linux-gnu%r
SF:(GenericLines,67,"HTTP/1\.1\x20400\x20Bad\x20Request\r\nContent-Type:\x
SF:20text/plain;\x20charset=utf-8\r\nConnection:\x20close\r\n\r\n400\x20Ba
SF:d\x20Request")%r(GetRequest,1000,"HTTP/1\.0\x20200\x20OK\r\nCache-Contr
SF:ol:\x20max-age=0,\x20private,\x20must-revalidate,\x20no-transform\r\nCo
SF:ntent-Type:\x20text/html;\x20charset=utf-8\r\nSet-Cookie:\x20i_like_git
SF:ea=619980d7152f40da;\x20Path=/;\x20HttpOnly;\x20SameSite=Lax\r\nSet-Coo
SF:kie:\x20_csrf=6fJdfVPk0OUjIRrPRoIBUy-6cqk6MTcyMTk2Nzc2NDE2MzAzODA0OQ;\x
SF:20Path=/;\x20Max-Age=86400;\x20HttpOnly;\x20SameSite=Lax\r\nX-Frame-Opt
SF:ions:\x20SAMEORIGIN\r\nDate:\x20Fri,\x2026\x20Jul\x202024\x2004:22:44\x
SF:20GMT\r\n\r\n<!DOCTYPE\x20html>\n<html\x20lang=\"en-US\"\x20class=\"the
SF:me-auto\">\n<head>\n\t<meta\x20name=\"viewport\"\x20content=\"width=dev
SF:ice-width,\x20initial-scale=1\">\n\t<title>GreenHorn</title>\n\t<link\x
SF:20rel=\"manifest\"\x20href=\"data:application/json;base64,eyJuYW1lIjoiR
SF:3JlZW5Ib3JuIiwic2hvcnRfbmFtZSI6IkdyZWVuSG9ybiIsInN0YXJ0X3VybCI6Imh0dHA6
SF:Ly9ncmVlbmhvcm4uaHRiOjMwMDAvIiwiaWNvbnMiOlt7InNyYyI6Imh0dHA6Ly9ncmVlbmh
SF:vcm4uaHRiOjMwMDAvYXNzZXRzL2ltZy9sb2dvLnBuZyIsInR5cGUiOiJpbWFnZS9wbmciLC
SF:JzaXplcyI6IjUxMng1MTIifSx7InNyYyI6Imh0dHA6Ly9ncmVlbmhvcm4uaHRiOjMwMDAvY
SF:X")%r(Help,67,"HTTP/1\.1\x20400\x20Bad\x20Request\r\nContent-Type:\x20t
SF:ext/plain;\x20charset=utf-8\r\nConnection:\x20close\r\n\r\n400\x20Bad\x
SF:20Request")%r(HTTPOptions,197,"HTTP/1\.0\x20405\x20Method\x20Not\x20All
SF:owed\r\nAllow:\x20HEAD\r\nAllow:\x20GET\r\nCache-Control:\x20max-age=0,
SF:\x20private,\x20must-revalidate,\x20no-transform\r\nSet-Cookie:\x20i_li
SF:ke_gitea=0332167734d7a265;\x20Path=/;\x20HttpOnly;\x20SameSite=Lax\r\nS
SF:et-Cookie:\x20_csrf=PW1VypXGwru-m8Flu1SrrGYvA_k6MTcyMTk2Nzc2OTMwNTM1NzE
SF:5OQ;\x20Path=/;\x20Max-Age=86400;\x20HttpOnly;\x20SameSite=Lax\r\nX-Fra
SF:me-Options:\x20SAMEORIGIN\r\nDate:\x20Fri,\x2026\x20Jul\x202024\x2004:2
SF:2:49\x20GMT\r\nContent-Length:\x200\r\n\r\n")%r(RTSPRequest,67,"HTTP/1\
SF:.1\x20400\x20Bad\x20Request\r\nContent-Type:\x20text/plain;\x20charset=
SF:utf-8\r\nConnection:\x20close\r\n\r\n400\x20Bad\x20Request");
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Fri Jul 26 00:32:31 2024 -- 1 IP address (1 host up) scanned in 102.58 seconds
Analysis:
- Port 22 (SSH): Remote access via OpenSSH 8.9p1.
- Port 80 (HTTP): Nginx 1.18.0 with a redirect to greenhorn.htb.
- Port 3000 (Unknown Service): Responds with cookies and a “GreenHorn” manifest on a successful GET request; the i_like_gitea cookie name in the banner already points to Gitea.
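Nmap's normal-format output is easy to parse, and the analysis above is exactly the kind of triage a small script can do: list the open ports, keep the script output attached to each port, and fill in a product name for services nmap only guessed (the "ppp?" on port 3000) from banner fragments. The following is an added example written for this write-up, not part of the original post or of nmap; the sample input is a constructed excerpt of the scan shown above, and the banner-hint table is this example's own heuristic.

```python
import re
from urllib.parse import urlparse

# Constructed excerpt of the nmap normal-format output shown above (not the full scan).
SAMPLE_NMAP = """\
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.9p1 Ubuntu 3ubuntu0.10 (Ubuntu Linux; protocol 2.0)
80/tcp open http nginx 1.18.0 (Ubuntu)
|_http-title: Did not follow redirect to http://greenhorn.htb/
3000/tcp open ppp?
| fingerprint-strings:
|   GetRequest:
|     HTTP/1.0 200 OK
|     Set-Cookie: i_like_gitea=619980d7152f40da; Path=/; HttpOnly; SameSite=Lax
|     <title>GreenHorn</title>
"""

# One port line: "22/tcp open ssh OpenSSH 8.9p1 ..." (version text is optional).
PORT_RE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)(?:\s+(.*))?$")
REDIRECT_RE = re.compile(r"redirect to (\S+)")

# Banner fragments that identify a product nmap's probe database did not name (heuristic, ours).
BANNER_HINTS = {
    "i_like_gitea": "Gitea",
    "X-Powered-By: PHP": "PHP",
}


def parse_nmap(text):
    """Return one dict per port line, with the NSE/fingerprint lines that follow it attached."""
    services = []
    current = None
    for line in text.splitlines():
        m = PORT_RE.match(line)
        if m:
            port, proto, state, service, version = m.groups()
            current = {
                "port": int(port), "proto": proto, "state": state,
                "service": service.rstrip("?"),
                "guessed": service.endswith("?"),   # nmap marks uncertain matches with '?'
                "version": version or "",
                "script_lines": [],
                "identified_as": None,
            }
            services.append(current)
        elif line.startswith("|") and current is not None:
            current["script_lines"].append(line.lstrip("|_ ").strip())
    return services


def identify_unknown(services):
    """Name the product behind a guessed service using cookie/header fragments in its banner."""
    for svc in services:
        if not svc["guessed"]:
            continue
        blob = "\n".join(svc["script_lines"])
        for needle, product in BANNER_HINTS.items():
            if needle in blob:
                svc["identified_as"] = product
                break
    return services


def redirect_hosts(services):
    """Virtual hosts revealed by HTTP redirects; these are the names to add to /etc/hosts."""
    hosts = []
    for svc in services:
        for line in svc["script_lines"]:
            m = REDIRECT_RE.search(line)
            if m:
                host = urlparse(m.group(1)).hostname
                if host and host not in hosts:
                    hosts.append(host)
    return hosts


if __name__ == "__main__":
    for svc in identify_unknown(parse_nmap(SAMPLE_NMAP)):
        print(svc["port"], svc["service"], svc["identified_as"] or svc["version"])
    print("redirect hosts:", redirect_hosts(parse_nmap(SAMPLE_NMAP)))
```

Run against a real `-oN` file by reading it into `parse_nmap`; the redirect host list is what you need for the greenhorn.htb hosts entry before browsing port 80.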
Web Enumeration:
Web Application Exploration:

Accessing port 80 reveals a Pluck CMS page containing hints for exploring the website’s resources. Additionally, clicking the ‘Admin’ link at the bottom leads to the CMS dashboard login page.

It redirects to a Gitea page, which we can explore further for potentially interesting content.



It seems to be running the Pluck application.


On port 3000, we found a Gitea repository, accessible without a password, hosting the GreenHorn project, which contains the web app’s source code. Configuration files typically store credentials for various components; exploring them, we discovered a password within http://greenhorn.htb:3000/GreenAdmin/GreenHorn/src/branch/main/data/settings/pass.php

We can use CrackStation to look up the stored hash and recover the password.
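The root cause here is a settings file committed to a readable repository, and the reason CrackStation works is that the stored value is a bare, unsalted digest that a precomputed lookup table can reverse. A scanner for both conditions, as an added example that is not from the write-up, from Pluck or from Gitea: it flags credential-style file names under settings directories, secret-looking assignments, and hex strings whose length matches a common digest. The file-name and directory patterns are this example's own heuristics, and the sample repository below is constructed (the hash is a made-up SHA-512-length string, not the machine's).

```python
import os
import re

# Heuristics (ours): credential-style file names under config directories,
# assignments that look like secrets, and hex strings sized like a common digest.
SENSITIVE_NAME_RE = re.compile(r"(pass|passwd|password|secret|credential|token|^\.env$)", re.I)
SETTINGS_DIR_RE = re.compile(r"^(settings|config|conf|private)$", re.I)
HEX_RE = re.compile(r"(?<![0-9a-fA-F])[0-9a-fA-F]{32,128}(?![0-9a-fA-F])")
ASSIGN_RE = re.compile(r"(pass(?:word)?|pwd|secret|token|api_key)\s*[=:]\s*['\"]?([^'\"\s;]+)", re.I)
DIGEST_BY_LENGTH = {32: "MD5", 40: "SHA-1", 64: "SHA-256", 128: "SHA-512"}


def classify_hex(token):
    """Name the digest a hex token is sized like, or None if the length matches nothing common."""
    return DIGEST_BY_LENGTH.get(len(token))


def scan_file(path, content):
    """Findings for one file as (path, kind, detail) tuples."""
    findings = []
    parts = path.replace("\\", "/").split("/")
    name = parts[-1]
    if SENSITIVE_NAME_RE.search(name) and any(SETTINGS_DIR_RE.search(p) for p in parts[:-1]):
        findings.append((path, "sensitive-file-name", name))
    for m in HEX_RE.finditer(content):
        kind = classify_hex(m.group(0))
        if kind:
            # A bare digest with no salt/algorithm prefix is what lookup tables reverse.
            findings.append((path, kind + "-length-digest", m.group(0)))
    for m in ASSIGN_RE.finditer(content):
        findings.append((path, "credential-assignment", m.group(0)))
    return findings


def scan_tree(files):
    """files: mapping of repo-relative path -> text content (pre-read, so the scan runs offline)."""
    findings = []
    for path, content in sorted(files.items()):
        findings.extend(scan_file(path, content))
    return findings


def scan_directory(root):
    """Convenience wrapper for a checked-out repository on disk."""
    files = {}
    for dirpath, _, names in os.walk(root):
        for n in names:
            full = os.path.join(dirpath, n)
            try:
                with open(full, encoding="utf-8", errors="replace") as fh:
                    files[os.path.relpath(full, root).replace(os.sep, "/")] = fh.read()
            except OSError:
                continue
    return scan_tree(files)


# Constructed mini repository mimicking a CMS checkout; values are invented.
SAMPLE_REPO = {
    "README.md": "# GreenHorn\nSample CMS checkout.\n",
    "data/settings/pass.php": "<?php\n$ww = '" + "ab" * 64 + "';\n?>",
    "data/settings/options.php": "<?php\n$title = 'GreenHorn';\n?>",
    "docs/notes.txt": "db_password = 'changeme'\n",
}

if __name__ == "__main__":
    for path, kind, detail in scan_tree(SAMPLE_REPO):
        print(path, kind, detail[:40])
```

Run `scan_directory(".")` inside a clone as a pre-commit or CI check; anything it reports belongs in environment configuration or a secrets store, not in the repository.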

We can use the previously discovered password to log in on the page above.

Pluck 4.7.18 is vulnerable to authenticated RCE: an administrator can upload a module as a ZIP file containing a malicious PHP script. Once uploaded, we can navigate to a specific path to execute the script.
To begin, we create a ZIP file containing our reverse shell script:



Upload the PHP reverse shell ZIP file via the Pluck admin panel (Options > Manage Modules > Install a module). Once the listener is active, we gain a reverse shell with www-data privileges.
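The module-install feature works as designed: an authenticated Pluck administrator can ship arbitrary PHP, which is why the leaked admin password is the real weakness. A defensive counterpart, as an added example that is not part of the write-up or of Pluck itself, is to inspect a module archive before it is unpacked: reject zip-slip paths, flag top-level files, and scan PHP members for shell-style calls. The one-directory-per-module layout and the call list are assumptions of this example; the two archives are built in memory and labelled as constructed.

```python
import io
import re
import zipfile

# Heuristic list (ours): calls a web/reverse shell almost always needs and a content module rarely does.
SHELL_CALL_RE = re.compile(r"\b(shell_exec|exec|system|passthru|proc_open|popen|fsockopen|eval|assert)\s*\(")
PHP_EXT_RE = re.compile(r"\.(php\d?|phtml|phar|inc)$", re.I)


def unsafe_member_path(name):
    """True if a ZIP member name is absolute or walks out of the extraction directory (zip-slip)."""
    parts = name.replace("\\", "/").split("/")
    return name.startswith(("/", "\\")) or re.match(r"^[A-Za-z]:", name) is not None or ".." in parts


def inspect_module_zip(data):
    """Inspect an uploaded module archive without extracting it. Returns (member, issue) tuples."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            name = info.filename
            if unsafe_member_path(name):
                findings.append((name, "path-traversal"))
                continue
            if info.is_dir():
                continue
            if "/" not in name:
                # Assumed layout: each module lives in its own directory, so a top-level file is suspect.
                findings.append((name, "file-outside-module-directory"))
            content = zf.read(name)
            if PHP_EXT_RE.search(name):
                hits = sorted(set(SHELL_CALL_RE.findall(content.decode("utf-8", errors="replace"))))
                if hits:
                    findings.append((name, "suspicious-php:" + ",".join(hits)))
            elif b"<?php" in content[:256] or b"<?=" in content[:256]:
                # Script hidden behind an innocuous extension (only runs if the server is misconfigured).
                findings.append((name, "php-code-in-non-php-file"))
    return findings


def build_zip(members):
    """Build a ZIP in memory from {member_name: text}; zipfile does not sanitise names on write."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content in members.items():
            zf.writestr(name, content)
    return buf.getvalue()


# Constructed archives: a harmless module and one exhibiting each red flag (call names only, no payload).
BENIGN_MODULE = build_zip({
    "hello/hello.php": "<?php\nfunction hello_render() { return '<p>Hello</p>'; }\n",
    "hello/README.txt": "Prints a greeting.\n",
})
SUSPICIOUS_MODULE = build_zip({
    "shell/shell.php": "<?php\n// constructed: calls typical of a shell module\nfsockopen(); proc_open();\n",
    "../../evil.txt": "x",
    "logo.jpg": "<?php echo 1; ?>",
})

if __name__ == "__main__":
    print("benign:", inspect_module_zip(BENIGN_MODULE))
    print("suspicious:", inspect_module_zip(SUSPICIOUS_MODULE))
```

Wire `inspect_module_zip` in front of the unpack step and refuse the upload on any finding; the same scan over the on-disk modules directory is a cheap way to spot a module that was installed before the check existed.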




Unable to read the user flag as www-data, we shift our focus to the junior user.


By reusing the Pluck CMS password retrieved from Gitea and executing su junior, we switch to the junior user and gain access to the user flag.

We can view the user flag by running the command cat user.txt.
Escalating to Root Privileges on the Greenhorn Machine
Privilege Escalation:

In the junior user’s directories, there is a PDF file that we can examine.



Next, let’s transfer the PDF file to our local machine.

The PDF file contains a hidden password.

We need to install the dependencies for the Depix tool.

Let’s download the script to our local machine.
What is pdfimages?
pdfimages is a command-line utility from the poppler-utils package that extracts images directly from PDF documents. Unlike converting a PDF to an image format, pdfimages extracts the images in their original format (e.g., JPEG, PNG, etc.) without any alteration or rendering. This is especially useful for forensic analysis or when you need to recover and analyze images embedded in a PDF.
Key Features:
- Extracts images embedded within PDFs without modifying their format.
- Supports multiple image formats like JPEG, PNG, and others.
- Handy for extracting images for further analysis or forensic examination.
Example Usage:
pdfimages -j sample.pdf image_prefix
This will extract all images from sample.pdf and save them as image_prefix-000.jpg, image_prefix-001.jpg, etc., depending on the images within the document.
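What "in their original format" means in practice is that an image inside a PDF is just a stream object tagged /Subtype /Image, and with -j pdfimages copies a DCTDecode (JPEG) stream out byte for byte, which is why the extracted file is forensically identical to what the author embedded. The toy extractor below, an added example that is not part of the write-up or of poppler, does exactly that on a PDF constructed inline (the JPEG payload is a marker-wrapped placeholder, not a real picture). It assumes direct /Length values and no object streams, which real PDFs may violate; poppler handles those cases, this example does not.

```python
import os
import re

# Extension pdfimages -j uses when it writes a stream out verbatim (DCTDecode = JPEG, JPXDecode = JPEG 2000).
# Uncompressed/Flate streams are decoded to PNM by pdfimages; this toy keeps their raw bytes instead.
FILTER_EXT = {"DCTDecode": "jpg", "JPXDecode": "jp2"}

OBJ_HEADER_RE = re.compile(rb"(\d+)\s+(\d+)\s+obj\b")
STREAM_DICT_RE = re.compile(rb"<<(.*)>>\s*stream\r?\n", re.S)
DIRECT_LENGTH_RE = re.compile(rb"/Length\s+(\d+)(?!\s+\d+\s+R)")   # skip indirect "/Length 7 0 R"


def _int_field(dictionary, key):
    m = re.search(rb"/" + key + rb"\s+(\d+)", dictionary)
    return int(m.group(1)) if m else None


def extract_images(pdf_bytes):
    """Return image XObjects as dicts holding the undecoded stream bytes, in file order."""
    images = []
    for chunk in pdf_bytes.split(b"endobj"):
        hm = OBJ_HEADER_RE.search(chunk)
        if not hm:
            continue
        body = chunk[hm.end():]
        sm = STREAM_DICT_RE.search(body)
        if not sm:
            continue                                   # object without a stream
        dictionary = sm.group(1)
        if not re.search(rb"/Subtype\s*/Image\b", dictionary):
            continue
        lm = DIRECT_LENGTH_RE.search(dictionary)
        if not lm:
            continue                                   # indirect /Length: beyond this toy parser
        length = int(lm.group(1))
        fm = re.search(rb"/Filter\s*/(\w+)", dictionary)
        filt = fm.group(1).decode() if fm else None
        images.append({
            "obj": int(hm.group(1)),
            "width": _int_field(dictionary, b"Width"),
            "height": _int_field(dictionary, b"Height"),
            "filter": filt,
            "ext": FILTER_EXT.get(filt, "raw"),
            "data": body[sm.end():sm.end() + length],  # copied verbatim, never re-encoded
        })
    return images


def output_names(images, prefix):
    """pdfimages-style numbering: prefix-000.jpg, prefix-001.jpg, ..."""
    return ["%s-%03d.%s" % (prefix, i, img["ext"]) for i, img in enumerate(images)]


def save_images(images, prefix, outdir="."):
    paths = []
    for name, img in zip(output_names(images, prefix), images):
        path = os.path.join(outdir, name)
        with open(path, "wb") as fh:
            fh.write(img["data"])
        paths.append(path)
    return paths


def build_sample_pdf():
    """Constructed one-page PDF with a JPEG-tagged image and a raw 4x4 grey image."""
    jpeg = b"\xff\xd8\xff\xe0" + b"CONSTRUCTED-JPEG-DATA" + b"\xff\xd9"   # SOI ... EOI markers only
    raw = bytes(range(16))
    return b"".join([
        b"%PDF-1.4\n",
        b"1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj\n",
        b"2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj\n",
        b"3 0 obj << /Type /Page /Parent 2 0 R /Resources << /XObject << /Im1 4 0 R /Im2 5 0 R >> >> >> endobj\n",
        b"4 0 obj << /Type /XObject /Subtype /Image /Width 8 /Height 8 /ColorSpace /DeviceRGB "
        b"/BitsPerComponent 8 /Filter /DCTDecode /Length " + str(len(jpeg)).encode() + b" >>\nstream\n"
        + jpeg + b"\nendstream\nendobj\n",
        b"5 0 obj << /Type /XObject /Subtype /Image /Width 4 /Height 4 /ColorSpace /DeviceGray "
        b"/BitsPerComponent 8 /Length 16 >>\nstream\n" + raw + b"\nendstream\nendobj\n",
        b"trailer << /Root 1 0 R >>\n%%EOF\n",
    ])


if __name__ == "__main__":
    for name, img in zip(output_names(extract_images(build_sample_pdf()), "image_prefix"),
                         extract_images(build_sample_pdf())):
        print(name, img["width"], img["height"], img["filter"], len(img["data"]), "bytes")
```

The takeaway for the Depix step that follows is that nothing about the pixelated image is lost or resampled on the way out of the PDF, so the block structure Depix relies on survives intact.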

The screenshot shows the pdfimages command being run.


We successfully extracted the embedded image from the PDF.


The command for depix.py is shown in the screenshot above.

Let’s run depix.py against the extracted image to reveal the password.

Success! We have successfully identified the password.


We can view the root flag by running the command cat root.txt.