Greenhorn Hackthebox Walkthrough

- Steps for enumeration

1. Using Nmap to scan for any hidden/open ports on the target machine.

2. I discovered there was an admin panel on the machine, which you can click on at the bottom half of the screen.

3. After visiting the admin panel, I noticed a service called “Pluck v4.7.18” was powering the functionality of the admin portal.

4. Once the admin portal was displayed, I noticed it required authentication via password.

5. By doing a little bit of recon, I found an RCE file upload script that allows a user to connect remotely to the server using a payload named “payload.zip”.

6. I then noticed there was another open port on the machine, port 3000.

7. I visited the machine on port 3000 and continued snooping around until I found this path leading to a hashed password: GreenAdmin/GreenHorn -> Data -> Settings -> Pass.php

8. I then proceeded to use a hash decoder such as CrackStation, an online tool that allows users to decode most hashes.

9. Once I decoded the hash, we had successfully found the password to user!

10. Using the decoded hash, I proceeded to log in via the admin portal with the password. And boom, I’m in!

11. Once I had successfully logged into the admin portal, I saw an option that allows me to manage the modules on the machine. I noticed I could upload a file remotely.

12. Using the Pluck RCE I found earlier on Exploit-DB, I noticed that inside the RCE file there is a read-file function that references “payload.zip”.

13. I then visited pentestmonkey.net for a reverse PHP shell.

14. After editing the reverse shell file to my needs, I zipped the .php file into “payload.zip”.

15. By uploading the .zip file to the “install a module” section on the website, I was able to upload my shell and use ncat together with the RCE to get a user shell.


PRIVILEGE ESCALATION

———————————

1. Once I had access to the user shell, I went to the user directory, where I found a user with the name “junior”.

2. Doing some privesc, I typed “su junior” to gain some privileges. Then I found user!!!

3. I also found an interesting file named “Using OpenVAS.pdf”.

4. Once I opened the PDF file, I noticed what seemed to be the password for root. But sadly it was pixelated.

5. While searching on Google for a fix, I came across a tool on GitHub called “Depix” (https://github.com/spipm/Depix).

6. Using the pdfimages tool, I was able to convert the PDF into a .png:

pdfimages -all Using\ OpenVAS.pdf 'img'

7. Using the command:

python3 depix.py -p ../extracted_image.png -s images/searchimages/debruinseq_notepad_Windows10_closeAndSpaced.png -o ./depixed.png

8. I was able to depixelate the image from the PDF file.

9. Using SSH and logging in with the password, I finally gained access to root!!!
