Greenhorn Hackthebox Walkthrough
- Steps for enumeration
1. Using Nmap to scan for any hidden/open ports on the target machine.
2. I discovered there was an admin panel on the machine that you can click on in the bottom half of the screen.
3. After visiting the admin panel, I noticed a service called "Pluck v4.7.18" was powering the functionality of the admin portal.
4. Once the admin portal was displayed, I noticed it requires authentication via password.
5. By doing a little bit of recon, I found an RCE file upload script that allows a user to connect remotely to the server using a payload named "payload.zip".
6. I then noticed there was another open port on the machine, port 3000.
7. I visited the machine on port 3000 and continued snooping around until I found this path leading to a hashed password: GreenAdmin/GreenHorn -> Data -> Settings -> Pass.php
8. I then proceeded to use a hash decoder such as CrackStation, an online tool that allows users to decode most hashes.
9. Once I decoded the hash, we've successfully found the password to user!
10. Using the password recovered from the hash, I proceed to log in via the admin portal. And boom, I'm in!
11. Once I've successfully logged into the admin portal, I see an option that allows me to manage the modules on the machine. I notice I can upload a file remotely.
12. Using the Pluck RCE I found earlier on Exploit-DB, I notice that inside the RCE file there is a read-file function that refers to "payload.zip".
13. I visited pentestmonkey.net for a reverse PHP shell.
14. After editing the reverse shell file to my needs, I zipped the .php file into "payload.zip".
15. By uploading the .zip file to the "install a module" section on the website, I was able to upload my shell and use ncat and the RCE to maintain a user shell.
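The hash lookup in the enumeration steps works because a service such as CrackStation is a precomputed table: it hashes enormous wordlists once and then answers any unsalted, single-round digest by lookup, with no hashing at query time. That it succeeded here indicates the password in Pass.php was stored that way. The Python below is an added illustration (my own code, not Pluck's, and it assumes nothing about Pluck's real hash format; the wordlist and the sample password are constructed) contrasting that with a salted, iterated hash, which a shared precomputed table cannot answer:

```python
import hashlib
import hmac
import os
from typing import Dict, Iterable, Optional, Tuple

# Constructed stand-in for the kind of wordlist a lookup service is built from.
WORDLIST = ["password", "letmein", "iloveyou", "springtime1", "qwerty123"]


def unsalted_sha512(password: str) -> str:
    """Unsalted, single-round digest: identical passwords always give identical
    output, no matter which site stored them."""
    return hashlib.sha512(password.encode()).hexdigest()


def build_lookup_table(words: Iterable[str]) -> Dict[str, str]:
    """Precompute digest -> plaintext once. Built once, it answers every unsalted
    hash of any listed word from any site, which is the model behind CrackStation."""
    return {unsalted_sha512(w): w for w in words}


def reverse_unsalted(digest: str, table: Dict[str, str]) -> Optional[str]:
    """Pure table lookup: no hashing work at query time."""
    return table.get(digest.lower())


def salted_pbkdf2(password: str, salt: bytes, iterations: int = 200_000) -> bytes:
    """Salted, iterated hash. The per-user salt makes a shared precomputed table
    useless (every salt would need its own table) and the iteration count makes
    each individual guess cost 200k rounds."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)


def new_salted_record(password: str) -> Tuple[bytes, bytes]:
    """What a password store should write: a random salt next to the stretched hash."""
    salt = os.urandom(16)
    return salt, salted_pbkdf2(password, salt)


def verify_salted(password: str, salt: bytes, stored: bytes) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    return hmac.compare_digest(salted_pbkdf2(password, salt), stored)


if __name__ == "__main__":
    table = build_lookup_table(WORDLIST)
    leaked = unsalted_sha512("springtime1")
    print("unsalted digest reversed by lookup:", reverse_unsalted(leaked, table))
    salt, stored = new_salted_record("springtime1")
    print("salted record verifies:", verify_salted("springtime1", salt, stored))
    print("same password under another salt gives the same digest?",
          salted_pbkdf2("springtime1", os.urandom(16)) == stored)
```

The point of `new_salted_record` is that two users with the same password, or the same user on two sites, get different digests, so nothing a lookup service has precomputed applies.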
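The last enumeration step depends on the module installer unpacking whatever the admin uploads into a directory the web server executes. As an added defensive illustration (my own Python, not Pluck's installer), here is the kind of check an installer can run on an uploaded archive before extracting anything: refuse server-executable file types, .htaccess overrides, path traversal, and oversized content. The sample archives are constructed in memory.

```python
import io
import posixpath
import zipfile
from typing import Dict, List

# File types the web server would execute if they landed under the document root.
EXECUTABLE_EXTENSIONS = {".php", ".php3", ".php4", ".php5", ".php7", ".phtml", ".phar"}
MAX_ENTRIES = 200
MAX_TOTAL_UNCOMPRESSED = 5 * 1024 * 1024  # guard against zip bombs


def archive_problems(data: bytes) -> List[str]:
    """Inspect an uploaded module archive without extracting it and return every
    reason it should be refused (an empty list means it passed these checks)."""
    problems: List[str] = []
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return ["not a valid zip archive"]
    with zf:
        infos = zf.infolist()
        if len(infos) > MAX_ENTRIES:
            problems.append(f"too many entries ({len(infos)})")
        total = 0
        for info in infos:
            name = info.filename
            parts = name.split("/")
            # Reject absolute paths, Windows separators/drive letters and any '..'
            # component, so extraction cannot escape the module directory.
            if (name.startswith("/") or "\\" in name or ".." in parts
                    or (len(parts[0]) >= 2 and parts[0][1] == ":")):
                problems.append(f"unsafe path: {name!r}")
            base = parts[-1].lower()
            # An .htaccess can change handlers or re-enable script execution on Apache.
            if base == ".htaccess":
                problems.append(f"web server config override: {name!r}")
            if posixpath.splitext(base)[1] in EXECUTABLE_EXTENSIONS:
                problems.append(f"server-executable file: {name!r}")
            if not info.is_dir():
                total += info.file_size
        if total > MAX_TOTAL_UNCOMPRESSED:
            problems.append(f"uncompressed size {total} exceeds limit")
    return problems


def is_safe_module_archive(data: bytes) -> bool:
    return not archive_problems(data)


def build_archive(entries: Dict[str, str]) -> bytes:
    """Helper to construct sample archives in memory for the demo."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content in entries.items():
            zf.writestr(name, content)
    return buf.getvalue()


# Constructed samples: a harmless module, one carrying a PHP file, one using
# path traversal, and one carrying an .htaccess.
BENIGN = build_archive({"demo/module_info.txt": "name: demo", "demo/style.css": "body {}"})
PHP_INSIDE = build_archive({"demo/module_info.txt": "name: demo",
                            "payload.php": "<?php echo 'placeholder'; ?>"})
TRAVERSAL = build_archive({"../../index.html": "<html></html>"})
HTACCESS = build_archive({"demo/.htaccess": "# constructed"})

if __name__ == "__main__":
    for label, sample in [("benign", BENIGN), ("php", PHP_INSIDE),
                          ("traversal", TRAVERSAL), ("htaccess", HTACCESS)]:
        print(label, "->", archive_problems(sample) or "accepted")
```

Even with such a check in place, the root cause on this box is upstream of the installer: the admin credential was recoverable from an exposed config file, and an authenticated admin is trusted to install code by design.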
PRIVILEGE ESCALATION
--------------------
1. Once I've maintained access to the user shell, I go to the user directory, where I found a user with the name "junior".
2. Doing some privesc, I typed "su junior" to gain some privileges. Then I found user!!!
3. I also found an interesting file named "Using OpenVAS.pdf".
4. Once I opened the PDF file, I noticed what seems to be the password for root, but sadly it was pixelated.
5. While searching on Google for a fix, I came across a tool on GitHub called "Depix" (https://github.com/spipm/Depix).
6. Using the pdfimages tool, I was able to extract the image from the PDF as a .png:
pdfimages -all Using\ OpenVAS.pdf 'img'
7. Using the command
python3 depix.py -p ../extracted_image.png -s images/searchimages/debruinseq_notepad_Windows10_closeAndSpaced.png -o ./depixed.png
I was able to depixelate the image.
8. Using SSH and logging in with the password, I finally gained access to root!!!
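The pixelated root password is the lesson of this box for anyone who produces documents: pixelation is a deterministic filter applied to a rendering, not redaction, so any guess that renders to the same mosaic can be confirmed, which is what Depix automates with its search image. The Python below is an added illustration (not Depix's code) using a constructed toy font and a 2x2 mosaic that happens to be lossless, so the leak is obvious; real fonts and larger blocks make the mapping lossy, which is why Depix needs a search image rather than exact matching, but lossy is not the same as safe. Solid fill, by contrast, maps every candidate to the same output.

```python
from typing import Callable, List

Image = List[List[int]]  # grayscale rows, 0 = black, 255 = white

GLYPH = 4  # every character renders into a GLYPH x GLYPH cell (constructed toy font)
BLOCK = 2  # pixelation block size used throughout


def render(text: str) -> Image:
    """Constructed toy font: each character becomes a 4x4 cell made of four 2x2
    blocks, and block k lights ((ord(c) >> 2k) & 3) of its pixels. A real font is
    far more complex, but the property that matters is the same: rendering the
    same text always produces the same pixels."""
    width = GLYPH * len(text)
    img = [[0] * width for _ in range(GLYPH)]
    for j, ch in enumerate(text):
        for k in range(4):
            lit = (ord(ch) >> (2 * k)) & 3
            top, left = (k // 2) * BLOCK, j * GLYPH + (k % 2) * BLOCK
            for p in range(lit):
                img[top + p // BLOCK][left + p % BLOCK] = 255
    return img


def pixelate(img: Image, block: int = BLOCK) -> Image:
    """Standard mosaic filter: replace every block x block tile by its integer mean."""
    out = []
    for r in range(0, len(img), block):
        row = []
        for c in range(0, len(img[0]), block):
            tile = [img[r + dr][c + dc] for dr in range(block) for dc in range(block)]
            row.append(sum(tile) // len(tile))
        out.append(row)
    return out


def solid_redact(img: Image) -> Image:
    """Proper redaction: every pixel of the region becomes the same value, so
    nothing about the underlying rendering survives."""
    return [[0] * len(row) for row in img]


def recover_candidates(redacted: Image, candidates: List[str],
                       redactor: Callable[[Image], Image]) -> List[str]:
    """The check a reviewer can run on their own redaction: render each candidate,
    apply the same filter, and see which ones reproduce the redacted region.
    A safe redaction leaves every candidate indistinguishable."""
    return [c for c in candidates if redactor(render(c)) == redacted]


if __name__ == "__main__":
    # Constructed candidate list; "letmein" plays the role of the hidden value.
    candidates = ["hunter2", "letmein", "secret1"]
    mosaic = pixelate(render("letmein"))
    print("pixelated region matches:", recover_candidates(mosaic, candidates, pixelate))
    black = solid_redact(render("letmein"))
    print("solid-fill region matches:", recover_candidates(black, candidates, solid_redact))
```

The mosaic narrows three candidates to one; the solid fill cannot tell them apart. Larger blocks in a real document reduce how much each tile reveals, but as long as the filter is deterministic and the text length and font are guessable, the comparison above still works as a ranking, which is why the only safe redaction is one that removes the pixels rather than blurring them.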