GreenHorn HTB Walkthrough

 Welcome to another Hack The Box walkthrough. In this walkthrough, I have documented how I pwned the GreenHorn machine on Hack the Box. Hack The Box is a cybersecurity platform that helps you bridge knowledge gaps and prepares you for cyber security jobs. You can also test and grow your penetration testing skills, from gathering information to reporting. If you are new to this blog, please do not forget to like, comment and subscribe to my YouTube channel and follow me on LinkedIn for more updates.

About the Machine

The Hack The Box (HTB) machine "Greenhorn" is an easy-difficulty CTF challenge designed for beginners to practice their cybersecurity skills, involving finding two hidden flags (user and root) on the target system. GreenHorn is an easy level machine that takes advantage of an exploit in Pluck to achieve Remote Code Execution and then demonstrates the dangers of pixelated credentials. The machine also showcases that we must be careful when sharing open-source configurations to ensure that we do not reveal files containing passwords or other information that should be kept confidential.

The first step in solving this machine is to sign in to your Hack the Box account on your Kali Linux virtual machine. I logged into my Hack the Box account inside the Firefox browser on my Kali Linux, then I downloaded the .ovpn file and renamed it to greenhorn.ovpn. Then I created a directory on my desktop called GreenHornHTB and moved the greenhorn.ovpn file into it.

Next, I opened my terminal in the folder and ran the following command to establish a connection between my Linux terminal and Hack the Box server. Once the connection was successful, I opened my Kali Linux terminal and ran the following commands to connect my terminal with Hack the Box:

sudo openvpn greenhorn.ovpn

After successfully connecting my Kali Linux machine to HTB server, I navigated to the “Machine” tab and clicked on Greenhorn. My target machine was assigned an IP address of 10.10.11.25.

The next step was performing enumeration using nmap to find all open ports on the target machine, therefore I used the following command to scan for open ports:

nmap -sV -Pn -T5 -vvvv greenhorn.htb

I found three open ports: 22/tcp, 80/tcp and 3000/tcp

The next step was adding greenhorn.htb to the /etc/hosts folder by running the following command:

sudo nano /etc/hosts

To exit the GNU interface, simply hold “Ctrl + X” and press “Y” and “Enter” on the keyboard to save and exit from the GNU editor. Next, I navigated to my Firefox browser and visited 10.10.11.25 or greenhorn.htb and the following output was gotten from my visit.

Unfortunately, I couldn’t find anything that could be useful in pwn-ing this machine on this website. So, I performed subdomain enumeration using gobuster to find hidden webpages by running the following command:

gobuster dir -u http://greenhorn.htb:3000/ -w /usr/share/wordlists/dirb/common.txt -t 50 | tee gobuster.txt

I found the following URL links:

/explore/repos /assers/img/favicon.png /user/login

I edited the URL link on my browser and attach a port number as a suffix to the greenhorn.htb to become greenhorn.htb:3000 and sends it to the browser.

I was redirected to a new webpage and I clicked on the “Explore” tab to navigate into the directory of the webpage. Here, I found the website's repositories. I will click on GreenAdmin/GreenHorn to list all the files and directories on the website.

I navigated into the following directory in this order: “data” > “settings” > “pass.php”

I found a hash value, copied this and try to crack it. To crack the hash, I visited https://crackstation.net/ and pasted the value of the hash and clicked on the “Crack Hashes” button to start the process. I got the result of the hash to be iloveyou1

Afterward, I navigated back to the root directory of the GreenAdmin/GreenHorn webpage, and there I found a login.php page. I tested this by editing the url of the greenhorn.htb website by adding /login.php extension and found out that there’s a login page. I passed the value of the cracked hash (iloveyou1), and I could successfully log in to the website.

Looking at the bottom left corner of the page, I found the website was running on pluck 4.7.18. I searched exploitDB for vulnerabilities associated with this version, and I found out that there is a remote code execution exploit that allows potential attackers to upload malicious file in zip format on the website.

Once I am signed in, I visited pentest monkey github page to download a PHP reverse shell file and edit the IP address and port number of the reverse-shell.php file to my desired value.

I edited the value of the IP address of reverse shell to my machine IP address and pick a random four-digit port number (I prefer to use 4444). To get the IP address of my machine, I ran the ifconfig command and here is what I got:

So, I edited my reverse-shell.php configuration to:

After editing the reverse shell, I zipped the file by using the following command:

zip reverse-shell.zip reverse-shell.php

This created a reverse-shell.zip file, which I will try to upload to the website.

Before that, I set up a netcat listener on my terminal to get a reverse shell.

Next, I navigated to the option section on the website and clicked on “manage modules” and clicked on “install a module”. This displayed a webpage where I can upload a file. So, I uploaded the reverse-shell.zip file I have on my machine and got a reverse shell response.

I got the reverse shell response at port 4444, to stabilize the shell, I ran the following command:

python3 -c 'import pty;pty.spawn(“/bin/bash”)'

After stabilizing the shell, I changed the directory to home and list all the files/folders in it. Next, I tried to change the current user to junior by running the super user command:

su junior and I was prompted to type a password, I used iloveyou1 and I got the shell as junior@greenhorn:/home$

I changed the directory to the root folder to get the user.txt file and I run the following command to read the file:

cat user.txt

I got the user flag. Next, I tried to find the root flag!!!

To solve the root flag. I created a new file called openvas.pdf from ‘Using OpenVAS.pdf’ by running the following command:

After the file has been successfully created, I established an http server on port 3333 to copy the file from the shell to my machine by running the following command:

mv 'Using OpenVAS.pdf' openvas.pdf

python3 -m http.server 3333

I opened a new terminal and ran the following command to get the connection for junior@greenhorn:~$

wget greenhorn.htb:3333/openvas.pdf

This copied the openvas.pdf file to the directory I opened my terminal at.

Next, I opened the pdf file to view the content. In the pdf, a section to the file was blurred and this contains a secret text which is the password to get the root flag. To view the content of the blurred part, I uploaded the file to https://tools.pdf24.org/en/extract-images, a website for extracting embedded images in pdf files.

I uploaded the PDF file and click on the extract file button and a new zip folder containing the blurred image will be downloaded on my machine. To read the content of the blurry image, I cloned a git hub repository called Depix.

To unzip this file, I ran the following command:

unzip openvas.zip

I opened the image and as you can see, the images is blurred, so we need to make it clear by using the Depix tool available on GitHub. To clone the repository, I ran the following command in the my Kali Linux terminal:

git clone https://github.com/spipm/Depix

After cloning the repository, I changed the current directory to Depix and ran the following python command to generate a new clear image:

python3 depix.py \ -p /home/boltech/Downloads/0.png \ -s images/searchimages/debruinseq_notepad_Windows10_closeAndSpaced.png \ -o /home/boltech/Downloads/output.png

This generated a new image titled “output.png” in my Downloads directory, and then I opened this image and found the secret message hidden in it. The content of the message is:

sidefromsidetheothersidesidefromsidetheotherside

This is the root user's password. So, let’s test it to see if we will get the root shell!

I performed the reverse shell operation one more time by listening to port 4444 while I upload the reverse-shell.zip file on the greenhost.htb website.

I uploaded the reverse-shell.zip while listening to port 4444 and this will get the reverse shell. To stabilize the shell, I will use the python3 -c ‘import pty;pty.spwan(“/bin/bash”)’ command.

Once the reverse shell is stable, I will try to change the user to root by running the following command:

su root

Finally I got the root flag!!!

If you enjoy reading my writeup and would want to get notification as soon as I make a new writeup, do not forget to subscribe to my YouTube channel and follow me on my other social media accounts. Thank you.

Subscribe to my YouTube channel: https://www.youtube.com/@BoltechTechnologies1

Download my writeup here: https://drive.google.com/file/d/19hWEBgIpfsx-reOiMSZQpw3bOANGX-uZ/view?usp=sharing

Follow me on LinkedIn: https://www.linkedin.com/in/isiaq-ibrahim-468588156/

Follow me on Twitter: https://x.com/BoltechNG

Follow me on Medium: https://medium.com/@ibrahimbolaji50.ib 

This walkthrough was first published on Medium in July 27, 2024, but was pulled down by Hack The Box and Medium. The reason was: I uploaded a spoiler which is in violation of the terms and agreement of Hack the Box. The walkthrough had 208 views and 174 reads on Medium and 6,299 views on YouTube.