- I start with a scan of the open ports:
nmap -p- --open -vvv -sS --min-rate 5000 -Pn 10.10.11.25 -oG scan

- I continue with a scan of the versions and technologies running on the open ports we found (the port list is comma-separated):
nmap -p22,80,3000 -sCV 10.10.11.25 -oN ports

- I find the domain greenhorn.htb and add it to the /etc/hosts file.
- I look at what technologies the website is using:
whatweb http://greenhorn.htb/


- I find a login panel and little else. I look at the other site, on port 3000, and see that it is running Gitea.
- Looking at the GreenHorn repository files I find a hash, apparently SHA-512. When I run it through CrackStation it tells me that the plaintext password for this hash is iloveyou1.
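As an added example (not part of the original writeup), a small Python check of the kind a repository owner could run before pushing: it finds 128-hex-character tokens in a file, treats them as unsalted SHA-512 digests (as the page indicates, since CrackStation resolved the hash directly), and compares them against a short list of known-weak passwords. The config line and the weak-password list are constructed here, and the digest is generated inline so the script runs offline.

```python
import hashlib
import re
from typing import Dict, List

# A SHA-512 hex digest is exactly 128 hex characters.
SHA512_HEX = re.compile(r"\b[0-9a-fA-F]{128}\b")

# Constructed mini weak-password list for the demo; a real check would use a
# large list such as the ones password-audit tools ship with.
WEAK_PASSWORDS = ["password", "123456", "iloveyou1", "admin"]


def find_sha512_hashes(text: str) -> List[str]:
    """Return every 128-hex-character token in the text (candidate SHA-512 digests)."""
    return [m.group(0).lower() for m in SHA512_HEX.finditer(text)]


def match_weak_passwords(hashes: List[str], wordlist: List[str]) -> Dict[str, str]:
    """Map each digest to the weak password it equals, assuming unsalted SHA-512."""
    lookup = {hashlib.sha512(p.encode()).hexdigest(): p for p in wordlist}
    return {h: lookup[h] for h in hashes if h in lookup}


def audit_repo_file(text: str, wordlist: List[str] = WEAK_PASSWORDS) -> Dict[str, str]:
    """Digest -> weak password, for every committed digest that is a weak password."""
    return match_weak_passwords(find_sha512_hashes(text), wordlist)


# Constructed sample: a PHP config line holding a password digest, in the style of
# what the writeup found in the repository. The digest is generated here so the
# example is self-contained.
SAMPLE_PASS_PHP = (
    "<?php\n$ww = '" + hashlib.sha512(b"iloveyou1").hexdigest() + "';\n?>"
)

if __name__ == "__main__":
    for digest, pw in audit_repo_file(SAMPLE_PASS_PHP).items():
        print(f"weak credential committed: sha512({pw!r}) = {digest[:16]}...")
```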


- With this password, and after looking up the Pluck version, I find a vulnerability that allows RCE: Pluck v4.7.18 - Remote Code Execution (RCE).
- I use this exploit to get a reverse shell and manage to log in as www-data.

- I see that a junior user exists. In the junior directory I find a PDF that I can read; I copy it to my machine and open it.

- I find a blurred (pixelated) password. After searching for tools that can reverse this I find Depix.

- To this tool we pass an image of the blurred region we want to reverse, extracted with pdfimages, together with one of the sample search images it ships with. After trying several combinations I get an image in which the password can be read. We try “sidefromsidetheothersidesidefromsidetheotherside” and now we are root and can read the second flag.
apt-get install poppler-utils
pdfimages Usin.pdf output.png
python3 depix.py -p /home/rufo/Downloads/output.png-000.ppm -s images/searchimages/debruinseq_notepad_Windows10_closeAndSpaced.png

