HackTheBox - Greenhorn
Key Takeaways
The video demonstrates how to exploit vulnerabilities in Pluck CMS and gain root access on the Greenhorn HackTheBox machine, utilizing tools like dpix, burp_suite, and hashcat to recover passwords and execute code, with a focus on ai safety and security basics.
Full Transcript
what's going on YouTube this is ipag I'm doing greenhorn from hack the box which was a relatively easy machine but the root step could be tricky because it's very particular how you perform each step the user steps straightforward as just exploting plug CMS and then when you get on the box you discover a PDF that has um like a new higher instructions and there's a password that has been redacted via a pixelize effect and whenever you redact things from a document you should just use a black bar to put over top of the text whenever you use effects like pixelize twirl blur things like that there's always a good chance it can be reversed and that's where the tricky part comes in there is a tool called dpix that can unpixel this image however you have to extract the image by right clicking on it in the PDF and saving it because if you have extra white space around the pixelized thing it can throw the tool off and then you'll struggle a lot trying to get it working so with that being said let's just jump in as always we're going to start off with an end map so- SCC for default scripts SV enumerate versions - VV for double boost this gives things like the TTL OA output all formats put the end map directory and call it greenhorn and then the IP address of 1010 11125 this can take some time to run so I've already ran it looking at the results we have just three ports open the first one being SSH on Port 22 and the banner tells us it's an auntu server we also have HTTP on Port 80 it Banner tells us it's engine X also running on Ubuntu and the N map script HTTP title tells us it's redirecting us to Green horn. htb so let's go ahead and add this to a host file so do sudo VY host and then we can add 10 10 1125 greenh horn. htb and looking at the other things there's not much else there there is Port 3,000 n map doesn't tell us the protocol however looking at the scripts we see a HTTP 400 so we know this is going to be a web server and looking at the cookies it tries to set we see iite g t which is um a source code repository kind of like GitHub so you know Port 3000 has a source code repository Port 80 is redirecting us to um greenh horn. HTP so let's go take a look so we'll do HTTP 1010 11.25 and we get a welcome to greenhorn page and looking at the photo we see it's powered by pluck which is a Content management system I think we've covered it once before I click on this admin it takes us to log into PHP and wants a password to log in we see it is pluck version 4718 so let's go take a look for any type of exploit so I'm just going to Google pluck 4718 exploit and let's see there is remote shell upload code execution if we go to the actual cve page let's see does this say anything um this is does not restrict failed login so that's not related to the Shell upload um let's see local file inclusion looking at this let's see lfi affected component data modules album get image.php so let's try this um honestly when I was soling the box I didn't come across the cve so this is going to be live I haven't tried this yet so I'm going to send this over to burp suite and let's just see exactly what happens here so intercept is on oh actually looking at this I think this is um the pluck cve we did on a previous box looking at the git image um if I remember correctly this local file inclusion it hard codes to a specific directory um I forget exactly what box that was but I bet if we looked into this um it goes to settings modules albums yes this is hard coding into a directory right album P I wonder if we can go there so data settings modules um I'm going to go check this out real quick if we do data settings modules for bidden it goes to albums and that just redirects us so there's no like index.php there um album P they have a pass backup file and that's not going to exist here so I'm just going to move on to the next one let's see if we look at the remote code execution uh it wants a zip file it does have a login so this is going to be uploading a zip to what's the upload URL it looks like it's going to install a module so this is like adding a plugin to pluck in order to get code execution but we need to log in first um we can try the credentials admin bogus so let's go back here we can do Boggus uh password's incorrect I think they're trying all three of these K one no they're trying admin user bogus password okay so we need to get the actual password here um we could keep looking down pluck but I do want to go look at exactly what was on Port 3000 before I go too far down one Rabbit Hole so let's do HTTP greenhorn htb Port 3000 and we get the g t interface we could register for an account but if we just click on explore let's see what we have we do have a repository from Green admin green horn there is one commit that commit is from the user Junior so we have a user on this box and it's the first release of their source code and looking at this it looks like to be pluck so right now I just want to see if this is the files on the server or this is just like a source code repository the big difference being if they just maintain the files on the server in GitHub then all the settings are going to be also in GitHub and if that happens well there's going to be like hardcoded credentials right so I went in data went in settings now I'm looking for like config pass. PHP looks interesting and we have this dubdub variable which I'm guessing is the password since it's pass. PHP so in reality um whenever you do things like this pass. PHP probably should be in a get ignore file and should be like pass. php. example or something and just have dummy data here and that way you just never um upload this file to your server the other common way to do it is through environment file uh files so like EnV and then don't putv on um GitHub so let's see exactly what hash this is so I'm going to do eo-n wc- c for a word count 128 I want to say that maybe sha 256 um let's just test this out so if we do sha 256 sum a print one and let's see let's just copy this or we can just do a wc- c again um 65 so that's going to be 64 characters let's do a sha 512 sum and that's what it is so we have a sha 512 hash so we could try to go to hashcat and try to crack this but whenever I just get a raw hash that doesn't have any salt Tang or um bcrypt or anything like that I always just go to like crackstation and then test it out first to see if it's um already known is it crack station. net maybe yes it is so we can paste this hash in tell it I'm not a robot and then click some with motorcycles okay uh crack hash not found is that the hash I don't think it is I think I copied yeah I was going to say that didn't look like um the right number of characters let's see fire hydrant okay that should be good I'm still not a robot that's always good and we get the password of I love you one so let's try log in so we can do password I love you one and we get logged into pluck and then the cve or the upload script was installing a malicious module and it wanted a zip file so I'm just going to make a quick um module real quick I'm going to do makeer let's do shell and then we can go in Shell create shell. PHP and then just do a quick PHP oneliner of system then request we'll do CMD like this that looks fine and let's zip it up so we'll do zip shell we need to add- R for recursive so it um goes in the folder give it the file name of shell. Zip There we go and let's see we want to go to modules add module to website that doesn't look right uh options manage module install a module browse and let's go to our greenhorn directory and if this didn't work then I'd start um looking at the green hord s source code to identify like what format a module needs to be in but we just see it got installed so I bet if we went to SL data um is it modules then shell and then shell. PHP there we go we have a shell so if we do CMD equals who am I we have dubdub duub data so let's get a reverse shell real quick if you're curious how I knew um this data structure we were just looking at it in the um g t instance so if we do Green hord htb 3000 let me turn burp Suite off you can kind of see how it works you could also look at that um exploit proof of concept that I had up a minute ago but if we look here we have data see then modules and I just assumed when you install a module it unzips it to this directory right but right now what we want to do is get this command over in burp Suite so we can change it over to a post request easily that just makes it easier for us to send the reverse shell you can do it through the get request but there's more bad characters and it just makes it a bit of a pain right so we're going to put the reverse shell syntax in then we want to URL encode it and hope I can type and talk at the same time as we start up our listener send the code internal server error so I don't think we did that correctly um let's see CMD is equal to who am I no input file found um what disable let's try installing the module again maybe there's some type of um automated task that cleaned out the module or something that is odd install let's go to shell. zip upload dubdub dub data okay that does work I think I lost the uh reverse shell so let's just type type that again Dev TCP 101048 91 see b c b-i and internal server error did that really just happen again okay so we going to try this one last time if I don't get into time then we're just going to upload a PHP script that immediately gives us a reverse shell because something is not going well f z f-i i don't have a and single quote there we go so now let's do a python 3-c import PTY PTY spawn P bash and then stty raw minus Echo foreground and or twice again export term is equal to X term and that enables us to clear the screen so let's see what do we have if we um well normally my first step is like dumping the database and um getting the password there but we've already got the password to pluck there is no database I think because pluck is like a filebase CMS so oh there is a database we have 3306 listening um let's see how do we get to that password my SQL let's do- P I love you one access denied for that user let's see it w be under settings right data settings- R my SQL let's see 3306 username but if I do let's just do dubdub okay that gets that so I don't think that database is really configured with pluck um I don't know exactly what that is 3306 isn't really in pluck let's see requirements pluck does not yeah so it's saying pluck does not use MySQL so we shouldn't find the MySQL password there if we go cat Etsy pass WD GP for everything that ends in sh we have a few users we have root get and Junior um we can try the password I love you with for these users so if you do su get and then I love you one and that fails we could try Junior I love you one and that does work so we can um get access as Junior I still don't know exactly what my sequel is for um normally when I switch users I like just um getting a SSH session and like getting a better shell that way so we can do sh junr greenh horn. htb accept that but SSH configured to only allow public keys so if we wanted to SSH we could make the directory SSH and then um use a public key to log in but let's see what do we have um we have this open vast. PDF so let's get that over to a box so I'm going to start up another netcat list on ort 901 and I'm just going to call it open v.pdf because I hate adding that space there we can C it and then direct it to Dev TCP 101048 91 to send the file and then I can just open it up and we can see so we get hello Junior we have recently installed open VAs on a server to monitor identify potential vulnerabilities currently only root user represented by myself has authorization and they give this and then they say enter password and give this D pixel U this pixelated output and whenever you're trying to censor something in documents don't get fancy don't do any type of um filter like a blur a pixel image a twirl because a lot of times you can actually reverse these it may not look like you can but if we do a quick Google let's see if we can find anything quickly um D pixelize image I'm going to add GitHub to it to see if there's pre for Concepts here we go we have a script called deix and when you try to censor things it's best to just put like a solid color like a solid black box over top of the image um let's see so if we do dpix we give it the image we give it the um de Brun sequence I think that's how you pronounce it I don't know exactly but we can look at that essentially all this is going to do is it takes one of these big images um let's do this which is all the characters right and then it's going to blur it like pixelize the image and it's going to try to cut each pixelize of your image one by one and then it sees where it's most alike on this image that's blurred and then that's how it um identifies it it's kind of like those known plain text crypto attacks right um there's a lot of just data loss here so you may think we can't recover it but if we knew the image that it's started from then there's a potential the amount of data loss doesn't matter right because this block right here may only get generated for from a capital H the way these colors are set right so that's all this attack is doing it's going to um cut the text up in small bits and then see where it collides with on a pre-computed um sample so let's go ahead and try this out I'm going to um clone this so let's do a get clone on dpix we have the library now we want to get the pixelized image so I'm going to right click here I'm going to save image as and we'll go htb green horn I'm going to put it in the dpix directory I just created I'm going to call it blur. PNG now it's very important that you put PNG as the extension because dpix is going to work with pngs if you do jpeg it's actually going to create a JPEG image which is pretty cool um I didn't know it could do that I'm going to show you real quick if we just do save image as let's do htb greenhorn dpix blur. jpeg right and if we go in here we have two blurs if we md5 on both of them hopefully they're different right um I always thought like when you had this PDF and you right click and save it it was just extracting this element and it wasn't doing any conversion of its own but it looks like it's doing some type of conversion here if we do a file on it it's going to identify one's a JPEG one's a um PNG I know what you're thinking maybe it's just doing that because the extension so we can xxd head-1 I thought that would get what blur. jpeg let's just do them head-1 like this and we can do PNG and we see the headers are completely different so there is some type of processing being done when we export the image by right clicking on it however now we have um the password or the pixelized image what we want to do now is run dpix so we give dpix dopy we specify the Blurred image then we do um the search images and give it an example of what we think the character set could be and then a output so we'll do Python 3 dpix dopy blur. PNG we need do what was the first argument d p- s is going to be the search images um let's do the one they use first okay and then - o we'll do output.png and let's see cannot identify file image what file blur PNG oh maybe it is the same image uh hold on one second when I was doing some bash Fu I guess um I clobbered the file that's embarrassing save image HGB greenhorn dpix blur PNG yes replace it so now if I do file blur PNG we have to go in dpix that is a PNG image that does say PNG the jpeg was different so now let's run the python script again and that looks better okay so right here it is um creating all the blocks which is like building all the text and it's going to take a couple minutes because identifies right um it's like let's see imagine like a line gets drawn down here my cursor is going and goes okay what character produces these blocks right that's essentially how it works um there is a blog post so the DW sequence that is going to be what we talked about that's just the big image that has everything um let's see there is this let's see where is it author Dan Pedro write up Source okay this is good I was hoping there was a blog post from this author that I could find here it is so I would recommend reading this because that's going to explain kind of what we did how it kind of breaks it up um like when it's doing the pixelization we takes the smiley fa face breaks it up to quadrants and then we have this and if we knew it started from this there's a chance we can reconstruct it right um that's that sequence here is how it's doing that little search um this is not the post I was looking for actually there was one that said like this tool it's kind of hard to use in the wild because you have to be um like know the font know the size and have all that working beforehand right and then that's where Bishop Fox had created this tool un redactor which should do a better job but I had trouble um running it but if you want to learn more about depel images highly recommend going to this blog post and watching this video where um Bishop Fox will talk about it this is a good way to do it it just doesn't work for this challenge I don't know why it doesn't work for this challenge I'm sure if we tweaked it and like got the font and everything correctly um we could get it working I would show it but also um the unredacted proof of concept requires a GPU which doesn't play well with my VM so it's a pain to show in the video anyways but I did want to talk about this so if you're trying to dep pixelize an image and you're having trouble getting dpix to work this is something I would check out right but we have this now finished so if I do open output.png we see an image and it says side from side the other side side from side the other side so that is the password they're do using with pseudo so I'm going to try that real quick so we can do s- side from side the other side side from side the other side and there we go we log in and I didn't put any spaces there so it's just side um what was it side from side the other side without any spaces and that gets us um rout so that's going to be the box but before we end the video I have one last question what was my SQL used for because we saw it as dubdub dub data listening and then we tried to look for the password and pluck and couldn't find it and as root we can generally just access my SQL so we can just do type my SQL and we get logged in so we can do show databases and oh get T I forgot there were two web servers on this box right uh one was get t one was pluck so g t is what's using my SQL I bet if we do like select star from is it user there we go we could get the password hash here um if we do let's see describe user I think it's right there yeah um let's see what is it probably name pass WD and hash algorithm probably so we can do select name p WD from user if I don't have the algorithm we just get the hash right if we want add the hash algo there we go this is looking like it is so I'm guessing if we went to hashcat we'd crack something like um this right that's normally what they look like but we don't really care about that what I care about could I have accessed this from dubdub duub data right so let's find out exactly where G is storing the config if we go Etsy engine X let's do sites enabled uh looks like it's not here it's not part of engine X let's see I'm going to GP for 3,000 in this Etsy and let's see we see it in oh there's a get t so if we go in Etsy get T we can cat app. and let's see is this where my SQL password is app name my SQL yes it is so we have root and there's the root password for G T um so the question is what is the permission of this file and only the git user can read right to it and I don't think dubdub duub data was actually a member of G so if we do exit twice we're back here if we do group it's probably groups to list our groups data um Etsy get T permission Deni so we can't go in and read um app and I to get the password so that's going to wrap the video hope you guys enjoyed it take care and I will see you all next time
Original Description
00:00 - Introduction
02:14 - Discovering Pluck CMS, getting the version then looking for exploits
05:44 - Finding Pluck's password in Gitea (iloveyou1)
08:33 - Logging into pluck and uploading a php shell as a module
13:00 - Shell returned on the box
15:00 - Trying iloveyou1 as the password for junior and discovering a PDF
16:30 - Talking about why pixelation is a bad way to censor/redact things and finding Depix on GitHub
20:30 - Running Depix
25:20 - Trying the password as the root and getting in
Watch on YouTube ↗
(saves to browser)
Sign in to unlock AI tutor explanation · ⚡30
Playlist
Uploads from IppSec · IppSec · 0 of 60
← Previous
Next →
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
HHC2016 - Analytics
IppSec
HackTheBox - October
IppSec
HackTheBox - Arctic
IppSec
HackTheBox - Brainfuck
IppSec
HackTheBox - Bank
IppSec
HackTheBox - Joker
IppSec
HackTheBox - Lazy
IppSec
Camp CTF 2015 - Bitterman
IppSec
HackTheBox - Devel
IppSec
Reversing Malicious Office Document (Macro) Emotet(?)
IppSec
HackTheBox - Granny and Grandpa
IppSec
HackTheBox - Pivoting Update: Granny and Grandpa
IppSec
HackTheBox - Optimum
IppSec
HackTheBox - Charon
IppSec
HackTheBox - Sneaky
IppSec
HackTheBox - Holiday
IppSec
HackTheBox - Europa
IppSec
Introduction to tmux
IppSec
HackTheBox - Blocky
IppSec
HackTheBox - Nineveh
IppSec
HackTheBox - Jail
IppSec
HackTheBox - Blue
IppSec
HackTheBox - Calamity
IppSec
HackTheBox - Shrek
IppSec
HackTheBox - Mirai
IppSec
HackTheBox - Shocker
IppSec
HackTheBox - Mantis
IppSec
HackTheBox - Node
IppSec
HackTheBox - Kotarak
IppSec
HackTheBox - Enterprise
IppSec
HackTheBox - Sense
IppSec
HackTheBox - Minion
IppSec
VulnHub - Sokar
IppSec
VulnHub - Pinkys Palace v2
IppSec
HackTheBox - Inception
IppSec
Vulnhub - Trollcave 1.2
IppSec
HackTheBox - Ariekei
IppSec
HackTheBox - Flux Capacitor
IppSec
HackTheBox - Jeeves
IppSec
HackTheBox - Tally
IppSec
HackTheBox - CrimeStoppers
IppSec
HackTheBox - Fulcrum
IppSec
HackTheBox - Chatterbox
IppSec
HackTheBox - Falafel
IppSec
How To Create Empire Modules
IppSec
HackTheBox - Nightmare
IppSec
HackTheBox - Nightmarev2 - Speed Run/Unintended Solutions
IppSec
HackTheBox - Bart
IppSec
HackTheBox - Aragog
IppSec
HackTheBox - Valentine
IppSec
HackTheBox - Silo
IppSec
HackTheBox - Rabbit
IppSec
HackTheBox - Celestial
IppSec
HackTheBox - Stratosphere
IppSec
HackTheBox - Poison
IppSec
HackTheBox - Canape
IppSec
HackTheBox - Olympus
IppSec
HackTheBox - Sunday
IppSec
HackTheBox - Fighter
IppSec
HackTheBox - Bounty
IppSec
More on: AI Security
View skill →Related Reads
Chapters (9)
Introduction
2:14
Discovering Pluck CMS, getting the version then looking for exploits
5:44
Finding Pluck's password in Gitea (iloveyou1)
8:33
Logging into pluck and uploading a php shell as a module
13:00
Shell returned on the box
15:00
Trying iloveyou1 as the password for junior and discovering a PDF
16:30
Talking about why pixelation is a bad way to censor/redact things and finding
20:30
Running Depix
25:20
Trying the password as the root and getting in
🎓
Tutor Explanation
DeepCamp AI