GreenHorn writeup
Box name: GreenHorn
Difficulty: Easy
OS: Linux
Overview: GreenHorn is an easy difficulty machine that takes advantage of an exploit in Pluck to achieve Remote Code Execution and then demonstrates the dangers of pixelated credentials. The machine also showcases that we must be careful when sharing open-source configurations to ensure that we do not reveal files containing passwords or other information that should be kept confidential.
Link: https://app.hackthebox.com/machines/GreenHorn?sort_by=created_at&sort_type=desc
Machine IP: 10.129.2.123
Ran rustscan against the machine.
rustscan -a 10.129.2.123 --ulimit 5000 -b 2000 -- -A -Pn

Checked out port 80. Added greenhorn.htb to /etc/hosts.

It looks like this site runs on Pluck. Ran feroxbuster and vhost fuzzing with ffuf.
feroxbuster -u http://greenhorn.htb -w /usr/share/seclists/Discovery/Web-Content/raft-large-words.txt -x php,html,txt,bak,zip,json,xml,py,sh,config --force-recursion -t 50 -d 4 --filter-status 404,400
ffuf -u http://greenhorn.htb -H "Host: FUZZ.greenhorn.htb" -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-110000.txt -c -fc 302
Feroxbuster found a few things. /login.php looks most interesting.

We got a version: Pluck 4.7.18. This is vulnerable to EDB-ID 51592 for RCE, https://www.exploit-db.com/exploits/51592. I have no creds yet and there doesn't appear to be anything else here. Checked out port 3000 and it's a Gitea service, version 1.21.11.

I haven't seen this before, so I clicked around, and in Explore it shows it's connected to the other site.

Clicked around the repository.

I ended up finding a hash after poking around.

Looks like it’s SHA-512. Tried cracking with hashcat.
hashcat -m 1700 hash.txt /usr/share/wordlists/rockyou.txt

Iloveyou1
Now that we have a password, I found a prewritten PoC: https://github.com/Rai2en/CVE-2023-50564_Pluck-v4.7.18_PoC/blob/main/poc.py.
Read and downloaded the script. Created a shell.php, zipped it, ran the PoC, and we get a shell as www-data.

Read /etc/passwd and there is a user junior.

Tried the same password we already have and it actually worked.

Got user.txt, and there is also a .pdf file in junior's home directory.

To move it to my own device, I base64-encoded it on the box.
cat 'Using OpenVAS.pdf' | base64 -w 0; echo
Decoded it on my machine and wrote it to greenhorn.pdf.
base64 -d decode.txt > greenhorn.pdf
Reading it, there is a password that has been blurred.

Extracted the image from the PDF.
pdfimages greenhorn.pdf imagess
Found a tool to depixelize it: https://github.com/spipm/Depixelization_poc. Tried a bunch of search images and this one worked.
python3 depix.py -p /home/kami/Fknhack/imagess-000.ppm -s /home/kami/Fknhack/Depix/images/searchimages/debruinseq_notepad_Windows10_closeAndSpaced.png -o out.png

I didn’t know what this even meant so I just tried it as a password for root and it worked.


GG
Attack Chain
1 – Reconnaissance
Ran RustScan and identified ports 22 (SSH), 80 (HTTP), and 3000 (Gitea). Added greenhorn.htb to /etc/hosts. Browsed to port 80 and found a Pluck CMS site. Ran feroxbuster and ffuf VHOST fuzzing. Feroxbuster found /login.php which revealed Pluck version 4.7.18.
rustscan -a 10.129.2.123 --ulimit 5000 -b 2000 -- -A -Pn
feroxbuster -u http://greenhorn.htb -w /usr/share/seclists/Discovery/Web-Content/raft-large-words.txt -x php,html,txt,bak,zip,json,xml,py,sh,config --force-recursion
ffuf -u http://greenhorn.htb -H "Host: FUZZ.greenhorn.htb" -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-110000.txt -c -fc 302
2 – Gitea repository and hash extraction
Browsed to the Gitea instance on port 3000 running version 1.21.11. Found it was connected to the main site. Explored public repositories and found a SHA-512 password hash stored in a file. Cracked it with Hashcat using rockyou.
hashcat -m 1700 hash.txt /usr/share/wordlists/rockyou.txt
Password recovered: iloveyou1
3 – Initial Access – Pluck 4.7.18 RCE – CVE-2023-50564 / EDB-51592
Authenticated to the Pluck admin panel with the recovered password. Used a public PoC for CVE-2023-50564 which created a malicious PHP shell, zipped it, and uploaded it through the Pluck module installer to achieve code execution as www-data.
4 – Lateral movement via password reuse
Found a user junior in /etc/passwd. Tried the same password on the junior account and it worked. Retrieved user.txt and found a PDF file in junior's home directory.
Credentials: junior:iloveyou1
5 – Privilege Escalation – depixelation of blurred credentials
Transferred the PDF to the attack machine via base64 encoding and extracted the embedded image using pdfimages. The PDF contained a password that had been pixelated or blurred. Used the Depix tool with a Windows Notepad de Bruijn sequence search image to recover the original plaintext from the pixelated image. Tried the recovered string as the root password and it worked. Retrieved root.txt.
pdfimages greenhorn.pdf imagess
python3 depix.py -p imagess-000.ppm -s debruinseq_notepad_Windows10_closeAndSpaced.png -o out.png
Key Takeaways
- Password hash stored in a public Gitea repository – A SHA-512 password hash was committed to a public repository connected to the production application. Secrets of any kind must never be committed to version control. Implement pre-commit hooks and secrets scanning tools such as truffleHog or gitleaks to prevent credential commits. Audit all repositories for historical secret exposure.
- Pluck 4.7.18 authenticated RCE – CVE-2023-50564 / EDB-51592 (CVSS 8.8 High) – The Pluck CMS version running was vulnerable to a file upload RCE via the module installer. CMS platforms must be kept fully patched and module upload functionality must be restricted to trusted administrators only.
- Password reuse between CMS admin and OS account – The password cracked from the Gitea hash was reused for the junior OS account, turning a repository credential into direct system access. Passwords must be unique across every account and service without exception.
- Pixelation is not a secure method of redacting credentials – The root password was visible in a PDF but obscured using pixelation. Pixelation applied to text with a known font and character set is reversible using publicly available tools. Sensitive information must be redacted by overwriting with a solid color or by removing the content entirely before sharing documents.
- Sensitive PDF stored in a user home directory – The PDF containing a credential hint was accessible after lateral movement to the junior account. Documents containing any credential information must never be stored on general-purpose user accounts and must be handled through a controlled access document management system.
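As an added example (not code from this writeup, Pluck, or Gitea), a minimal pre-commit hook in Python that implements the secrets-scanning takeaway above: it rejects a commit that stages the kind of bare SHA-512 hash found in the GreenHorn repository, along with crypt-style hashes and inline password assignments. Tools such as gitleaks or truffleHog cover far more patterns; this shows the mechanism.

```python
"""Pre-commit hook that rejects commits containing password hashes or secrets.
Constructed example (not code from the writeup, Pluck or Gitea): it flags the
artefact found in the GreenHorn repo, a bare SHA-512 hash, plus related formats.
Install as .git/hooks/pre-commit and make it executable."""
import re
import subprocess
import sys

# Hex lookarounds stop a 64-hex run inside a 128-hex SHA-512 from double-matching.
PATTERNS = {
    "sha512-hex": re.compile(r"(?<![0-9a-fA-F])[0-9a-fA-F]{128}(?![0-9a-fA-F])"),
    "sha256-hex": re.compile(r"(?<![0-9a-fA-F])[0-9a-fA-F]{64}(?![0-9a-fA-F])"),
    "crypt-hash": re.compile(r"\$(?:1|2[aby]|5|6|y|argon2id?)\$[^\s'\"]{8,}"),
    "password-assign": re.compile(
        r"(?i)(?:passw(?:or)?d|pwd|secret)\s*[:=]\s*['\"]?[^\s'\"]{6,}"),
}

def find_secrets(text: str) -> list:
    """Return (line_number, kind, snippet) for every suspicious match in text."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for kind, pat in PATTERNS.items():
            for m in pat.finditer(line):
                hits.append((lineno, kind, m.group(0)[:24] + "..."))
    return hits

def staged_files() -> list:
    """Paths staged for this commit (added, copied or modified files only)."""
    out = subprocess.run(["git", "diff", "--cached", "--name-only",
                          "--diff-filter=ACM"],
                         capture_output=True, text=True, check=True).stdout
    return [p for p in out.splitlines() if p]

def main() -> int:
    blocked = False
    for path in staged_files():
        try:
            with open(path, encoding="utf-8", errors="ignore") as fh:
                text = fh.read()
        except OSError:
            continue  # unreadable path; nothing to scan
        for lineno, kind, snippet in find_secrets(text):
            print(f"{path}:{lineno}: {kind}: {snippet}", file=sys.stderr)
            blocked = True
    if blocked:
        print("commit rejected: remove the secret, then rotate it", file=sys.stderr)
    return 1 if blocked else 0

if __name__ == "__main__":
    sys.exit(main())
```

A non-zero exit from the hook aborts the commit; a hash that has already reached the remote still needs history rewritten and the password rotated, as the remediation section says.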
Remediation
[Immediate] Remove the password hash from the Gitea repository Remove the hash from the repository immediately, rewrite Git history to purge the commit, and rotate the affected password. Audit all other repositories for committed secrets including hashes, API keys, and configuration files. Implement secrets scanning in the CI/CD pipeline and enforce pre-commit hooks across all repositories.
[Immediate] Patch Pluck CMS to remediate CVE-2023-50564 / EDB-51592 (CVSS 8.8 High) Update Pluck to the latest patched version immediately. Restrict access to the admin login page to authorized IP ranges only. If Pluck is not actively maintained upstream, evaluate migrating to a supported CMS alternative.
[Immediate] Enforce unique passwords across all accounts Rotate all passwords where iloveyou1 was reused across the Pluck admin, junior OS account, and any other service. Enforce a policy requiring unique passwords per account and per service. Deploy a password manager for all user accounts and enforce complexity requirements across the environment.
[Immediate] Replace pixelation with proper redaction Audit all shared documents for pixelated or blurred sensitive information and replace with solid color redaction or content removal. Establish a document handling policy requiring that all credentials be removed entirely from documents before sharing and that no password or secret ever appears in a PDF, image, or presentation in any form.
[Short-term] Restrict Gitea repository visibility and audit public repositories Audit all Gitea repositories for public visibility and restrict any that contain internal application code, configuration, or anything linked to production systems. Require authentication to browse repository content and implement branch protection and access controls on all production-related repositories.
[Long-term] Implement a secrets management and developer security training program Establish a policy prohibiting hardcoded credentials and password hashes in all code repositories and documents. Integrate secrets scanning into the development workflow and conduct security awareness training covering credential hygiene, safe document sharing, and the risks of committing sensitive data to version control.