HTB GreenHorn
by Unbutton8074 - Saturday July 20, 2024 at 07:50 PM
#1
Let's go

PORT  STATE SERVICE REASON
22/tcp open  ssh    syn-ack
| ssh-hostkey:
|  256 57:d6:92:8a:72:44:84:17:29:eb:5c:c9:63:6a:fe:fd (ECDSA)
| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBOp+cK9ugCW282Gw6Rqe+Yz+5fOGcZzYi8cmlGmFdFAjI1347tnkKumDGK1qJnJ1hj68bmzOONz/x1CMeZjnKMw=
|  256 40:ea:17:b1:b6:c5:3f:42:56:67:4a:3c:ee:75:23:2f (ED25519)
|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEZQbCc8u6r2CVboxEesTZTMmZnMuEidK9zNjkD2RGEv
80/tcp open  http    syn-ack
|_http-title: Did not follow redirect to http://greenhorn.htb/
| http-methods:
|_  Supported Methods: GET HEAD POST OPTIONS
Reply
#2
I've got a low-priv shell. Haven't figured out how to move to junior yet.

/usr/local/bin/gitea world writeable.
Reply
#3
How did you get the shell? I tried file upload but no success.
Reply
#4
(Jul 20, 2024, 08:25 PM)0xScriptkiddie Wrote: How did you get the shell

Find password in http://greenhorn.htb:3000/GreenAdmin/Gre...s/pass.php
Reply
#5
(Jul 20, 2024, 08:25 PM)0xScriptkiddie Wrote: How did you get the shell? I tried file upload but no success.

Find password hash in gitea. Crack it. Use pluck 4.7.18 exploit to obtain reverse shell.

https://www.exploit-db.com/exploits/51592

Pivoted to junior. You have what you need from an earlier step during the foothold.
Reply
#6
Is the PDF a rabbit hole? Can't find a way to unblur the password.
Reply
#7
(Jul 20, 2024, 09:08 PM)hax0r Wrote: Is the PDF a rabbit hole? Can't find a way to unblur the password.

I'm not sure. junior doesn't have sudo access, and there are no other accounts on the machine that might represent Mr. Green.

The blurred password picture is a BMP file, I think. I extracted it with `pdf2txt.py`.

Also, /usr/sbin/openvas doesn't exist on the system.
Reply
#8
Guys, use this to unblur the passwd; after that, su root .. to get root.txt

https://github.com/spipm/Depix/tree/main

Reply
#9
(Jul 20, 2024, 09:21 PM)osamy7593 Wrote: Guys, use this to unblur the passwd; after that, su root .. to get root.txt

https://github.com/spipm/Depix/tree/main

Yeah, that was funny lol

Not something I usually see in a real pentest xd
Reply
#10
(Jul 20, 2024, 09:21 PM)osamy7593 Wrote: Guys, use this to unblur the passwd; after that, su root .. to get root.txt

https://github.com/spipm/Depix/tree/main

I don't understand how to use this repository to discover the password.
Reply

