Beginner’s Guide to Conquering Greenhorn on HackTheBox

Key Highlights

• Greenhorn is an easy CTF challenge on HackTheBox that is perfect for beginners to learn and practice their cybersecurity skills.
• The challenge involves finding two hidden flags on the target system.
• The first step is to perform reconnaissance and identify the services running on the target.
• After identifying vulnerabilities, the next steps involve exploiting them to gain access and escalate privileges.
• The challenge also introduces beginners to popular tools like Nmap and Gitea.
• Overcoming challenges and troubleshooting problems is an important part of the learning process.

Introduction

Welcome to the beginner’s guide on conquering Greenhorn, an easy CTF challenge on HackTheBox. This challenge is designed specifically for beginners who are eager to learn and practice their cybersecurity skills. Greenhorn provides a fun and hands-on experience for newcomers to the field, allowing them to gain practical knowledge and build confidence in their abilities.

In this guide, we will walk you through the steps to successfully conquer the Greenhorn challenge. We will explain the concepts, tools, and techniques required to complete the challenge and find the hidden flags. By following this guide, you will gain valuable experience in reconnaissance, vulnerability identification, exploitation, privilege escalation, and more. Additionally, we will explore the GreenAdmin repo, which can be accessed through the /explore/repos directory, and use it for vulnerability analysis and potential login credentials.

Whether you are a beginner looking to get started in cybersecurity or an aspiring professional wanting to enhance your skills, this guide will provide you with the foundation to tackle the Greenhorn challenge and take your cybersecurity journey to the next level.

Understanding HackTheBox and Greenhorn Challenge

Before we dive into the details of the Greenhorn challenge, it is important to understand the platform on which it is hosted – HackTheBox. HackTheBox is a popular online platform that offers a range of realistic and challenging Capture The Flag (CTF) challenges and virtual machines for cybersecurity enthusiasts to test their skills. Greenhorn is one of the many challenges available on HackTheBox, designed specifically for beginners to learn and practice their cybersecurity skills in a safe and controlled environment. To access the Greenhorn challenge, type greenhorn.htb:3000/ into your browser.

The Concept of Capture The Flag (CTF)

Capture The Flag (CTF) is a popular cybersecurity competition that simulates real-world scenarios, where participants are tasked with finding and exploiting vulnerabilities in systems to capture flags. These flags are usually strings of text or unique identifiers hidden throughout the challenge or target system. CTF challenges are designed to test and enhance participants’ skills in various areas of cybersecurity, including reconnaissance, vulnerability identification, exploitation, privilege escalation, and more. By participating in CTF challenges like Greenhorn, beginners can gain practical experience and develop a solid foundation in cybersecurity fundamentals.

Why Greenhorn is a Must-Try for Beginners

Greenhorn is an excellent challenge for beginners to start their cybersecurity journey. It provides a learning platform where beginners can understand and practice various cybersecurity techniques in a controlled environment. The challenge is designed to be approachable for those with limited experience, allowing them to gain practical skills and build confidence in their abilities.

By attempting Greenhorn, beginners will learn valuable skills such as reconnaissance, vulnerability identification, exploitation, privilege escalation, and more. The challenge provides step-by-step guidance and encourages learners to think critically and solve problems. Completing Greenhorn will give beginners a sense of accomplishment and motivate them to further explore the field of cybersecurity.

Preparing to Tackle Greenhorn

Before diving into the Greenhorn challenge, it is important to prepare yourself and set up the necessary tools and environment. You will need an SSH server to connect to the target machine, so ensure you have this set up correctly. Additionally, familiarize yourself with essential tools and resources such as Nmap for reconnaissance and enumeration, SSH for secure remote access, and other tools used in CTF challenges. Setting up your environment and having the right tools in place will ensure a smooth and efficient experience when tackling the Greenhorn challenge and gaining a foothold into the target machine.

Setting Up Your Environment

To tackle the Greenhorn challenge, you will need to set up your environment correctly. Start by downloading and installing an SSH server on your local machine. This will allow you to establish a secure remote connection to the target machine.

Once you have set up the SSH server, download the necessary files and tools required for the challenge. This includes tools like Nmap for reconnaissance and enumeration, as well as any additional tools specified in the challenge.

Make sure to follow the installation instructions for each tool and ensure they are functioning properly before starting the challenge. Having a properly configured environment will ensure a smooth and efficient experience when attempting the Greenhorn challenge.

Essential Tools and Resources

When tackling the Greenhorn challenge, it is essential to have the right tools and resources at your disposal. Here are some of the key tools and resources that will be helpful throughout the challenge:

• Nmap: A powerful network scanning tool used for reconnaissance and enumeration. It allows you to discover open ports, services running on those ports, and potential vulnerabilities.
• SSH: Secure Shell is a network protocol that allows for secure remote access to systems. It is essential for establishing a secure connection to the target machine.
• Enumeration: The process of gathering information about a target system, such as open ports, services, and potential vulnerabilities. Enumeration helps in identifying entry points and potential attack vectors.

These tools and resources will play a crucial role in your journey to conquer the Greenhorn challenge. Familiarize yourself with these tools and learn how to effectively utilize them for successful completion of the challenge.

Step-by-Step Guide to Conquering Greenhorn

Now that you have prepared your environment and familiarized yourself with the necessary tools, it’s time to dive into the step-by-step guide to conquering Greenhorn. In this section, we will walk you through the key steps involved in completing the challenge, including initial reconnaissance, identifying vulnerabilities, exploiting those vulnerabilities, and capturing the flags. By following this guide, you will gain hands-on experience in applying the concepts and techniques learned earlier. So let’s get started and conquer Greenhorn!

Step 1: Initial Reconnaissance

The first step in conquering Greenhorn is to perform initial reconnaissance on the target machine. This involves gathering information about the target’s IP address and identifying open ports and services. Nmap, a powerful network scanning tool, can be used to accomplish this. Use the following command to perform a port scan on the target IP:

nmap -sV -p- -n -Pn 10.129.212.10

This command will scan all ports (-p-) on the target machine and provide information about the services running on those ports (-sV). Make note of any open ports and the services identified. This information will be crucial in identifying potential vulnerabilities and planning your next steps.

NMap

PORT     STATE SERVICE VERSION
22/tcp   open  ssh     OpenSSH 8.9p1 Ubuntu 3ubuntu0.10 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   256 57:d6:92:8a:72:44:84:17:29:eb:5c:c9:63:6a:fe:fd (ECDSA)
|_  256 40:ea:17:b1:b6:c5:3f:42:56:67:4a:3c:ee:75:23:2f (ED25519)
80/tcp   open  http    nginx 1.18.0 (Ubuntu)
|_http-trane-info: Problem with XML parsing of /evox/about
|_http-server-header: nginx/1.18.0 (Ubuntu)
| http-title: Welcome to GreenHorn ! - GreenHorn
|_Requested resource was http://greenhorn.htb/?file=welcome-to-greenhorn
| http-cookie-flags: 
|   /: 
|     PHPSESSID: 
|_      httponly flag not set
|_http-generator: pluck 4.7.18
| http-robots.txt: 2 disallowed entries 
|_/data/ /docs/
3000/tcp open  ppp?
| fingerprint-strings: 
|   GenericLines, Help, RTSPRequest: 
|     HTTP/1.1 400 Bad Request
|     Content-Type: text/plain; charset=utf-8
|     Connection: close
|     Request
|   GetRequest: 
|     HTTP/1.0 200 OK
|     Cache-Control: max-age=0, private, must-revalidate, no-transform
|     Content-Type: text/html; charset=utf-8
|     Set-Cookie: i_like_gitea=e7f1615fa0f86e6b; Path=/; HttpOnly; SameSite=Lax
|     Set-Cookie: _csrf=7pyZzuo6DlZvfbEMU5LXdM16HSg6MTcyMTUyMzcxNzQzMzc3ODk1MA; Path=/; Max-Age=86400; HttpOnly; SameSite=Lax
|     X-Frame-Options: SAMEORIGIN
|     Date: Sun, 21 Jul 2024 01:01:57 GMT
|     <!DOCTYPE html>
|     <html lang="en-US" class="theme-auto">
|     <head>
|     <meta name="viewport" content="width=device-width, initial-scale=1">
|     <title>GreenHorn</title>
|     <link rel="manifest" href="data:application/json;base64,eyJuYW1lIjoiR3JlZW5Ib3JuIiwic2hvcnRfbmFtZSI6IkdyZWVuSG9ybiIsInN0YXJ0X3VybCI6Imh0dHA6Ly9ncmVlbmhvcm4uaHRiOjMwMDAvIiwiaWNvbnMiOlt7InNyYyI6Imh0dHA6Ly9ncmVlbmhvcm4uaHRiOjMwMDAvYXNzZXRzL2ltZy9sb2dvLnBuZyIsInR5cGUiOiJpbWFnZS9wbmciLCJzaXplcyI6IjUxMng1MTIifSx7InNyYyI6Imh0dHA6Ly9ncmVlbmhvcm4uaHRiOjMwMDAvYX
|   HTTPOptions: 
|     HTTP/1.0 405 Method Not Allowed
|     Allow: HEAD
|     Allow: GET
|     Cache-Control: max-age=0, private, must-revalidate, no-transform
|     Set-Cookie: i_like_gitea=f1b2003978b615d1; Path=/; HttpOnly; SameSite=Lax
|     Set-Cookie: _csrf=3Nz8kIws_LjclbrPV179mtWbM6E6MTcyMTUyMzcyNTc4ODA0MzIwMA; Path=/; Max-Age=86400; HttpOnly; SameSite=Lax
|     X-Frame-Options: SAMEORIGIN
|     Date: Sun, 21 Jul 2024 01:02:05 GMT
|_    Content-Length: 0

Port 80

Visiting port 80 opens up a Pluck CMS page. It has some hints (highlighted) that we can use to access the resources to explore the website. We can also click the admin at the bottom of the site to enter the login page for the CMS dashboard.

Port 3000

We have a password-free Gitea repository on Port 3000. The GreenHorn repo contains the source codes of the web app project. Searching for the configuration files, which always configures credentials for different components, we can find a password inside http://greenhorn.htb:3000/GreenAdmin/GreenHorn/src/branch/main/data/settings/pass.php:

ALSO READ: Beginner’s Guide To Conquering Ghost On HackTheBox

Step 2: Enumeration – Identifying Vulnerabilities

Once you have identified open ports and services during the reconnaissance phase, the next step is to perform enumeration to gather more information and identify potential vulnerabilities. Enumerating the target system will involve scanning for additional information, such as version numbers, banners, and configurations that could reveal potential weaknesses. Use tools like Nmap and manual enumeration techniques to gather this information. Look for any known vulnerabilities associated with the services and versions identified during enumeration, particularly on the tcp/80 port. This will help you in planning your exploitation strategy in the next step.

PLUCK RCE | www-data

Pluck 4.7.18 can be exploited for its RCE vulnerability. We can upload/install a module for the CMS with a ZIP file, which contains malicious PHP script. Then we can access certain path to execute the PHP script.

First we create a ZIP file which has our reverse shell PHP script inside:

Step 3: Exploitation – Gaining Access

With the information gathered during reconnaissance and enumeration, it’s time to exploit the vulnerabilities identified and gain access to the target system. Depending on the specific vulnerabilities present, you may need to utilize different techniques such as exploiting a misconfigured service or conducting a privilege escalation attack. One common technique is to use a reverse shell module to establish a connection with the target machine, allowing you to interact with its command line remotely. By gaining access through exploitation, you will have control over the target system and be able to proceed to the next steps of the challenge.

Uploading the PHP Reverse Shell ZIP file on Pluck admin panel (Options > Manage Modules > Install a module):

Using our listener, we can see that we have a reverse shell as www-data:

PASSWORD | Junior

We cannot read the user flag as www-data, so, we change our target to junior:

Reusing the password for the Pluck CMS we retrieved from Gitea and after using su junior, we become user junior and then we can see user flag:

Step 4: Privilege Escalation – Becoming Root

Once we have gained initial access to the target system, the next objective is to escalate privileges and gain root access. Privilege escalation refers to the process of obtaining higher-level privileges on a system, which allows you to perform actions restricted to the root user. Look for misconfigurations, vulnerabilities, or weak security measures that can be exploited to escalate your privileges. By becoming the root user using a tool like Depix, you will have full control over the target system and be able to access the root flag.

DEPIX | Root

Inside the home directory of junior, we discover a PDF except the user flag. We can use the base64 encoded method to transfer the file. However, we only have a very primitive shell here, so that we cannot transfer this size of files.

Since now we are in the HTB local network, we don’t have to provide a public server to upload files to the target machine. A simple transfer of the static binary of Netcat to the victim, which we can download from the Github, which will enable us to then easily pass the PDF to our local machine.

The PDF file indicates a sudo command to run OpenVAS on the machine, which we cannot find it on the target:

But they have provided a password inside the pdf, which is just a blurred image which we cannot see.

For a blurred image, we can try to reverse the process of pixelation to reveal the original text or content. Pixelation is a process where an image is divided into blocks, and each block is averaged into a single color. This makes the details within the block indistinguishable. So it is deterministic and can be reversed if the original image’s characteristics and the pixelation process are known.

Therefore, we can use a tool called Depix. It essentially uses a brute-force approach combined with intelligent matching algorithms to reverse the pixelation. It relies on having a good set of pre-rendered characters and a consistent pixelation process to achieve accurate results. Here is how it works:

1. Character Matching:
   • It uses a character recognition approach. It first analyzes the pixelated image and attempts to identify individual characters.
   • A set of pre-rendered images of possible characters is used. These images are pixelated in the same way as the target image.
   • By comparing the pixelated blocks from the target image with the pixelated blocks of the pre-rendered character images, it tries to find matches.
2. Template Matching:
   • The tool uses template matching techniques to match blocks of pixels from the blurred image with blocks of pixels from the pixelated character images.
   • It scans through the pixelated image and tries to find the closest matching character for each block of pixels.
3. Reconstruction:
   • Once potential matches are identified for each block, the characters are assembled to form the original text or image.
   • The accuracy of the reconstruction depends on the quality of the match between the blurred image blocks and the pre-rendered character images.
4. Iterative Refinement:
   • The process may involve iterative refinement where the tool adjusts its matching criteria to improve the accuracy of the de-pixelation.
   • Multiple passes over the image can help in refining the output to get a clearer reconstruction.

We download it from Github. The first point is that we need to extract the blurred password image precisely, which means we cannot leave any space surrounding our target section but only the raw blurred image:

We can also use the command to verify if it’s a valid PNG for Depix using its example:

python3 tool_show_boxes.py \
    -p images/testimages/testimage3_pixels.png \
    -s images/searchimages/debruinseq_notepad_Windows10_closeAndSpaced.png

Therefore, we can install the poppler-utils package, which contains various utilities for working with PDF files.

sudo apt-get install poppler-utils

One of the tools included in this package calls pdfimages, which can extract images from PDF files. It will extract all the images from the specified PDF file and save them using the specified output prefix we specify:

pdfimages -j Using\ OpenVAS.pdf output

Extracted files will be in PPM format, so we need to convert them for the tool Depix to use. Using mogrify, which is a part of the ImageMagick suite, to convert all the extracted PPM images to PNG format:

mogrify -format png output-*.ppm

Besides, the tool Depix uses __loadImageData method in the python scripts, which is only able to deal with PNG in RGB mode. Use a simple python script with pillow library to verify the output PNG mode:

from PIL import Image

image = Image.open('output-000.png')
print(image.mode)  # Should print 'RGB' for Depix to work
print(image.size)  # Should print the dimensions of the image

Unfortunately, we have the wrong color mode for the PNG image. Here is a python script to convert it to RGB mode:

from PIL import Image

# Load the PNG image
image_path = '~/HTB/greenhorn/output-000.png'	# change this
image = Image.open(image_path)

# Print original image mode and size
print(f"Original image mode: {image.mode}")  # Should be 'P'
print(f"Image size: {image.size}")

# Convert to RGB mode if necessary
if image.mode != 'RGB':
    image = image.convert('RGB')
    rgb_image_path = '~/HTB/greenhorn/output_rgb.png'	# choose path
    image.save(rgb_image_path)
    print(f"Converted image saved at {rgb_image_path} with mode {image.mode}")

# Print new image mode to confirm
new_image = Image.open(rgb_image_path)
print(f"New image mode: {new_image.mode}")  # Should be 'RGB'

Now, let’s feed it to Depix:

python3 depix.py \
    -p ~/HTB/greenhorn/output_rgb.png \
    -s images/searchimages/debruinseq_notepad_Windows10_closeAndSpaced.png \
    -o ~/HTB/greenhorn/cracked.png

We will get a depixelized image revealing a plaintext password:

This is the password for user root. Now, we have the root flag:

Step 5: Capturing the Flag

The final step in conquering the Greenhorn challenge is to capture the flag. This involves finding the hidden flags on the target system. Once you have gained root access, explore the system to locate the flag files. These flags are usually strings of text or unique identifiers that serve as proof of completing the challenge. Find and capture the user flag and the root flag to demonstrate your success in conquering Greenhorn. Keep in mind that the flags may be hidden in obscure locations or require additional steps to uncover. Persistence and thorough exploration of the system will be key in finding and capturing the flags. Additionally, make sure to check out the writeup for this challenge on GitHub to see a clear and precise explanation of how to solve it. Don’t forget to give it a clap if it was helpful!

ALSO READ: Beginner’s Guide To Conquering Blazorized On HackTheBox

Common Challenges and How to Overcome Them

While attempting the Greenhorn challenge, you may encounter certain challenges that can hinder your progress. Some common challenges include:

• Difficulty in identifying vulnerabilities and exploitation opportunities.
• Troubleshooting issues during the exploitation process.
• Problems with privilege escalation or accessing essential files.

To overcome these challenges, it is important to approach them with a problem-solving mindset. Take a step back, review the information gathered, and analyze the situation from different angles. Research and consult available resources such as online forums or documentation to gain insights and potential solutions. Persistence, adaptability, and a willingness to learn from failures are essential in overcoming challenges and successfully completing the Greenhorn challenge.

Troubleshooting Common Errors

When working on Greenhorn or any other HackTheBox challenge, you may encounter certain errors that can hinder your progress. Troubleshooting these errors is an essential skill to develop as it helps you overcome obstacles and learn from your mistakes. Here are some common errors you may come across while attempting Greenhorn and how to fix them:

• Error 1: “Connection refused” – This error usually occurs when the target system is not accepting connections on the specified port. To fix this, double-check the IP address and port number you are using and ensure that the target system is up and running.
• Error 2: “Permission denied” – This error occurs when you do not have sufficient privileges to access a file or directory. To fix this, try running the command with sudo or as an administrator. Make sure you have the necessary permissions to access the file or directory.
• Error 3: “Command not found” – This error indicates that the command you are trying to run is not recognized by the system. Double-check the spelling and syntax of the command and ensure that the required software or package is installed.
• Error 4: “File not found” – This error occurs when the specified file or directory does not exist. Check the path and spelling of the file or directory and make sure it is present in the specified location.

By troubleshooting these common errors, you can overcome obstacles and progress in your journey to conquer Greenhorn on HackTheBox.

Tips for Efficient Problem-Solving

When encountering hurdles, leverage NLP tools like Nmap for thorough scans and enumeration. Utilize SSH servers for secure access and reverse shells for connectivity. Hash identification and PHP file scrutiny are common steps. Employ Git repositories for version control. CTF challenges often demand a methodical approach; establish a plan to navigate complexities efficiently. Research prior solutions to similar challenges for insights. Document each step meticulously for later reference. Networking within the cybersecurity community can provide valuable assistance. Reach out for assistance when stuck.

Conclusion

Whether you conquered Greenhorn effortlessly or stumbled along the way, the experience gained is invaluable. Each challenge unraveled layers of cybersecurity knowledge, enhancing your NLP vocabulary. Remember, in the world of HackTheBox, the learning journey never truly ends. Embrace the setbacks, celebrate the victories, and remain curious. Strive to pluck more knowledge from each task, honing your skills for the next cyber adventure. Your endeavor with Greenhorn is just the beginning of a thrilling cybersecurity odyssey.

Frequently Asked Questions

What is Greenhorn on HackTheBox and why is it a good challenge for beginners?

Greenhorn on HackTheBox is an entry-level challenge designed for beginners to learn and practice essential cybersecurity skills. It introduces concepts like reconnaissance, enumeration, exploitation, and privilege escalation in a controlled environment, making it an ideal starting point for new enthusiasts.

How Long Does It Typically Take to Solve Greenhorn?

Typically, solving Greenhorn on HackTheBox can vary based on skill level. Beginners may take hours to days, while experienced individuals might solve it within hours. Persistence and learning from mistakes are key.

Are there any specific skills or knowledge areas that are helpful for conquering Greenhorn?

To conquer Greenhorn on HackTheBox, having knowledge of basic networking, Linux command line, and common hacking tools like Nmap and Metasploit is beneficial. Understanding web vulnerabilities and privilege escalation techniques can also aid in overcoming the challenge.