htb: greenhorn sanity check

July 24, 2024

Initial Sanity Check

Keep in mind the Hack The Box requirements for easy boxes when tackling this machine.

Penetration Testing Checklist

| Topic                | Module                               | Status                                |
|----------------------|--------------------------------------|---------------------------------------|
| Enumeration          | GETTING STARTED                      | ◻️ Did you enumerate everything?      |
| Nmap                 | SERVICE ENUMERATION                  | ◻️ nmap scan all ports?               |
| Page Fuzzing         | ATTACKING WEB APPLICATIONS WITH FFUF | ◻️ What is the site extension?        |
| Vhost Fuzzing        | ATTACKING WEB APPLICATIONS WITH FFUF | ◻️ Any subdomains available?          |
| Directory Fuzzing    | ATTACKING WEB APPLICATIONS WITH FFUF | ◻️ Discover all directories?          |
| Shells & Payloads    | REVERSE SHELLS                       | ◻️ Reverse shell? Any CVE available?  |
| Privilege Escalation | SUDO                                 | ◻️ Any leaked credentials?            |

Rustscan

╭─kali at kali in ~
╰─○ rustscan -a 10.10.11.25 -- -A
.----. .-. .-. .----..---.  .----. .---.   .--.  .-. .-.
| {}  }| { } |{ {__ {_   _}{ {__  /  ___} / {} \ |  `| |
| .-. \| {_} |.-._} } | |  .-._} }\     }/  /\  \| |\  |
`-' `-'`-----'`----'  `-'  `----'  `---' `-'  `-'`-' `-'
The Modern Day Port Scanner.
________________________________________
: http://discord.skerritt.blog           :
: https://github.com/RustScan/RustScan :
 --------------------------------------
Real hackers hack time ⌛
 
[~] The config file is expected to be at "/home/rustscan/.rustscan.toml"
[~] File limit higher than batch size. Can increase speed by increasing batch size '-b 1073741716'.
Open 10.10.11.25:22
Open 10.10.11.25:80
Open 10.10.11.25:3000
[~] Starting Script(s)
[>] Running script "nmap -vvv -p {{port}} {{ip}} -A" on ip 10.10.11.25
PORT     STATE SERVICE REASON  VERSION
22/tcp   open  ssh     syn-ack OpenSSH 8.9p1 Ubuntu 3ubuntu0.10 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   256 57d6928a7244841729eb5cc9636afefd (ECDSA)
|   256 40ea17b1b6c53f4256674a3cee75232f (ED25519)
80/tcp   open  http    syn-ack nginx 1.18.0 (Ubuntu)
| http-methods:
|_  Supported Methods: GET HEAD POST OPTIONS
|_http-title: Did not follow redirect to http://greenhorn.htb/
|_http-server-header: nginx/1.18.0 (Ubuntu)
3000/tcp open  ppp?    syn-ack
| fingerprint-strings:
|   GenericLines, Help, RTSPRequest:
|     HTTP/1.1 400 Bad Request
|     Content-Type: text/plain; charset=utf-8
|     Connection: close
|     Request
|   GetRequest:
|     HTTP/1.0 200 OK
|     Cache-Control: max-age=0, private, must-revalidate, no-transform
|     Content-Type: text/html; charset=utf-8
|     Set-Cookie: i_like_gitea=c9fa31244a9edd3b; Path=/; HttpOnly; SameSite=Lax
|     Set-Cookie: _csrf=zLJl16Wer3QA8w0mO2j4t7AXfFk6MTcyMTk1NDgxMTA1NDE1NDY0MQ; Path=/; Max-Age=86400; HttpOnly; SameSite=Lax
|     X-Frame-Options: SAMEORIGIN
|     Date: Fri, 26 Jul 2024 00:46:51 GMT
|     <!DOCTYPE html>
|     <html lang="en-US" class="theme-auto">
|     <head>
|     <meta name="viewport" content="width=device-width, initial-scale=1">
|     <title>GreenHorn</title>
|     <link rel="manifest" href="data:application/json;base64,e <SNIP>
|   HTTPOptions:
|     HTTP/1.0 405 Method Not Allowed
|     Allow: HEAD
|     Allow: HEAD
|     Allow: GET
|     Cache-Control: max-age=0, private, must-revalidate, no-transform
|     Set-Cookie: i_like_gitea=181dc29f2ca564e7; Path=/; HttpOnly; SameSite=Lax
|     Set-Cookie: _csrf=qXkGrKIRcAuZ6t5bsezofA4RN2g6MTcyMTk1NDgxNjE5ODUyOTU4MA; Path=/; Max-Age=86400; HttpOnly; SameSite=Lax
|     X-Frame-Options: SAMEORIGIN
|     Date: Fri, 26 Jul 2024 00:46:56 GMT
|_    Content-Length: 0
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
The Modern Port Scanner. Find ports quickly (3 seconds at its fastest). -> bee-san Autumn (Bee)

Gobuster

╭─kali at kali in ~
╰─○ gobuster dir -u http://greenhorn.htb:3000/ -w ../wordlists/dirb/common.txt -t 50 | tee gobuster.txt
===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://greenhorn.htb:3000/
[+] Method:                  GET
[+] Threads:                 50
[+] Wordlist:                ../wordlists/dirb/common.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.6
[+] Timeout:                 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
/admin                (Status: 303) [Size: 38] [--> /user/login]
/explore              (Status: 303) [Size: 41] [--> /explore/repos]
/favicon.ico          (Status: 301) [Size: 58] [--> /assets/img/favicon.png]
/issues               (Status: 303) [Size: 38] [--> /user/login]
/notifications        (Status: 303) [Size: 38] [--> /user/login]
/sitemap.xml          (Status: 200) [Size: 287]
/v2                   (Status: 401) [Size: 50]
 
===============================================================
Finished
===============================================================
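As an added example (not part of the original writeup), a small Python triage script that pulls the checklist answers out of the two scan outputs above: open ports and versions, the redirect hostname that needs an /etc/hosts entry, the Gitea hint that nmap's "ppp?" label on port 3000 misses, and which gobuster paths are gated behind a login. The excerpts and the COOKIE_HINTS map are constructed for this example.

```python
import re
# Constructed excerpts of the nmap -A and gobuster output shown above (trimmed, same values).
NMAP_OUTPUT = """\
22/tcp   open  ssh     syn-ack OpenSSH 8.9p1 Ubuntu 3ubuntu0.10 (Ubuntu Linux; protocol 2.0)
80/tcp   open  http    syn-ack nginx 1.18.0 (Ubuntu)
|_http-title: Did not follow redirect to http://greenhorn.htb/
3000/tcp open  ppp?    syn-ack
|     Set-Cookie: i_like_gitea=c9fa31244a9edd3b; Path=/; HttpOnly; SameSite=Lax
"""
GOBUSTER_OUTPUT = """\
/admin                (Status: 303) [Size: 38] [--> /user/login]
/explore              (Status: 303) [Size: 41] [--> /explore/repos]
/sitemap.xml          (Status: 200) [Size: 287]
/v2                   (Status: 401) [Size: 50]
"""
PORT_RE = re.compile(r"^(\d+)/tcp\s+open\s+(\S+)\s+\S+\s*(.*)$")
REDIRECT_RE = re.compile(r"Did not follow redirect to https?://([^/\s]+)")
COOKIE_RE = re.compile(r"Set-Cookie:\s*([A-Za-z_]+)=")
GOBUSTER_RE = re.compile(r"^(\S+)\s+\(Status: (\d+)\)(?:.*\[--> (\S+)\])?")

# Hypothetical cookie-name -> product map: nmap labelled port 3000 "ppp?", but the
# session cookie in the fingerprint identifies the service as Gitea.
COOKIE_HINTS = {"i_like_gitea": "Gitea"}

def parse_nmap(text):
    """Return ({port: {service, version, hints}}, {hostnames seen in redirects})."""
    ports, hosts, current = {}, set(), None
    for line in text.splitlines():
        if m := PORT_RE.match(line):
            current = int(m.group(1))
            ports[current] = {"service": m.group(2), "version": m.group(3).strip(), "hints": []}
        elif current is not None:
            if m := REDIRECT_RE.search(line):          # vhost to add to /etc/hosts
                hosts.add(m.group(1))
            if (m := COOKIE_RE.search(line)) and m.group(1) in COOKIE_HINTS:
                ports[current]["hints"].append(COOKIE_HINTS[m.group(1)])
    return ports, hosts

def parse_gobuster(text):
    """Split discovered paths into login-gated (redirect to /user/login or 401) and reachable."""
    gated, reachable = [], []
    for line in text.splitlines():
        if not (m := GOBUSTER_RE.match(line)):
            continue
        path, status, target = m.group(1), int(m.group(2)), m.group(3)
        login_gated = status == 401 or (target is not None and target.endswith("/user/login"))
        (gated if login_gated else reachable).append(path)
    return gated, reachable
```

Run the two parsers over the real files (e.g. the gobuster.txt written by tee above) to get the same summary for the full scan.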

Feroxbuster

Information Disclosure

Hash Cracker

Initial Foothold

De-Obfuscate Password