HTB: Greenhorn Sanity Check | CBBH - CPTS

These notes serve primarily as a validation and reference tool for HTB Academy modules, documenting the insights gained from HTB machines that have contributed to my progression through the CBBH and CPTS paths on HackTheBox. They are not designed as instructional guides, but they do contain spoilers and insights as you advance further.

greenhorn hackthebox machine

This box is currently active on HackTheBox. Once retired, these notes will be fully published for public access as per HackTheBox's policy on publishing content from their platform.

Initial Sanity Check

Keep in mind the Hackthebox requirements for easy boxes when tackling this machine.

| Topic | Module | Status |
| --- | --- | --- |
| ✅ Enumeration | GETTING STARTED | ◻️ Did you enumerate everything? |
| ✅ Nmap | SERVICE ENUMERATION | ◻️ nmap scan all ports? |
| ✅ Page Fuzzing | ATTACKING WEB APPLICATIONS WITH FFUF | ◻️ What is the site extension? |
| ✅ Vhost Fuzzing | ATTACKING WEB APPLICATIONS WITH FFUF | ◻️ Any subdomains available? |
| ✅ Directory Fuzzing | ATTACKING WEB APPLICATIONS WITH FFUF | ◻️ Discover all directories? |
| ✅ Shells & Payloads | REVERSE SHELLS | ◻️ Reverse shell? Any CVE available? |
| ✅ Privilege Escalation | SUDO | ◻️ Priv escalation info? ◻️ Any leaked credentials? |

Rustscan / Nmap

╭─kali at kali in ~
╰─○ rustscan -a 10.10.11.25 -- -A
.----. .-. .-. .----..---.  .----. .---.   .--.  .-. .-.
| {}  }| { } |{ {__ {_   _}{ {__  /  ___} / {} \ |  `| |
| .-. \| {_} |.-._} } | |  .-._} }\     }/  /\  \| |\  |
`-' `-'`-----'`----'  `-'  `----'  `---' `-'  `-'`-' `-'
The Modern Day Port Scanner.
________________________________________
: http://discord.skerritt.blog           :
: https://github.com/RustScan/RustScan :
 --------------------------------------
Real hackers hack time
[~] The config file is expected to be at "/home/rustscan/.rustscan.toml"
[~] File limit higher than batch size. Can increase speed by increasing batch size '-b 1073741716'.
Open 10.10.11.25:22
Open 10.10.11.25:80
Open 10.10.11.25:3000
[~] Starting Script(s)
[>] Running script "nmap -vvv -p {{port}} {{ip}} -A" on ip 10.10.11.25
PORT     STATE SERVICE REASON  VERSION
22/tcp   open  ssh     syn-ack OpenSSH 8.9p1 Ubuntu 3ubuntu0.10 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   256 57d6928a7244841729eb5cc9636afefd (ECDSA)
|   256 40ea17b1b6c53f4256674a3cee75232f (ED25519)
80/tcp   open  http    syn-ack nginx 1.18.0 (Ubuntu)
| http-methods:
|_  Supported Methods: GET HEAD POST OPTIONS
|_http-title: Did not follow redirect to http://greenhorn.htb/
|_http-server-header: nginx/1.18.0 (Ubuntu)
3000/tcp open  ppp?    syn-ack
| fingerprint-strings:
|   GenericLines, Help, RTSPRequest:
|     HTTP/1.1 400 Bad Request
|     Content-Type: text/plain; charset=utf-8
|     Connection: close
|     Request
|   GetRequest:
|     HTTP/1.0 200 OK
|     Cache-Control: max-age=0, private, must-revalidate, no-transform
|     Content-Type: text/html; charset=utf-8
|     Set-Cookie: i_like_gitea=c9fa31244a9edd3b; Path=/; HttpOnly; SameSite=Lax
|     Set-Cookie: _csrf=zLJl16Wer3QA8w0mO2j4t7AXfFk6MTcyMTk1NDgxMTA1NDE1NDY0MQ; Path=/; Max-Age=86400; HttpOnly; SameSite=Lax
|     X-Frame-Options: SAMEORIGIN
|     Date: Fri, 26 Jul 2024 00:46:51 GMT
|     <!DOCTYPE html>
|     <html lang="en-US" class="theme-auto">
|     <head>
|     <meta name="viewport" content="width=device-width, initial-scale=1">
|     <title>GreenHorn</title>
|     <link rel="manifest" href="data:application/json;base64,e <SNIP>
|   HTTPOptions:
|     HTTP/1.0 405 Method Not Allowed
|     Allow: HEAD
|     Allow: HEAD
|     Allow: GET
|     Cache-Control: max-age=0, private, must-revalidate, no-transform
|     Set-Cookie: i_like_gitea=181dc29f2ca564e7; Path=/; HttpOnly; SameSite=Lax
|     Set-Cookie: _csrf=qXkGrKIRcAuZ6t5bsezofA4RN2g6MTcyMTk1NDgxNjE5ODUyOTU4MA; Path=/; Max-Age=86400; HttpOnly; SameSite=Lax
|     X-Frame-Options: SAMEORIGIN
|     Date: Fri, 26 Jul 2024 00:46:56 GMT
|_    Content-Length: 0
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
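The sanity-check point in this scan is port 3000: nmap's version probe gives up (`ppp?`), but the fingerprint-strings it captured carry a `Set-Cookie: i_like_gitea=...` header and a page title, which is enough to name the service as Gitea. The parser below is an added example written for these notes, not output from any tool; it reads a trimmed copy of the scan above and refines uncertain service guesses from that evidence. The Gitea cookie is the one this page confirms; the other two cookie entries are assumed common defaults.

```python
import re
# Constructed excerpt of the nmap -A output quoted above, trimmed to the lines
# the parser needs (port 3000 is the one nmap could not name).
NMAP_OUTPUT = """\
PORT     STATE SERVICE REASON  VERSION
22/tcp   open  ssh     syn-ack OpenSSH 8.9p1 Ubuntu 3ubuntu0.10 (Ubuntu Linux; protocol 2.0)
80/tcp   open  http    syn-ack nginx 1.18.0 (Ubuntu)
3000/tcp open  ppp?    syn-ack
| fingerprint-strings:
|   GetRequest:
|     HTTP/1.0 200 OK
|     Content-Type: text/html; charset=utf-8
|     Set-Cookie: i_like_gitea=c9fa31244a9edd3b; Path=/; HttpOnly; SameSite=Lax
|     <title>GreenHorn</title>
"""

# Session-cookie names that identify a web application. The Gitea entry is the
# one this page's scan confirms; the other two are assumed common defaults.
COOKIE_FINGERPRINTS = {"i_like_gitea": "Gitea", "grafana_session": "Grafana",
                       "JSESSIONID": "Java servlet container"}
PORT_RE = re.compile(r"^(\d+)/tcp\s+open\s+(\S+)\s+\S+\s*(.*)$")

def parse_nmap(text):
    """Group each port line with the NSE output ('|' lines) printed beneath it."""
    ports, current = {}, None
    for line in text.splitlines():
        m = PORT_RE.match(line)
        if m:
            current = int(m.group(1))
            ports[current] = {"service": m.group(2), "version": m.group(3).strip(), "evidence": []}
        elif current is not None and line.startswith("|"):
            ports[current]["evidence"].append(line.lstrip("|_ ").strip())
    return ports

def identify(info):
    """Keep nmap's answer when it is sure; otherwise fingerprint from the banner."""
    if not info["service"].endswith("?"):
        return f"{info['service']} {info['version']}".strip()
    evidence = "\n".join(info["evidence"])
    if not re.search(r"^HTTP/\d\.\d \d{3}", evidence, re.M):
        return info["service"]  # no HTTP response captured, nothing better to say
    app = next((name for cookie, name in COOKIE_FINGERPRINTS.items()
                if f"Set-Cookie: {cookie}=" in evidence), "unknown web app")
    title = re.search(r"<title>(.*?)</title>", evidence)
    return f"http ({app}, title {title.group(1)})" if title else f"http ({app})"

def summarize(text):
    return {port: identify(info) for port, info in parse_nmap(text).items()}
```

The same header-based check is what a defender would run over their own exposed ports: an application that announces itself through a default cookie name is identifiable before any version probe succeeds.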

Gobuster

╭─kali at kali in ~
╰─○ gobuster dir -u http://greenhorn.htb:3000/ -w ../wordlists/dirb/common.txt -t 50 | tee gobuster.txt
===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://greenhorn.htb:3000/
[+] Method:                  GET
[+] Threads:                 50
[+] Wordlist:                ../wordlists/dirb/common.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.6
[+] Timeout:                 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
/admin                (Status: 303) [Size: 38] [--> /user/login]
/explore              (Status: 303) [Size: 41] [--> /explore/repos]
/favicon.ico          (Status: 301) [Size: 58] [--> /assets/img/favicon.png]
/issues               (Status: 303) [Size: 38] [--> /user/login]
/notifications        (Status: 303) [Size: 38] [--> /user/login]
/sitemap.xml          (Status: 200) [Size: 287]
/v2                   (Status: 401) [Size: 50]

===============================================================
Finished
===============================================================

Feroxbuster

Information Disclosure

Hash Cracker

Initial Foothold

De-Obfuscate Password