🌀Linkvortex
Recon phase


Fuzz for hidden pages and subdomains

Look at robots.txt

Enumerate possible subdomains

Add dev.linkvortex.htb to the hosts file and take a look

A bit more fuzzing

We've found an exposed git repository, let's dump it
git-dumper http://dev.linkvortex.htb ./git-dump


Let's grep around for some passwords

It's quite messy like that, so let's do the same but grep only the admin files

Much better.
There seem to be a couple of constant passwords, probably used for login testing... I wonder if they're still valid...
Looking at the Dockerfile inside the git folder, we see that the Ghost version is 5.58.0
and that the production configuration file lives at /var/lib/ghost/config.production.json
That Ghost version has a known vulnerability, CVE-2023-40028: an authenticated arbitrary file read (Ghost before 5.59.1 accepts uploaded archives that contain symlinks, and the linked file can then be read back through the web server). It is not a classic path traversal, but the effect is the same, so we use a public PoC to exploit it.
The PoC needs valid Ghost credentials; the constants from the test files are the obvious candidates.

It seems to work.
Let's read the config file we found earlier, /var/lib/ghost/config.production.json

There we go.
SSH into the machine with the newly found credentials and let's look for a privesc!

nano /opt/ghost/clean_symlink.sh

So this script takes a symlink as input and checks whether the link's target points into /etc or /root.
If it does, it unlinks it and prints an error; if the target looks fine, it moves the link to a quarantine directory (?). A bit odd, but whatever.
Let's see if we read it right
ln -s /root/root.txt flag.png
sudo /usr/bin/bash /opt/ghost/clean_symlink.sh flag.png

It seems we were: the direct link gets caught. But the check only looks at the first hop of the link, so double linking is the key:
ln -s /root/root.txt flag.txt
ln -s /home/bob/flag.txt flag.png
sudo /usr/bin/bash /opt/ghost/clean_symlink.sh flag.png

The link is now in quarantine, where of course we can't read it. But on a second look at the script there is a CHECK_CONTENT
variable, read from the environment, that makes it print the quarantined file (again odd, since the script was written to check PNG files). cat follows every hop of the chain, and sudo lets us set the variable on the command line for this script:
sudo CHECK_CONTENT=true /usr/bin/bash /opt/ghost/clean_symlink.sh flag.png

There we go.
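The whole privesc rests on one detail: the script inspects only the immediate target of the symlink (what plain readlink returns) and decides by string match, while cat at the end follows the complete chain. Below is an added example, not the box's clean_symlink.sh, that rebuilds the double link from the commands above in a scratch directory (box_root stands in for /root, box_home/bob for /home/bob; all paths are assumptions) and runs it through a first-hop check modelled on the one on the box (the (etc|root) pattern is an assumption) next to a hardened check that canonicalises the chain with readlink -f and compares prefixes:

```bash
#!/bin/bash
# Added example: a miniature of the symlink check from the writeup next to a
# hardened version, run against a constructed directory tree so it needs no
# root. Directory names, file contents and the regex are all assumptions.

# Weak check, modelled on the behaviour seen on the box: only the first hop
# of the link is inspected, and the verdict is a substring match.
weak_check() {
    local first_hop
    first_hop=$(readlink -- "$1") || return 1
    if printf '%s\n' "$first_hop" | grep -Eq '(etc|root)'; then
        echo blocked
    else
        echo allowed
    fi
}

# Hardened check: canonicalise the whole chain first, then compare the
# resolved path against each protected directory as a path prefix.
# Usage: strong_check <link> <protected_dir>...
strong_check() {
    local link="$1" resolved protected
    resolved=$(readlink -f -- "$link") || { echo blocked; return; }
    shift
    for protected in "$@"; do
        case "$resolved" in
            "$protected"|"$protected"/*) echo blocked; return ;;
        esac
    done
    echo allowed
}

# Build the chain from the writeup in a scratch tree (constructed sample):
#   <tree>/box_root/root.txt          stands in for /root/root.txt
#   <tree>/box_home/bob/flag.txt  ->  <tree>/box_root/root.txt
#   <tree>/box_home/bob/flag.png  ->  <tree>/box_home/bob/flag.txt
#   <tree>/box_home/bob/direct.png -> <tree>/box_root/root.txt (single hop)
# Absolute targets matter: the link must survive being moved to quarantine.
make_tree() {
    local tree
    tree=$(readlink -f -- "$(mktemp -d)")
    mkdir -p "$tree/box_root" "$tree/box_home/bob" "$tree/quarantine"
    echo "FLAG{constructed-sample}" > "$tree/box_root/root.txt"
    ln -s "$tree/box_root/root.txt" "$tree/box_home/bob/flag.txt"
    ln -s "$tree/box_home/bob/flag.txt" "$tree/box_home/bob/flag.png"
    ln -s "$tree/box_root/root.txt" "$tree/box_home/bob/direct.png"
    echo "$tree"
}

# What happens after an "allowed" verdict with CHECK_CONTENT set: the link is
# moved into quarantine and cat'ed. cat follows every hop, so the content leaks.
quarantine_and_read() {
    local tree="$1" link="$2"
    mv -- "$link" "$tree/quarantine/"
    cat -- "$tree/quarantine/$(basename -- "$link")"
}

main() {
    local tree
    tree=$(make_tree)
    echo "direct link, weak check:   $(weak_check "$tree/box_home/bob/direct.png")"
    echo "double link, weak check:   $(weak_check "$tree/box_home/bob/flag.png")"
    echo "double link, strong check: $(strong_check "$tree/box_home/bob/flag.png" "$tree/box_root")"
    echo "content via quarantine:    $(quarantine_and_read "$tree" "$tree/box_home/bob/flag.png")"
    rm -rf -- "$tree"
}

main "$@"
```

The weak check blocks direct.png (its first hop contains "root") but lets flag.png through, because its first hop is a path under bob's home; the strong check resolves flag.png all the way to box_root/root.txt and blocks it. The same fix applies to the real script: canonicalise with readlink -f or realpath before deciding, and compare the result as a path prefix rather than grepping for substrings.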