Hey Hackers! 👾
A fresh machine just dropped on Hack The Box (launched 07/12/2024), and it’s begging to be hacked! 🔥

⚡ Level: Easy
⚡ Link: https://www.hackthebox.com/machines/linkvortex
Pre-Requisites
➔ Connect to the HTB VPN pack

➔ Add the box IP to the hosts file

Enumeration
a. Port Scanning:
➔ Rustscan

➔ Nmap

b. Directory Enumeration
➔ Feroxbuster

➔ Found several directories that make it evident that Ghost CMS is running.
Manual Site Inspection [linkvortex.htb]

➔ Here's a login page. Tried a few default credentials, but no luck; that didn't work out!
➔ Went to the index page of the site

➔ After browsing around for a few minutes, I learned the Ghost CMS version: 5.58
➔ Did a simple Google search for "Ghost 5.58 exploits"

➔ Got this: CVE-2023-40028 :: arbitrary file read (an authenticated user can upload a file that is a symlink, and reading it back through Ghost returns the symlink's target).
➔ Analyzed the PoC code to understand how the exploit works and what it requires to run.

➔ As I thought, it needs valid Ghost CMS credentials to run this exploit
➔ So, I went back to the site to gather more information.

➔ These are some blog posts on the website, posted by admin.

➔ So, I thought to try admin@linkvortex.htb

➔ When I tried admin@linkvortex.htb it said "password is incorrect"
➔ When I tried a random email it said "incorrect email & password" instead. The differing error messages confirm that the admin account exists (a username-enumeration oracle).
➔ So, now I have the email and I need the password to exploit the vulnerability.
➔ After a few more minutes on the main domain there was nothing left to try other than subdomain enumeration.
➔ Using gobuster I started vhost fuzzing

➔ dev.linkvortex.htb :: found this subdomain.
➔ Added it to the hosts file and started further enumeration
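Both of the hosts-file steps above (the main domain first, then the dev vhost) are easy to get wrong by appending a second line for the same IP. The helper below is an added example, not part of the original write-up: it rewrites a hosts file so that one line maps the IP to every name found so far, merging names already on that IP's line and dropping a name from any stale line. The IP 10.10.11.47 and the demo file are placeholders; for real use pass /etc/hosts and run it with sudo.

```shell
# add_host_entry FILE IP NAME...  -> FILE ends up with exactly one line for IP that
# carries NAME... plus any names that line already had; NAME... is removed from every
# other line so an older IP cannot shadow the new one. Comments and blanks are kept.
add_host_entry() {
  file=$1; ip=$2; shift 2
  names=$*
  tmp=$(mktemp)
  awk -v ip="$ip" -v names="$names" '
    BEGIN { n = split(names, want, " "); for (i = 1; i <= n; i++) drop[want[i]] = 1 }
    /^[[:space:]]*#/ || /^[[:space:]]*$/ { print; next }
    $1 == ip { for (i = 2; i <= NF; i++) if (!($i in drop)) extra = extra " " $i; next }
    { out = ""
      for (i = 2; i <= NF; i++) if (!($i in drop)) out = out " " $i
      if (out != "") print $1 "\t" substr(out, 2) }
    END { print ip "\t" names extra }
  ' "$file" > "$tmp" && cat "$tmp" > "$file"
  rm -f "$tmp"
}

# hosts_for FILE NAME -> the IP currently mapped to NAME (empty if none)
hosts_for() {
  awk -v name="$2" '/^[[:space:]]*#/ { next }
    { for (i = 2; i <= NF; i++) if ($i == name) { print $1; exit } }' "$1"
}

# Demo on a constructed file (never point an example at the real /etc/hosts).
demo_hosts=$(mktemp)
printf '127.0.0.1\tlocalhost\n10.10.11.47\tlinkvortex.htb\n' > "$demo_hosts"   # placeholder IP
add_host_entry "$demo_hosts" 10.10.11.47 linkvortex.htb dev.linkvortex.htb
cat "$demo_hosts"
```

Running it a second time with only `linkvortex.htb` keeps `dev.linkvortex.htb` on the same line, so it is safe to call once per discovered vhost.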

Manual site Inspection [dev.linkvortex.htb]

➔ Wasn't able to find much on the site manually.
➔ Started directory enumeration.

➔ Found nothing :: I got stuck at this point, then decided to switch tools.
➔ So, switched to gobuster :: found nothing :: then Dirsearch.

➔ Dirsearch is a powerful tool because its built-in wordlist contains hidden directories and full paths of uncommon endpoints; sometimes it hands you a webshell endpoint directly.
➔ It gave me a .git directory.

➔ Without any delay I dumped this directory with git-dumper.


➔ As we can see, we have a fully dumped .git repository.
➔ As learnt in the PWST course, sometimes developers forget their creds in the repo or by mistake commit the
➔ I checked the commits but found nothing; also tried restoring (checking out) the commits but again came up empty-handed.


➔ At that point I was stuck; even after googling, I was unable to find anything.
➔ Then I started viewing each file/folder manually and got the idea to use grep.
➔ Used grep to search for the string "password" in the dumped repository.
➔ grep -iR "password"

➔ Got a lot of output. Found 2–3 passwords, but this one was interesting because it sat under admin/authentication, so it could be the password for the CMS.
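A plain `grep -iR` over the dumped checkout only sees the current files: anything committed and later scrubbed lives in zlib-compressed objects under .git, which grep cannot read. The functions below are an added example (not from the write-up or from git-dumper) that search the working tree, every revision, and the commits that added or removed a given string. The demo repository, its config file and the password `s3cr3t-demo-pass` are constructed here for illustration; `git` must be on PATH.

```shell
# secret_hits_tree REPO PATTERN -> matches in the checked-out files only (file:line:text)
secret_hits_tree() {
  grep -iRnE --exclude-dir=.git "$2" "$1" || true
}

# secret_hits_history REPO PATTERN -> matches in every revision reachable from any ref
# (<commit>:<file>:<line>:<text>), so a credential removed in a later commit still shows up
secret_hits_history() {
  git -C "$1" grep -inE "$2" $(git -C "$1" rev-list --all) || true
}

# commits_touching REPO STRING -> subjects of commits whose diff added or removed STRING
# (git's pickaxe, -S), oldest first, which shows exactly when a secret was introduced and scrubbed
commits_touching() {
  git -C "$1" log --all --reverse --format=%s -S"$2"
}

# Constructed demo: commit a config with a password, then "scrub" it in a second commit.
make_demo_repo() {
  export GIT_AUTHOR_NAME=dev GIT_AUTHOR_EMAIL=dev@example.com
  export GIT_COMMITTER_NAME=dev GIT_COMMITTER_EMAIL=dev@example.com
  repo=$(mktemp -d)
  git -C "$repo" init -q
  printf '{"database": {"user": "ghost", "password": "s3cr3t-demo-pass"}}\n' > "$repo/config.production.json"
  git -C "$repo" add -A
  git -C "$repo" commit -q -m "add production config"
  printf '{"database": {"user": "ghost", "password": "${DB_PASSWORD}"}}\n' > "$repo/config.production.json"
  git -C "$repo" commit -q -am "scrub credential from config"
  printf '%s\n' "$repo"
}

repo=$(make_demo_repo)
echo "--- working tree:";  secret_hits_tree "$repo" 'password'
echo "--- all revisions:"; secret_hits_history "$repo" 's3cr3t-demo-pass'
echo "--- commits that touched it:"; commits_touching "$repo" 's3cr3t-demo-pass'
```

When the history search is empty as well, `git log --all --format=%H` is worth comparing against `git reflog` and any packed refs, since git-dumper only recovers the objects it can find by name.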

➔ Tried logging in with this password and BOOM!! I got CMS access on linkvortex.htb

➔ admin@linkvortex.htb :: OctopiFociPilfer45
Initial Access
➔ Now that I have a valid credential set, it's time to run the bash PoC we found on GitHub against the target.

➔ Got file read access; time to turn it into a shell.

➔ At this point I got stuck, but after some research I learned that Ghost CMS stores its configuration in config.production.json, which lives at /var/www/ghost/config.production.json on a standard Ghost-CLI install.

➔ But here the file wasn't there

➔ Tried a few other paths and found it at /var/lib/ghost/config.production.json (the location used by the official Ghost Docker image).

➔ ssh bob@linkvortex.htb :: fibber-talented-worth
➔ Got SSH as user bob.

➔ Submitted user.txt
Privilege Escalation
➔ The first thing I do for privesc is check the sudoers configuration (sudo -l).

➔ Luckily, the privesc vector was right there in the sudoers file.
Description :: User bob can run a bash script with sudo that checks whether an image file is a dangerous symlink. If the link target contains /root or /etc, the file is removed; otherwise it is moved to the /var/quarantined directory, and if the CHECK_CONTENT parameter is set to true its content is printed.
➔ I tried multiple approaches; first the basic one, to see the functionality.

➔ It removed the file, as the code says it will
➔ After a few minutes of brainstorming, I got the idea to try an indirect path.

➔ Instead of passing /root/root.txt directly, I passed it indirectly, but the script checks for the strings "root" and "etc" anywhere in the full target path, not just at the start.
➔ Then got a hint about a "double symlink" from my colleague.

➔ Instead of symlinking the single file, I added one file in between.
➔ So the flow was like this ::
/home/bob/flag.txt -> /root/root.txt (flag.txt is a symlink to root.txt)
/home/bob/flag.png -> /home/bob/flag.txt (flag.png is a symlink to flag.txt)
So now, when I pass the png file, the script only reads the png's immediate target, /home/bob/flag.txt, which contains neither "root" nor "etc", so it goes undetected; cat then follows the whole chain to /root/root.txt.
➔ Got a root shell by reading root's id_rsa the same way.
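To make the "double symlink" concrete, here is an added example (my own model of the check, not the box's sudo script) in shell. `check_one_level` behaves the way the write-up describes the script: it inspects only the link's immediate target and rejects anything containing `root` or `etc`. `check_resolved` is the fix, resolving the whole chain first. Everything is built under a temp directory; `$T/root/root.txt` stands in for /root/root.txt and its contents are made up.

```shell
DANGEROUS='(etc|root)'   # the substring check the write-up describes

# verdict for a path: "drop" (target looks dangerous) or "quarantine" (target looks safe)
check_one_level() {
  [ -L "$1" ] || { echo not-a-link; return; }
  target=$(readlink "$1")               # one hop only: this is the flaw
  if printf '%s\n' "$target" | grep -Eq "$DANGEROUS"; then echo drop; else echo quarantine; fi
}

check_resolved() {
  [ -L "$1" ] || { echo not-a-link; return; }
  target=$(readlink -f "$1")            # follow every hop to the real file
  if printf '%s\n' "$target" | grep -Eq "$DANGEROUS"; then echo drop; else echo quarantine; fi
}

# Build the chain from the write-up:  flag.png -> flag.txt -> <protected file>
make_chain() {
  T=$(mktemp -d)
  mkdir -p "$T/root" "$T/home/bob"
  printf 'HTB{fake-flag}\n' > "$T/root/root.txt"         # constructed stand-in for /root/root.txt
  ln -s "$T/root/root.txt" "$T/home/bob/direct.png"       # the direct attempt
  ln -s "$T/root/root.txt" "$T/home/bob/flag.txt"         # hop 1
  ln -s "$T/home/bob/flag.txt" "$T/home/bob/flag.png"     # hop 2, the file handed to the script
  printf '%s\n' "$T"
}

T=$(make_chain)
echo "direct.png  one-level=$(check_one_level "$T/home/bob/direct.png")  resolved=$(check_resolved "$T/home/bob/direct.png")"
echo "flag.png    one-level=$(check_one_level "$T/home/bob/flag.png")  resolved=$(check_resolved "$T/home/bob/flag.png")"
cat "$T/home/bob/flag.png"   # cat follows the whole chain: this is what CHECK_CONTENT=true leaks
```

Even `readlink -f` only patches the symptom; a script that runs as root and prints files should resolve the path and then require it to sit under an allow-listed directory, rather than grepping the path for forbidden words.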


Learning
i. Never get stuck on a single tool; if you aren't finding anything, change either the tool or the wordlist.
ii. Enumeration is the key; if you aren't finding anything, go back to where you started.
iii. Don't think outside the box initially; the solution might be easy. Give it a basic try, then analyze the response.
iv. Double symlink technique for privilege escalation.
Thank you, hope it helped you out!
RGHX 🙂