LinkVortex

Amal Pradeep

Executive Summary

This penetration test was conducted against the domain linkvortex.htb to identify vulnerabilities and assess its security posture. The assessment revealed several critical flaws: an exposed .git directory leaking source code and credentials, an outdated Ghost CMS affected by an authenticated Arbitrary File Read (CVE-2023-40028), credential reuse between the application configuration and SSH, and a NOPASSWD sudo rule whose symlink filter could be bypassed. Chained together, they led to full system compromise.

Key Findings:

• Directory Enumeration revealing hidden files

• Subdomain Enumeration leading to sensitive endpoints

• Misconfigured Git Repository leaking source code

• Arbitrary File Read (CVE-2023-40028) in Ghost CMS version <5.59.1

• Exposed Credentials in configuration files and test scripts

• Initial Foothold via SSH using credentials leaked from the Ghost configuration

• Privilege Escalation to Root via a NOPASSWD sudo rule and a bypassable symbolic-link filter

Methodology

  1. Reconnaissance – Gathering subdomains, open ports, and service banners.

  2. Scanning & Enumeration – Using tools like nmap, ffuf, dirsearch.

  3. Exploitation – Utilizing discovered vulnerabilities to gain access.

  4. Privilege Escalation – Attempting to escalate access to root.

  5. Post-Exploitation & Reporting – Documenting findings and remediation steps.

Walkthrough

Reconnaissance

An nmap scan of 10.10.11.47 revealed two open ports, 22 (SSH) and 80 (HTTP), along with their service versions. This gives an overview of the exposed services that could be attacked.

Entering the IP address in a browser redirected to the hostname linkvortex.htb, which hosted a web page. The hostname was added to /etc/hosts so the site would resolve.

Scanning & Enumeration

The initial dirsearch scan identified accessible directories, revealing potential entry points and exposed files that could contain sensitive information or lead to further enumeration.

The robots.txt file disclosed hidden paths (/ghost/, /email/, /p/), which can point to sensitive endpoints.

Visiting /ghost/ showed a login page for Ghost CMS, a popular open-source content management system for publishing and managing blogs.

FFUF was used for virtual-host (subdomain) enumeration, which can expand the attack surface by revealing additional applications, services, or entry points.

FFUF identified a subdomain named dev. The dev subdomain did not reveal anything useful on its own, so we ran dirsearch against it to identify accessible directories. The dirsearch scan of dev.linkvortex.htb revealed an exposed .git/ directory, which can contain source code, commit history, and configuration files.

An exposed .git/ directory lets anyone reconstruct the repository without authentication. To exploit this, we used the GitHack tool to download the repository objects and rebuild the files, then reviewed them and the commit history for sensitive information.

The GitHack tool extracted two files: Dockerfile.ghost and authentication.test.js. The Dockerfile might reveal configuration details, while the authentication.test.js file could contain credentials, API keys, or authentication logic for further exploitation.

The authentication.test.js script exposed the admin password (OctopiFociPilfer45), which could be used to attempt a login to the Ghost CMS admin panel.

We attempted to log in to the Ghost CMS admin panel with the guessed email admin@linkvortex.htb and the leaked password OctopiFociPilfer45, and it worked.

After logging in, we identified that the Ghost CMS version in use is 5.58, which is outdated and may have known vulnerabilities that can be exploited.

Exploitation

After researching online, we found that Ghost CMS 5.58 is affected by CVE-2023-40028, an Arbitrary File Read fixed in 5.59.1. The vulnerability allows an authenticated user to upload files that are symbolic links, which Ghost then follows, so any file on the host that the Ghost process can read is exposed: configuration files, credentials, and system data. Because the bug is post-authentication, the admin credentials leaked from the .git directory are what make it exploitable here.

We found a public exploit for this vulnerability.
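The root cause of this CVE class is an archive (or upload) containing a symlink entry that the server extracts and later serves. The following is an added example, not code from the original post or from Ghost: it builds a constructed in-memory zip with one normal entry and one symlink entry, then audits the archive the way an upload handler should before extracting anything. The entry names and the target path are assumptions chosen to match the walkthrough; Ghost's own import format is not reproduced.

```python
import io
import stat
import zipfile

# For entries written on Unix, the file mode lives in the upper 16 bits of external_attr.
_MODE_SHIFT = 16


def build_archive(entries):
    """Constructed sample data: build an in-memory zip from (name, payload, is_symlink) tuples.

    For a symlink entry the payload is the link target, which is how Unix zip tools
    store symlinks (S_IFLNK in the mode bits, target path as the entry content).
    """
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        for name, payload, is_symlink in entries:
            info = zipfile.ZipInfo(name)
            mode = (stat.S_IFLNK | 0o777) if is_symlink else (stat.S_IFREG | 0o644)
            info.external_attr = mode << _MODE_SHIFT
            zf.writestr(info, payload)
    return buf.getvalue()


def audit_archive(zip_bytes):
    """Return a list of (entry name, reason, detail) for entries that must not be extracted.

    Flags symlink entries (the CVE-2023-40028 class) and, while here, path-traversal
    names, since both let an uploaded archive reach outside the content directory.
    """
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            mode = info.external_attr >> _MODE_SHIFT
            if stat.S_ISLNK(mode):
                # The entry body is the link target; report it so the reviewer sees
                # exactly which host file the upload was aimed at.
                target = zf.read(info).decode("utf-8", errors="replace")
                findings.append((info.filename, "symlink", target))
            name = info.filename
            if name.startswith("/") or ".." in name.split("/"):
                findings.append((name, "traversal", name))
    return findings


if __name__ == "__main__":
    # Constructed sample: a harmless image plus a "png" that is really a symlink
    # to the Ghost configuration file named in this walkthrough.
    sample = build_archive([
        ("content/images/logo.png", b"\x89PNG\r\n", False),
        ("content/images/cfg.png", b"/var/lib/ghost/config.production.json", True),
    ])
    for entry, reason, detail in audit_archive(sample):
        print(f"{reason:9s} {entry} -> {detail}")
```

The check reads the mode bits from the central directory rather than trusting the entry name or extension, which is the point: a `.png` name says nothing about whether extraction will create a link. An upload handler that rejects any archive with findings, instead of extracting first and filtering later, closes this class of bug regardless of where the link points.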

We examined the Dockerfile.ghost extracted earlier and found the line "COPY config.production.json /var/lib/ghost/config.production.json". This tells us that config.production.json is stored in /var/lib/ghost/, making it a valuable target for the CVE-2023-40028 exploit, since Ghost's production config typically holds database and mail credentials.

We executed the CVE-2023-40028 exploit to read /var/lib/ghost/config.production.json, successfully extracting its contents

In the extracted config.production.json we found an email address and password pair that looked like it might be reused for SSH, which would give us a foothold on the server.

Using those credentials we logged in over SSH as the user bob, gaining initial access to the system. Credential reuse between an application configuration file and a system account is what turned a file read into shell access.

Listing Bob's home directory revealed user.txt, the first (user) flag.

With initial access secured as bob, the next step is to escalate privileges and gain higher-level access, potentially leading to root control of the system.

Privilege Escalation

Checking the current user's sudo privileges (sudo -l) showed that bob can run /usr/bin/bash /opt/ghost/clean_symlink.sh with NOPASSWD, with a wildcard argument restricted to .png files. A root-run script that accepts a user-controlled path is a classic privilege escalation candidate.

We examined the contents of clean_symlink.sh with cat to understand what it does and to look for a weakness.

The clean_symlink.sh script takes a .png symbolic link, reads its immediate target, and refuses (deleting the link) if that target is under /etc/ or /root/. Any other link is moved into a quarantine directory (/var/quarantined/). The important detail is that the check inspects only the link's immediate target, not the file the chain of links ultimately resolves to.

Potential Exploitation:

• Since we can run this script as root with sudo and no password, we may be able to use symbolic links to read privileged files indirectly.

• The script moves the link into /var/quarantined/ and then, if CHECK_CONTENT=true, prints the quarantined file's contents. That read happens as root and follows the link wherever it points.

• If we can create a symbolic link whose immediate target passes the filter but which ultimately resolves to a protected file, we can read that file as root.

Privilege Escalation Strategy:

  1. Create a symbolic link (file1.png) pointing to /root/root.txt (a restricted file). On its own this link would be rejected, because its target contains /root/.

  2. Create a second symbolic link (file2.png) pointing to file1.png. Use the absolute path to file1.png so the link still resolves after the script moves it into the quarantine directory. The script only sees file1.png as the target, which contains neither /etc/ nor /root/, so the filter is bypassed.

  3. Set CHECK_CONTENT=true so the script reads the quarantined file after moving it.

  4. Run the script with sudo on file2.png. It moves file2.png into /var/quarantined/ and reads it; the read follows file2.png to file1.png and on to /root/root.txt.

  5. Collect the root flag from the script's output.

We ran the script with sudo:

• The script moved file2.png into the quarantine directory.

• Since file2.png was a symlink to file1.png, and file1.png pointed to /root/root.txt, reading the quarantined file as root displayed the root flag.
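To make the bypass concrete without needing root, here is an added example (not the box's clean_symlink.sh, and not code from the original post) that re-creates the described behaviour in a throwaway directory: a checker that inspects only the link's immediate target, then moves the link to quarantine and reads it. The "root/root.txt" file, the flag string and the protected-path fragment are constructed stand-ins for /root/root.txt and the script's /root/ filter. It shows the direct link being blocked and the two-hop chain being read, and why the inner link must be absolute.

```python
import os
import shutil
import tempfile

# Path fragments the described script refuses. This module does not reproduce the
# real /opt/ghost/clean_symlink.sh; it only mirrors the behaviour the walkthrough describes.
DEFAULT_PROTECTED = ("/etc/", "/root/")


def clean_symlink(link, quarantine_dir, check_content=False, protected=DEFAULT_PROTECTED):
    """Stand-in for the checker. Returns None if the link was blocked and removed,
    the quarantined file's content if check_content is set, otherwise ''."""
    if not link.endswith(".png") or not os.path.islink(link):
        raise ValueError("expected a .png symlink")
    target = os.readlink(link)                  # inspects ONE hop only: this is the flaw
    if any(frag in target for frag in protected):
        os.remove(link)                         # link straight into /etc/ or /root/: deleted
        return None
    dest = os.path.join(quarantine_dir, os.path.basename(link))
    shutil.move(link, dest)                     # moves the link itself, not its target
    if check_content:
        with open(dest) as fh:                  # open() follows the whole chain of links
            return fh.read()
    return ""


def demo_symlink_chain():
    """Sandbox the bypass: a direct link is blocked, a two-hop chain is read.
    Everything lives under a temp dir; root/root.txt stands in for /root/root.txt."""
    base = tempfile.mkdtemp()
    try:
        root_dir = os.path.join(base, "root")
        quarantine = os.path.join(base, "quarantined")
        os.makedirs(root_dir)
        os.makedirs(quarantine)
        secret = os.path.join(root_dir, "root.txt")
        with open(secret, "w") as fh:
            fh.write("FLAG{constructed-demo}")   # constructed stand-in for the flag
        protected = (root_dir + os.sep,)          # sandbox equivalent of the "/root/" filter

        # Attempt 1: file1.png -> root.txt. readlink() exposes the protected path: blocked.
        file1 = os.path.join(base, "file1.png")
        os.symlink(secret, file1)
        direct = clean_symlink(file1, quarantine, check_content=True, protected=protected)

        # Attempt 2: file2.png -> file1.png -> root.txt. readlink(file2.png) is only
        # file1's path, which contains nothing protected, so the link is moved and read.
        # file1 is an ABSOLUTE path, so the chain still resolves after the move.
        os.symlink(secret, file1)                 # recreate; attempt 1 deleted it
        file2 = os.path.join(base, "file2.png")
        os.symlink(file1, file2)
        chained = clean_symlink(file2, quarantine, check_content=True, protected=protected)
        return direct, chained
    finally:
        shutil.rmtree(base)


if __name__ == "__main__":
    print(demo_symlink_chain())   # (None, 'FLAG{constructed-demo}')
```

The fix on the defending side is the mirror image: resolve the link fully (os.path.realpath, or readlink -f in shell) before comparing against the deny-list, and never read the quarantined file as root at all.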

Final Assessment:

This penetration test revealed multiple critical security flaws that chained into full system compromise. An exposed repository, outdated software, credential reuse, and a weak sudo rule together allowed an attacker to go from anonymous web access to root.

To mitigate these risks, the following should be addressed immediately:

• Upgrade Ghost CMS to 5.59.1 or later to close CVE-2023-40028, and keep it patched.

• Remove the .git/ directory from the web root of dev.linkvortex.htb and stop committing credentials to source control, including test scripts.

• Rotate the leaked admin and SSH passwords, and stop reusing application passwords for system accounts.

• Fix the sudo rule for clean_symlink.sh: resolve links fully before filtering, do not read quarantined files as root, and avoid wildcard arguments in NOPASSWD rules.

• Implement continuous security monitoring so that enumeration and credential abuse are detected.

Without these improvements, the system remains highly vulnerable to exploitation.
