
Hack The Box: LinkVortex Machine Walkthrough Easy Difficulty

Introduction to LinkVortex:

In this writeup, we will explore the “LinkVortex” machine from Hack The Box, categorized as an easy difficulty challenge. This walkthrough will cover the reconnaissance, exploitation, and privilege escalation steps required to capture the flag.

Objective on LinkVortex:

The goal of this walkthrough is to complete the “LinkVortex” machine from Hack The Box by achieving the following objectives:

User Flag:

The Ghost CMS vulnerability (CVE-2023-40028) was exploited to read sensitive system files, which revealed credentials for the user bob. Using these credentials, I logged into the system and accessed the user’s home directory, retrieving the user flag.

Root Flag:

Upon reviewing the sudo configuration, I identified a misconfiguration related to the CHECK_CONTENT environment variable. By manipulating this variable I was able to escalate privileges and obtain a root shell. After gaining root access, I retrieved the root flag from the /root/root.txt file.

Enumerating the Machine

Reconnaissance:

Nmap Scan:

Begin with a network scan to identify open ports and running services on the target machine.

nmap -sC -sV -oN nmap_initial.txt 10.10.11.47

Nmap Output:

┌─[dark@parrot]─[~/Documents/htb/linkvortex]
└──╼ $nmap -sC -sV -oA initial 10.10.11.47 
# Nmap 7.94SVN scan initiated Sun Apr  6 08:15:15 2025 as: nmap -sC -sV -oA initial 10.10.11.47
Nmap scan report for 10.10.11.47
Host is up (0.18s latency).
Not shown: 998 closed tcp ports (conn-refused)
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 8.9p1 Ubuntu 3ubuntu0.10 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   256 3e:f8:b9:68:c8:eb:57:0f:cb:0b:47:b9:86:50:83:eb (ECDSA)
|_  256 a2:ea:6e:e1:b6:d7:e7:c5:86:69:ce:ba:05:9e:38:13 (ED25519)
80/tcp open  http    Apache httpd
|_http-title: Did not follow redirect to http://linkvortex.htb/
|_http-server-header: Apache
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Sun Apr  6 08:15:58 2025 -- 1 IP address (1 host up) scanned in 42.92 seconds
┌─[dark@parrot]─[~/Documents/htb/linkvortex]
└──╼ $

Analysis:

  • Port 22 (SSH): OpenSSH 8.9p1 (Ubuntu 3ubuntu0.10) with ECDSA and ED25519 host keys. Nothing exploitable on its own, but a natural entry point once valid credentials turn up.
  • Port 80 (HTTP): Apache httpd redirecting to linkvortex.htb, which points to a web application worth enumerating for CMS vulnerabilities or server flaws.

Web Enumeration:

Perform web enumeration to discover potentially exploitable directories and files.

gobuster vhost -u http://linkvortex.htb -w /ope/subdomains-top1million-5000.txt

Gobuster Output:

Before browsing further, I started subdomain enumeration for linkvortex.htb.

Analysis:

I found one subdomain dev.linkvortex.htb during subdomain enumeration.

Exploitation on LinkVortex machine

Web Application Exploration:

Moving to exploitation, I explored the web application and identified that the site was running Ghost CMS version 5.58. I have also covered Ghost CMS in a previous write-up.

Exploring using Burp Suite

Let’s attempt to determine the version by exploring the directory structure.

Checking the robots.txt file revealed a disallowed /ghost directory, which piqued my interest.

Furthermore, I encountered the login page.

Extracting Data Using Git-Dumper

I spent some time working out how I could make use of the exposed .git directory to find interesting information. I came across a tool called git-dumper.

Analyzing the source code

cat ghost/core/test/regression/api/admin/authentication.test.js | grep pass 

I came across multiple authentication test files. While reading them, I found some credentials that seemed to belong to an administrator user.

const password = 'OctopiFociPilfer45';
password,
await agent.loginAs(email, password);
password: 'thisissupersafe',
password: 'thisissupersafe',
const password = 'thisissupersafe';
password,
await cleanAgent.loginAs(email, password);
password: 'lel123456',
password: '12345678910',
password: '12345678910',

In the above authentication.test.js file, I found the password OctopiFociPilfer45.

I found the password, but now I needed to locate the admin login panel. I think I hadn’t fully checked the robots.txt file yet, so let’s check robots.txt for useful information.

After reviewing robots.txt again to locate the admin login panel, I successfully accessed the Ghost CMS dashboard using these credentials.

Exploiting CVE-2023-40028: Local File Disclosure Vulnerability in LinkVortex machine

Vulnerability Overview

CVE-2023-40028 is a medium-severity vulnerability (CVSS v3.1 score: 4.9) in Ghost CMS, an open-source content management system, affecting versions before 5.59.1. It allows authenticated users to upload symbolic links (symlinks) via the CMS’s file upload functionality. These symlinks can point to arbitrary files on the host system, enabling attackers to read sensitive files, such as configuration files or credentials, that would otherwise be restricted. The vulnerability stems from improper handling of symlinks during file uploads, classified under CWE-22 (Path Traversal) and CWE-59 (Improper Link Resolution). There are no known workarounds, and upgrading to version 5.59.1 or later is the recommended fix.

Technical Details:

  • The exploit leverages the CMS’s import feature, which fails to validate or sanitize symlinks in uploaded ZIP files.
  • Tools like curl and zip are often used to automate the process, with scripts authenticating to the Ghost API, uploading the payload, and retrieving the file contents.
  • Public PoCs demonstrate this process, typically requiring Python or Bash, along with dependencies like requests for HTTP interactions.
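As an added example (not the page’s, the PoC’s or Ghost’s own code), here is a Python check an import feature could run over an uploaded archive before extracting anything: it rejects symlink entries of the kind CVE-2023-40028 abuses and entry names that traverse out of the import directory. The sample archive is constructed inline so the check runs offline.

```python
import io
import posixpath
import stat
import zipfile

def is_symlink_entry(info: zipfile.ZipInfo) -> bool:
    """True if the entry's Unix mode bits (upper 16 bits of external_attr) mark a symlink."""
    mode = (info.external_attr >> 16) & 0xFFFF
    return stat.S_ISLNK(mode)

def is_unsafe_path(name: str) -> bool:
    """True if the entry name is absolute or escapes the extraction directory."""
    name = name.replace("\\", "/")
    if name.startswith("/") or ":" in name.split("/")[0]:  # absolute path or drive letter
        return True
    normalized = posixpath.normpath(name)
    return normalized == ".." or normalized.startswith("../")

def find_unsafe_entries(zip_bytes: bytes) -> list:
    """Return (name, reason) pairs for every entry an importer should reject."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if is_symlink_entry(info):
                # The body of a symlink entry is its target path, not file content.
                target = zf.read(info).decode(errors="replace")
                findings.append((info.filename, f"symlink -> {target}"))
            elif is_unsafe_path(info.filename):
                findings.append((info.filename, "path traversal"))
    return findings

def build_sample_archive() -> bytes:
    """Constructed sample import: a normal file, a symlink to /etc/passwd, a traversal name."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("content/images/logo.png", b"\x89PNG sample")
        link = zipfile.ZipInfo("content/images/passwd.png")
        link.external_attr = (stat.S_IFLNK | 0o777) << 16  # Unix symlink mode
        zf.writestr(link, "/etc/passwd")
        zf.writestr("../../outside.txt", b"escapes the import directory")
    return buf.getvalue()

if __name__ == "__main__":
    for name, reason in find_unsafe_entries(build_sample_archive()):
        print(f"REJECT {name}: {reason}")
```

The same mode-bit check applies to tar archives via TarInfo.issym(); a patched Ghost (5.59.1 or later) performs equivalent filtering server-side.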

We need to download the exploit script onto our attacking machine in order to gain access to the target.

The command ./CVE-2023-40028 -u <username> -p <password> -h <host_url> is used to execute a security testing tool from the current directory, specifically designed to check for the vulnerability identified as CVE-2023-40028. This command requires authentication details, such as a username and password, along with the target host’s URL or IP address.

If the tool can successfully read the /etc/passwd file, it is a strong indication that the target system is vulnerable to the local file disclosure (LFD) issue tracked as CVE-2023-40028. The /etc/passwd file is a standard component of Unix-like operating systems and contains user account information. Although it does not store password hashes (which are typically located in /etc/shadow), unauthorised access to this file signifies a serious security problem. Such access may allow an attacker to enumerate valid system users and potentially leverage this information to escalate privileges or retrieve more sensitive files, such as credential configurations or password hashes.

If the tool can read /var/lib/ghost/config.production.json, that is a serious red flag. This file holds the key configuration details for a Ghost CMS deployment: database credentials, mail server settings, and API keys. In the wrong hands, that information can be used to take control of the site, access the database directly, or move laterally within the environment. It is not a harmless config file; it is a potential blueprint for full compromise. If this level of access is possible, CVE-2023-40028 amounts to an arbitrary file read, which turns a minor bug into a high-impact vulnerability.

Gaining User Access

Exploiting a known vulnerability in Ghost CMS (CVE-2023-40028), I gained access to sensitive system files, revealing credentials for the user “bob.”

I tried to access ~/.ssh/id_rsa but failed; it looks like the permissions are doing their job, or the exploit does not run with the right context or privileges to reach user-level SSH keys. That is a relief to some extent, since access to that private key would have meant potential lateral movement or full SSH access elsewhere. Still, the fact that other sensitive files like /etc/passwd and config.production.json are readable means the vulnerability is very real and still poses a serious risk. Just because id_rsa is out of reach does not make this a low-severity issue.

With these, I logged into the system via SSH, navigated to the user’s home directory, and retrieved the user flag.

Escalate to Root Privileges Access on the LinkVortex machine

Privilege Escalation:

First, we need to locate the SUID script clean_symlink.sh.

Root Shell Access

For privilege escalation, I examined the sudo configuration and discovered a misconfiguration tied to the CHECK_CONTENT environment variable. By manipulating this variable, I crafted a malicious command in a file and executed a script, clean_symlink.sh, which had SUID permissions.

Begin listening for incoming connections.

Although my initial attempt at establishing a reverse shell failed, I adjusted my approach.

By exploiting the misconfiguration further, I gained a root shell and accessed the root flag located in /root/root.txt.

Alternative Escalation Path

Alternatively, I found that directly executing a specific command allowed me to read the root flag without needing a reverse shell, providing another path to complete the challenge.