LinkVortex HTB - Writeup

originally written: 2024-12-12

hello, here is an active box. i don't know when i'll publish this because i don't keep track of when they expire, but this is more for my personal reference anyway

here we have the main page. if you look and enumerate this site a bit, you'll find there's nothing really of interest EXCEPT that if you take a look at wappalyzer it'll tell you the version of ghost this site uses, which has a known exploit - it's authenticated though, so just keep this in mind for later

enumerate the IP more and you'll find a subdomain called dev (OOPS, you can see the discussion in the background of the screenshot, everyone needs a lil nudge hehe)

in this, you'll find the git repo of the website

just git-dump everything, because you'll see from the HEAD that there's a previous commit worth looking at

mkdir git-dumper
cd git-dumper                 # the venv should live inside the new directory, not in cwd
python3 -m venv .
source bin/activate
pip install git-dumper
git-dumper http://DEV_HOST/.git/ ./site   # DEV_HOST is a placeholder for the dev subdomain; ./site receives the dumped repo

then check out the HEAD commit

then, check the js file out:

you'll see a password! now we can use the authenticated arbitrary file read (AFR) exploit for ghost

the repo (if i remember correctly) has a Dockerfile which contains the path to a config file that you can read using this exploit

then, use these creds to ssh in

first thing of note, sudo -l shows you a script you're allowed to run with sudo

the script basically checks whether the png file you hand it is a symlink, prints its content (to show what's being removed) and then cleans it up

it does not, however, check whether the symlink itself points to another symlink

after this, you should have the root flag
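to make the flaw in the cleanup script concrete, here is an added example (my own code, not the script from the box) putting a one-hop symlink check next to one that canonicalises the whole link chain with readlink -f before deciding. the protected directory, the file names and the "clean" step (a verdict instead of a delete) are all assumed.

```shell
# Weak check: inspects only the immediate link target, so a link that points
# at another link leading into the protected dir is waved through.
weak_check() {
  f="$1"; deny="$2"
  if [ -L "$f" ]; then
    target=$(readlink "$f")
    case "$target" in
      "$deny"/*) echo blocked; return 0 ;;
    esac
  fi
  echo allowed
}

# Hardened check: readlink -f follows every hop and normalises both paths,
# so the verdict reflects where the file really ends up.
strong_check() {
  f="$1"
  deny=$(readlink -f "$2") || { echo blocked; return 0; }
  resolved=$(readlink -f "$f") || { echo blocked; return 0; }
  case "$resolved" in
    "$deny"|"$deny"/*) echo blocked ;;
    *) echo allowed ;;
  esac
}

# Constructed fixture: a protected dir holding "flag", a direct link to it
# and a two-hop link (indirect.png -> hop -> secret/flag). Prints the work dir.
setup_fixture() {
  work=$(mktemp -d)
  mkdir "$work/secret"
  echo "constructed-flag" > "$work/secret/flag"
  ln -s "$work/secret/flag" "$work/direct.png"
  ln -s "$work/secret/flag" "$work/hop"
  ln -s "$work/hop" "$work/indirect.png"
  echo "$work"
}

# Stand-alone demo: the weak check misses the two-hop link, the strong one does not.
demo_dir=$(setup_fixture)
for p in direct.png indirect.png; do
  echo "$p: weak=$(weak_check "$demo_dir/$p" "$demo_dir/secret")" \
       "strong=$(strong_check "$demo_dir/$p" "$demo_dir/secret")"
done
rm -rf "$demo_dir"
```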