Hack The Box: LinkVortex

An easy-rated penetration test focused on modern web application weaknesses, including exposed Git repositories, CMS exploitation, and privilege escalation through insecure file handling.

Category: Security Lab
Stack: Nmap, Dirsearch, FFUF, Git-Dumper, Ghost CMS, Bash, SSH
Date: Feb 3, 2025

The Challenge

The LinkVortex machine simulated a modern web application environment with multiple layers of exposure rather than a single obvious vulnerability.

The challenge required careful enumeration of subdomains, source control artifacts, and application configuration to uncover chained weaknesses that led to full system compromise.

My Approach

I began with standard network enumeration to identify accessible services before shifting focus to content discovery and subdomain enumeration.

Rather than targeting the main domain exclusively, I expanded the attack surface by identifying development infrastructure that exposed sensitive internal files.

Each discovery informed the next step, allowing me to pivot from web access to local user compromise and finally to root access.

Build Process

Performed TCP enumeration to identify SSH and HTTP services

Enumerated directories and files on the primary domain to identify access controls

Discovered a development subdomain using FFUF and host header fuzzing

Identified an exposed .git directory and dumped the repository using Git-Dumper

Extracted hardcoded Ghost CMS credentials from the source history

Authenticated to the Ghost CMS administrative dashboard

Exploited CVE-2023-40028 to achieve arbitrary file read

Analyzed Docker configuration files to locate additional credential material

Used recovered credentials to establish SSH access as a local user

Security Focus

This machine highlighted the risks of exposing version control metadata in production environments.

Hardcoded credentials and sensitive configuration files within repositories can compromise entire systems even without direct remote code execution.

CMS vulnerabilities combined with weak operational security practices significantly increase blast radius.

Privilege escalation was made possible by insecure file handling and overly permissive sudo configurations.
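
A cleanup routine that runs with elevated permissions should judge a symbolic link by where it finally resolves, not by the link itself. The sketch below is an added example, not the script from the lab or code from this write-up; the function names and the directory layout are hypothetical and constructed for the demonstration.

```shell
#!/usr/bin/env bash
# Added example: helper names and paths are hypothetical, not the lab's script.

# is_safe_target BASE PATH
# Returns 0 only if PATH, after every symlink in the chain is resolved,
# is a regular file located inside BASE.
is_safe_target() {
    local base=$1 path=$2 real_base real_path
    # Canonicalise both sides so link text and ".." segments cannot mislead.
    real_base=$(readlink -f -- "$base") || return 1
    real_path=$(readlink -f -- "$path") || return 1
    # The resolved file must live under the resolved base directory.
    case "$real_path" in
        "$real_base"/*) ;;
        *) return 1 ;;
    esac
    # Only an existing plain file is an acceptable final target.
    [ -f "$real_path" ]
}

# demo: builds a constructed directory tree and reports each verdict.
demo() {
    local work name out=""
    work=$(mktemp -d)
    mkdir -p "$work/allowed" "$work/private"
    echo "public" > "$work/allowed/report.txt"
    echo "secret" > "$work/private/key.txt"
    ln -s "$work/allowed/report.txt" "$work/allowed/ok"        # stays inside
    ln -s "$work/private/key.txt"    "$work/allowed/direct"    # leaves BASE
    ln -s "$work/allowed/direct"     "$work/allowed/chain"     # leaves via 2 hops
    ln -s "$work/missing"            "$work/allowed/dangling"  # no target
    for name in ok direct chain dangling; do
        if is_safe_target "$work/allowed" "$work/allowed/$name"; then
            out="$out$name=allow "
        else
            out="$out$name=deny "
        fi
    done
    rm -rf "$work"
    printf '%s\n' "${out% }"
}

demo
```

Pairing a check like this with a sudoers entry that does not let the caller control the script's environment or arguments beyond the file path keeps the elevated step narrow.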

Results

Achieved initial access through chained web enumeration and source code analysis.

Escalated privileges by abusing a misconfigured cleanup script that processed symbolic links with elevated permissions.

Successfully captured both user and root flags.

Reinforced best practices around repository hygiene, CMS hardening, and privilege separation.

Want to dig into the code?

This project is fully documented on GitHub, including notes, commits, and future ideas.