gitea.ghost.htb
As suggested by the intranet, a Gitea instance is running on the gitea.ghost.htb virtual host (sub-domain), on the same port, 8008.
As mentioned in the /news endpoint of the intranet, domain authentication is disabled and only the gitea_temp_principal account can access the Gitea instance.
Attempting to authenticate with the mined password for the gitea_temp_principal account.
Successfully authenticated.
There are 2 repositories:
blog
Checking the blog repo reveals the following:
- The target Ghost CMS instance is running in a Docker container, which explains why the initial recon showed Ubuntu
- There is a scanning feature in the intranet application that is intended to scan posts on the blog application. It is locked behind an API key, which is stored in the environment variable DEV_INTRANET_KEY
- A modification has been implemented in the target Ghost CMS instance: posts-public.js
a5af628828958c976a3b6cc81a is an API key for the public API in the target Ghost CMS
Dockerfile
Checking the Dockerfile.
- Interestingly, there is what appears to be another API key, 659cdeec9cd6330001baefbf, stored at /var/lib/ghost/extra/important. Nothing is confirmed for now
- The modified posts-public.js file is copied over to the instance
docker-compose.yml
The DEV_INTRANET_KEY attribute pulls its value from the environment variable.
This must be for the scanning feature in the intranet application.
posts-public.js
Checking the modified posts-public.js file reveals a critical LFI (local file inclusion) vulnerability.
intranet
The intranet application exposes a dev API endpoint at http://intranet.ghost.htb/api-dev.
This must be relevant to the scanning feature mentioned in the blog repository.
Backend/api/dev
In the backend API, dev.rs and the /dev directory appear to be the most relevant to this scanning feature.
dev.rs
The dev.rs file reveals that the backend reads a header, X-DEV-INTRANET-KEY, and matches it against the environment variable DEV_INTRANET_KEY.
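The header-to-environment-variable check in dev.rs is the one gate in front of the scanning feature, so it is worth seeing what a hardened version of it looks like. The following is an added example, not the box's own dev.rs: it fails closed when DEV_INTRANET_KEY is unset or empty (so an empty header can never match an empty configuration) and compares the two values in constant time. The type and function names are assumptions, and the key values are constructed.

```rust
// Added example (not the box's dev.rs): a hardened check of the
// X-DEV-INTRANET-KEY header against the DEV_INTRANET_KEY environment variable.
use std::env;

/// Outcome of the dev-API key check; the caller maps anything but Ok to a 401/403.
#[derive(Debug, PartialEq)]
pub enum KeyCheck {
    NotConfigured, // DEV_INTRANET_KEY unset or empty: fail closed, never "match empty"
    Missing,       // header absent from the request
    Mismatch,      // header present but does not equal the configured key
    Ok,
}

/// Byte comparison whose running time does not depend on where the first
/// differing byte is, so a wrong key cannot be refined byte by byte from timing.
fn constant_time_eq(a: &[u8], b: &[u8]) -> bool {
    // Fold the length difference in rather than returning early on it.
    let mut diff: usize = a.len() ^ b.len();
    for i in 0..b.len() {
        let x = a.get(i).copied().unwrap_or(0);
        diff |= (x ^ b[i]) as usize;
    }
    diff == 0
}

/// Pure check: `header` is the X-DEV-INTRANET-KEY value (if sent),
/// `expected` is the DEV_INTRANET_KEY value (if configured).
pub fn check_dev_key(header: Option<&str>, expected: Option<&str>) -> KeyCheck {
    let expected = match expected {
        Some(e) if !e.is_empty() => e,
        _ => return KeyCheck::NotConfigured,
    };
    let header = match header {
        Some(h) => h,
        None => return KeyCheck::Missing,
    };
    if constant_time_eq(header.as_bytes(), expected.as_bytes()) {
        KeyCheck::Ok
    } else {
        KeyCheck::Mismatch
    }
}

/// Same check wired to the process environment, as the backend does it.
pub fn check_dev_key_from_env(header: Option<&str>) -> KeyCheck {
    let expected = env::var("DEV_INTRANET_KEY").ok();
    check_dev_key(header, expected.as_deref())
}

fn main() {
    let key = "constructed-key-value"; // constructed, not the box's real key
    println!("{:?}", check_dev_key(Some(key), Some(key)));   // Ok
    println!("{:?}", check_dev_key(Some("wrong"), Some(key))); // Mismatch
    println!("{:?}", check_dev_key(None, Some(key)));        // Missing
    println!("{:?}", check_dev_key(Some(""), Some("")));     // NotConfigured
}
```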
dev/scan.rs
The dev/scan.rs file contains the scanning feature, which has an RCE vulnerability.