This is an automated privilege escalation script for the Hack The Box machine LinkVortex, which exploits an insecure sudo configuration and symbolic link processing vulnerability. Full write Up -> WriteUp.md
The target machine allows the user bob to run a script as root via sudo, which processes .png files and optionally displays their contents if a specific environment variable is set. By chaining symbolic links, it's possible to read sensitive files such as /root/.ssh/id_rsa.
This script automates the full escalation path:
- Connects to the machine as
bobvia SSH - Creates a symlink chain to the root user's private SSH key
- Executes the vulnerable script with the proper environment variable
- Parses and saves the extracted private key
- Connects as
rootusingparamiko - Drops an interactive root shell
- Python 3.x
- paramiko>=2.11.0
- HTB VPN connection active
- Known password for ssh user
bob
python3 autopwn_root.py --target 10.10.11.47 \
--user bob \
--password 'fibber-talented-worth' \--target
IP address or hostname of the target machine.
Example:--target 10.10.11.47--user
SSH username to connect as.
Example:--user bob--password
Password for the SSH user.
Example:--password 'fibber-talented-worth'
--script-path
Full path to the vulnerable script on the target system.
Default:/opt/ghost/clean_symlink.sh
Example:--script-path /custom/path/to/clean_symlink.sh--key-out
Output filename for the extracted private key.
Default:id_rsa_root
Example:--key-out my_root_key.pem
โ๏ธ Initial SSH connection as bob
โ๏ธ Creation of a double symlink (id_rsa.txt โ /root/.ssh/id_rsa โ id_rsa.png)
โ๏ธ Execution of the script using sudo CHECK_CONTENT=true ...
โ๏ธ Output parsing to extract the private key
โ๏ธ Saving the key as id_rsa_root
โ๏ธ New SSH connection as root
โ๏ธ Interactive root shell using paramiko.invoke_shell()