#### HTB-Facts

First, I always scan all the ports of the machine:

![image](https://hackmd.io/_uploads/ByIIfFvnWg.png)

I use nmap to identify which service is running on each open port:

![image](https://hackmd.io/_uploads/HkxwmKw2Zg.png)

I need to set up DNS resolution by adding `10.129.213.90 facts.htb` to `/etc/hosts`:

![image](https://hackmd.io/_uploads/r1IgEKD2-g.png)

Checking http://facts.htb shows a trivia website; however, there is nothing interesting here.

![image](https://hackmd.io/_uploads/SyFNEFv3bx.png)

I use gobuster to enumerate paths and find `/admin`:

![image](https://hackmd.io/_uploads/rJjhBYwn-l.png)

Checking the login page, I can register for an account, so I created an account with the following credentials:

![image](https://hackmd.io/_uploads/HJKWItPn-g.png)

```
taolatan
123456789
```

![image](https://hackmd.io/_uploads/SJTVIKwhbl.png)

Looking at the CMS panel, it's hosting Camaleon CMS v2.9.0:

![image](https://hackmd.io/_uploads/HJd8LFw2Zl.png)

Camaleon CMS v2.9.0 is quite outdated, and it's vulnerable to CVE-2025-2304. The vulnerable code uses `params.require(:user).permit!`, which accepts all user-supplied parameters without validation:

```ruby
def updated_ajax
  user_params = params.require(:user).permit! # DANGEROUS: permits every submitted key, role included
  current_user.update(user_params)
end
```

Attack vector:

* Authenticate as a low-privileged user (e.g., "client" role)
* Send a crafted POST request to `/admin/users/{id}/updated_ajax`
* Inject a `user[role]=admin` parameter
* The user's role escalates to administrator

This CVE is a post-auth privilege escalation and AWS credential leak, which we can exploit using this [POC](https://github.com/Alien0ne/CVE-2025-2304):

![image](https://hackmd.io/_uploads/SyBQi9v3-g.png)

```
s3 access key: AKIA97F932B9D48C05F2
s3 secret key: sLLdgk55MHOVh1OrPzvHe1rsWvjO2tmksuFrG3FJ
s3 endpoint: http://localhost:54321
```

I use `aws configure` to set up AWS authentication:

![image](https://hackmd.io/_uploads/HyIeeow3Zg.png)

I use `aws --endpoint-url http://facts.htb:54321 s3 ls` to list all the buckets:

![image](https://hackmd.io/_uploads/S1xMgoD2-e.png)

![image](https://hackmd.io/_uploads/BkTpQsP2be.png)

Listing the S3 bucket `internal` shows an SSH private key, which I can use to log in via SSH.

![image](https://hackmd.io/_uploads/BJIngjD3Zg.png)

![image](https://hackmd.io/_uploads/BJMlZjPh-e.png)

I need to crack the private key to get its passphrase: `dragonballz`

![image](https://hackmd.io/_uploads/rkyCDiDhZl.png)

Now I need to find out which user I can SSH in as. After some research I found that Camaleon CMS v2.9.0 has another vulnerability, [CVE-2024-46987](https://github.com/Goultarde/CVE-2024-46987), which lets me read `/etc/passwd` to get usernames. I created another account because the previous one didn't work.

![image](https://hackmd.io/_uploads/B1z-FiwnWe.png)

Here we have two users: trivia and william. I tried the user trivia first and it worked.

![image](https://hackmd.io/_uploads/B1ZcYownbg.png)

However, the user flag is not in the trivia home folder. Checking the /home directory for users, we can see william, so we retrieved the flag from that directory.
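The mass-assignment bug behind CVE-2025-2304 described above, modelled in plain Ruby as an added example (not code from this post or from Camaleon CMS): `User`, `Params` and `SAMPLE_REQUEST` are constructed stand-ins for ActiveRecord, ActionController::Parameters and the POST body, and `hardened_update` shows the explicit allow-list that stops `role` from being set through the self-service endpoint.

```ruby
# Added example (not Camaleon CMS code, no Rails needed): User, Params and
# SAMPLE_REQUEST are constructed stand-ins for ActiveRecord,
# ActionController::Parameters and the POST body behind CVE-2025-2304.
# Minimal stand-in for a persisted user record.
class User
  attr_accessor :username, :email, :role
  def initialize(username:, email:, role:)
    @username, @email, @role = username, email, role
  end
  # Assign every key in attrs, the way ActiveRecord#update does.
  def update(attrs)
    attrs.each { |k, v| public_send("#{k}=", v) }
    self
  end
end

# Stand-in for ActionController::Parameters with only the calls that matter.
class Params
  def initialize(hash)
    @hash = hash
  end
  def require(key)
    Params.new(@hash.fetch(key.to_s))
  end
  # permit! marks every submitted key as permitted: the bug on the page.
  def permit!
    @hash.dup
  end
  # permit(*keys) keeps only an explicit allow-list and drops the rest.
  def permit(*keys)
    allowed = keys.map(&:to_s)
    @hash.select { |k, _| allowed.include?(k) }
  end
end

# Constructed sample body a logged-in "client" could send to updated_ajax;
# the role key is the one the server must never honour from this endpoint.
SAMPLE_REQUEST = { 'user' => { 'email' => 'c@example.test', 'role' => 'admin' } }.freeze
# Shape of the vulnerable action: any key, role included, reaches update.
def vulnerable_update(user, raw)
  user.update(Params.new(raw).require(:user).permit!)
end

# Hardened action: role is not on the allow-list, so it is dropped; role
# changes belong in a separate admin-only action with its own authorisation.
SELF_SERVICE_FIELDS = %i[username email].freeze
def hardened_update(user, raw)
  user.update(Params.new(raw).require(:user).permit(*SELF_SERVICE_FIELDS))
end
```

Running `vulnerable_update` against `SAMPLE_REQUEST` leaves the record with role `admin`, while `hardened_update` updates the email and keeps role `client`.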
![image](https://hackmd.io/_uploads/BJtJciPn-g.png)

Checking the privileges of trivia, we found an interesting program, `/usr/bin/facter`:

![image](https://hackmd.io/_uploads/HkLPqsDnbg.png)

![image](https://hackmd.io/_uploads/ryKWosDhZl.png)

In [gtfobins](https://gtfobins.org/gtfobins/facter/), we found that it's a program that lists facts about the system, written in Ruby. We can abuse this by creating a malicious Ruby script and loading it with facter.

![image](https://hackmd.io/_uploads/SkoTooP3-x.png)

![image](https://hackmd.io/_uploads/S1yr3sw2Wl.png)