
Task: HackTheBox Facts machine — Camaleon CMS 2.9.0 on Ruby on Rails with Linux privilege escalation. Solution: Exploited two CVEs for CMS privilege escalation and arbitrary file read, cracked encrypted SSH key, then abused sudo permissions on facter utility for root access.


Facts - HackTheBox

Challenge Information

Platform: HackTheBox
Name: Facts
Category: Web / Linux Privilege Escalation
Difficulty: Medium
Target: 10.129.22.178 (facts.htb)

Description

A HackTheBox machine featuring Camaleon CMS running on Ruby on Rails. The attack chain involves exploiting two CVEs in the CMS for privilege escalation and arbitrary file read, cracking an encrypted SSH key, and finally abusing sudo permissions on the facter utility for root access.

Reconnaissance

Port Scanning

nmap -sC -sV 10.129.22.178

Open Ports:

  • 22/tcp - SSH (OpenSSH 9.9p1)
  • 53/tcp - DNS
  • 80/tcp - HTTP (nginx 1.26.3)

Web Application Analysis

The web server hosts Camaleon CMS 2.9.0 running on Ruby on Rails 8.0.2.

Key endpoints discovered:

  • /admin/login - Admin login page
  • /admin/register - User registration (with captcha)
  • /admin/users/{id}/updated_ajax - User update endpoint

User Enumeration

Users discovered on the system:

  • trivia - Regular user with SSH access
  • william - User with user.txt flag
  • root - System administrator

Phase 1: Initial Access - Camaleon CMS Admin

User Registration

First, a new user account was registered via the /admin/register endpoint, which required solving a captcha challenge.

CVE-2025-2304: Mass Assignment Privilege Escalation

Camaleon CMS 2.9.0 is vulnerable to mass assignment in the user update functionality: the update handler accepts the role attribute from the request body, so a regular user who adds user[role]=admin to their own profile update escalates their privileges to administrator.

Vulnerable Endpoint: /admin/users/{id}/updated_ajax

curl -X POST "http://facts.htb/admin/users/3/updated_ajax" \
  -H "Cookie: _camaleon_cms_session=..." \
  -d "user[role]=admin&user[first_name]=Test&user[last_name]=User"

Result: User account elevated to CMS administrator.
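To make the mass-assignment defect concrete from the defender's side, here is an added example in plain Ruby (not Camaleon CMS or Rails code; the user record, the parsed request hash and the PROFILE_FIELDS allow-list are constructed) contrasting an unrestricted attribute merge with an allow-listed update that mirrors the Rails strong-parameters pattern:

```ruby
# Added example (not Camaleon CMS code): how an unrestricted mass assignment
# lets a request body set `user[role]`, and how an allow-list stops it.
# Mirrors the Rails strong-parameters idea in plain Ruby so it runs stand-alone.

# Constructed sample: a regular user record as the application might hold it.
def sample_user
  { 'id' => 3, 'first_name' => 'Alice', 'last_name' => 'Smith', 'role' => 'client' }
end

# Constructed request body, as Rails would parse the form data from the writeup:
# user[role]=admin&user[first_name]=Test&user[last_name]=User
def sample_params
  { 'user' => { 'role' => 'admin', 'first_name' => 'Test', 'last_name' => 'User' } }
end

# Vulnerable pattern: every submitted attribute is copied onto the record,
# so a self-service profile update can also change the privilege level.
def update_user_unsafe(user, params)
  user.merge(params['user'])
end

# Hardened pattern: only attributes the current actor may edit are accepted.
# Role changes belong on a separate, admin-only code path (not shown here).
PROFILE_FIELDS = %w[first_name last_name].freeze

def permitted_profile_params(params, allowed = PROFILE_FIELDS)
  submitted = params.fetch('user', {})
  rejected  = submitted.keys - allowed
  [submitted.slice(*allowed), rejected]
end

def update_user_safe(user, params)
  permitted, rejected = permitted_profile_params(params)
  # Unpermitted keys are worth logging: a privilege field arriving on a
  # profile-update endpoint is the signal a detection rule would look for.
  warn "unpermitted parameters: #{rejected.join(', ')}" unless rejected.empty?
  user.merge(permitted)
end

if __FILE__ == $PROGRAM_NAME
  puts "unsafe: #{update_user_unsafe(sample_user, sample_params)['role']}"  # admin
  puts "safe:   #{update_user_safe(sample_user, sample_params)['role']}"    # client
end
```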

Phase 2: Arbitrary File Read via Path Traversal

CVE-2024-46987: Path Traversal in File Download

...
