# HTB Machines :: Facts Writeup

## Reconnaissance
We begin by adding the target to `/etc/hosts` for name resolution and running an *nmap* scan to enumerate the open ports.
### Network Scan
The initial `nmap` scan shows that ports 80, 1433, and 5985 are open, indicating that the machine is hosting a web server and a Microsoft SQL database.

## Enumeration
### Website Enumeration
Checking `http://facts.htb` shows a trivia website; however, there is nothing interesting here.

### Subdomain Enumeration
Using *gobuster*, we enumerated the subdomain and got a few hits, most notably `/admin`.

Checking the login page, we can register for an account, so we created a dummy account with the following credentials:
```
johnr : johnr123
```
Looking at the CMS panel, we can see that it's running Camaleon CMS v2.9.0.

## Exploitation
Camaleon CMS v2.9.0 is quite outdated and is vulnerable to CVE-2025-2304.
### CVE-2025-2304

This CVE is a post-authentication privilege escalation and AWS credential leak, which we can exploit using this [script](https://github.com/Alien0ne/CVE-2025-2304).

Listing the S3 bucket reveals an SSH private key, which we can use to log in via SSH.

## Privilege Escalation (User)

Checking the key shows that it's encrypted, so we first have to crack its passphrase using ssh2john and hashcat, which gives us: `dragonballz`.

And we're in. However, the user flag is not in the `trivia` folder. Checking the `/home` directory for users, we can see `william`, so we retrieved the flag from that directory.

```
User Flag : 17279e4c5b001d5072fbf5c0d5cee4f7
```
## Privilege Escalation (Root)
Checking the privileges of `trivia`, we found an interesting program called `/usr/bin/facter`.

After researching a bit, we found that it's a program that lists facts about the system, written in Ruby. We can abuse this by creating a malicious Ruby script and loading it through facter.

And we gain root access.

```
Root Flag : 0201aac03c786e1a6740458ee8819116
```