Facts - HackTheBox Detailed Walkthrough
Machine Information
| Property | Value |
|---|---|
| Machine Name | Facts |
| Difficulty | Easy |
| Operating System | Linux (Ubuntu 25.04) |
| Release Date | Season 10 |
| Skills Required | Web Enumeration, API Testing |
| Skills Learned | IDOR Exploitation, S3/MinIO Enumeration, Facter Abuse |
Executive Summary
Facts is an Easy-rated Linux machine featuring a Ruby on Rails CMS called Camaleon. The attack path involves exploiting an Insecure Direct Object Reference (IDOR) vulnerability to escalate privileges within the CMS, extracting cloud storage credentials, recovering an SSH private key from a misconfigured MinIO bucket, and finally abusing sudo permissions on the Facter system profiling tool to achieve root access.
Enumeration
Network Scanning
We begin with a comprehensive port scan to identify running services:
```bash
# Quick scan for common ports
nmap -sC -sV -oN nmap/initial $IP
# Full TCP port scan
nmap -p- --min-rate=1000 -oN nmap/allports $IP
```
Open Ports Discovered
| Port | State | Service | Version | Notes |
|---|---|---|---|---|
| 22 | open | SSH | OpenSSH 9.9p1 Ubuntu | Standard SSH access |
| 80 | open | HTTP | nginx 1.26.3 | Redirects to facts.htb |
| 54321 | open | HTTP | MinIO | S3-compatible object storage |
The scan reveals three open ports. Port 80 redirects to a hostname, indicating virtual hosting is in use. Port 54321 is particularly interesting as it's running MinIO, an S3-compatible object storage server.
DNS Configuration
Before proceeding with web enumeration, we need to add the hostname to our hosts file:
```bash
echo "$IP facts.htb" | sudo tee -a /etc/hosts
```
Web Enumeration (Port 80)
Initial Inspection
Visiting http://facts.htb/ reveals a trivia/facts website. Let's gather more information:
```bash
# Technology fingerprinting
whatweb http://facts.htb
# Check HTTP headers
curl -I http://facts.htb
```
Directory Enumeration
```bash
gobuster dir -u http://facts.htb \
  -w /usr/share/seclists/Discovery/Web-Content/raft-medium-directories.txt \
  -t 50 -o web/gobuster.txt
```
Notable findings:
- /admin - Admin login panel
- /assets - Static assets
- /randomfacts - Image storage (served from MinIO)
CMS Identification
Examining the page source and admin panel reveals:
- CMS: Camaleon CMS v2.9.0
- Framework: Ruby on Rails
- Admin Panel: http://facts.htb/admin/login
Camaleon CMS is an open-source content management system built with Ruby on Rails. The version number (2.9.0) is important for vulnerability research.
MinIO Enumeration (Port 54321)
MinIO is an S3-compatible object storage server. Initial access attempt:
```bash
curl -s http://$IP:54321/
```
Returns an AccessDenied error, indicating authentication is required. We'll need valid credentials to enumerate further.
Vulnerability Analysis
Researching Known Vulnerabilities
```bash
searchsploit camaleon
```
Results show:
- Camaleon CMS 2.4 - Cross-Site Scripting
- Camaleon CMS v2.7.0 - Server-Side Template Injection (CVE-2023-30145)
The SSTI vulnerability (CVE-2023-30145) affects versions below 2.7.0, but testing reveals it's patched in version 2.9.0. However, during manual testing of the application, we discover an unpatched IDOR vulnerability.
Identifying the IDOR Vulnerability
After registering an account at /admin/register, we analyze the application's API endpoints. The user profile update functionality exposes an IDOR vulnerability that allows any authenticated user to modify other users' attributes, including their role.
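To make the bug class concrete from a defender's side, here is an added Ruby illustration (not Camaleon's own code) of a Rails-style profile-update action in its IDOR-prone form and in a hardened form; the user table, ids and field names are constructed for the example.

```ruby
# Added illustration, not Camaleon's code: a minimal model of a Rails-style
# profile-update action in its IDOR-prone form and in a hardened form.

User = Struct.new(:id, :name, :role)

# Constructed sample user table (ids and names are hypothetical).
def sample_users
  {
    1 => User.new(1, "admin", "admin"),
    2 => User.new(2, "alice", "client"),
  }
end

# Vulnerable pattern: the record is chosen from the request (params["id"]),
# current_user is never consulted, and every submitted field, role included,
# is written without an ownership check.
def update_profile_vulnerable(current_user, params, users)
  target = users.fetch(params["id"].to_i)
  params.fetch("user", {}).each { |field, value| target[field.to_sym] = value }
  target
end

# Fields a user may change on their own profile; role is deliberately absent.
PROFILE_FIELDS = %w[name].freeze

# Hardened pattern: the record is always the caller's own, and only allow-listed
# fields are written. Returns the record plus the dropped fields, which are worth
# logging: a client submitting "role" or a foreign id is a detection signal.
def update_profile_secure(current_user, params, users)
  target    = users.fetch(current_user.id)          # client-supplied id is ignored
  submitted = params.fetch("user", {})
  submitted.slice(*PROFILE_FIELDS).each { |field, value| target[field.to_sym] = value }
  rejected = submitted.keys - PROFILE_FIELDS
  rejected << "id" if params.key?("id") && params["id"].to_i != current_user.id
  [target, rejected]
end
```

The fix is the same one Rails strong parameters encourage: scope the lookup to the authenticated principal and keep privileged attributes such as role off the permitted list entirely.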