https://phucrio.me/tags/ruby/Recent content in Ruby on Rio BlogHugo -- 0.150.0enSun, 31 May 2026 17:38:09 -0400https://phucrio.me/posts/htb-facts-write-up/Sun, 31 May 2026 22:54:46 +0700https://phucrio.me/posts/htb-facts-write-up/<h2 id="summary">Summary</h2> <p>Facts is a Linux machine running Camaleon CMS behind nginx, with SSH exposed and a public MinIO/S3-style media service. Initial access comes from <strong>CVE-2024-46987</strong>, an authenticated Camaleon CMS path traversal / arbitrary file read. The file read is used to grab the user flag and an encrypted SSH private key for <code>trivia</code>. After cracking the SSH key passphrase, privilege escalation is straightforward because <code>trivia</code> can run <code>/usr/bin/facter</code> as root with <code>NOPASSWD</code>. Facter custom facts are Ruby files; loading one with <code>--custom-dir</code> executes Ruby code as root.</p>