Overview
Facts is a Medium-difficulty Linux machine featuring Camaleon CMS exploitation and creative privilege escalation. This machine teaches:
- CMS vulnerability research
- Mass assignment attacks
- AWS S3 credential exposure
- Ruby code injection via Facter
- SSH key-based lateral movement
Enumeration
Port Scanning
Standard web service ports plus SSH are exposed.
Key Services:
- SSH (22/tcp)
- HTTP (80/tcp) - Camaleon CMS
Web Application
The target hosts Camaleon CMS 2.9.0, an open-source content management system built on Ruby on Rails.
Initial Foothold
CVE Chain Overview
CVE-2025-2304 (Mass Assignment)
 ↓
Admin Panel Access
 ↓
S3 Credentials Leak
 ↓
SSH Access
Mass Assignment Vulnerability
Camaleon CMS 2.9.0 is vulnerable to mass assignment (CVE-2025-2304): attributes that the registration form never exposes can be added to the request body, and the server writes them into the new user record instead of discarding them. Because a privilege-bearing attribute is among them, this allows privilege escalation through ordinary user registration.
Exploitation Path:
- Register a normal user account
- Exploit mass assignment to elevate the account's privileges
- Access admin functionality
- Extract AWS S3 credentials from the admin panel
- Find SSH private keys in the S3 bucket and use them to log in
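The registration step above is the class of bug worth understanding in code. The following is an added example, not code from this writeup or from Camaleon CMS: a Rails-free simulation of a controller that hands the whole request body to the user model, beside the strong-parameters style whitelist that fixes it. The attribute name `role`, the field list and the request body are assumptions for illustration, not the actual Camaleon parameter names.

```ruby
# Added example (not the writeup's or Camaleon CMS's own code): mass
# assignment on user registration, vulnerable form next to the hardened one.
# Attribute names ("role", etc.) are illustrative assumptions.

# Toy user record: every attribute is writable, like an ActiveRecord model
# whose controller passes the raw params hash straight to new/update.
class User
  ATTRIBUTES = %i[username email password role].freeze
  attr_accessor(*ATTRIBUTES)

  def initialize(attrs = {})
    @role = 'client'                # default role for self-registration
    assign(attrs)
  end

  # Mass assignment: writes every key in attrs that names an attribute,
  # whether or not the registration form ever exposed it.
  def assign(attrs)
    attrs.each do |key, value|
      key = key.to_sym
      send("#{key}=", value) if ATTRIBUTES.include?(key)
    end
    self
  end
end

# Vulnerable registration: trusts the entire params hash.
def register_vulnerable(params)
  User.new(params)
end

# Hardened registration: mimic ActionController strong parameters
# (params.require(:user).permit(:username, :email, :password)) so that
# role can only ever be set by server-side code.
PERMITTED = %w[username email password].freeze

def permit(params, allowed)
  params.select { |k, _| allowed.include?(k.to_s) }
end

# Keys the client sent that were not permitted; worth logging or, as in
# Rails' action_on_unpermitted_parameters = :raise, rejecting outright.
def unpermitted_keys(params, allowed)
  params.keys.map(&:to_s) - allowed
end

def register_hardened(params)
  User.new(permit(params, PERMITTED))
end

# Constructed request body: the attacker appends a role field that the
# registration form never offered.
MALICIOUS_PARAMS = {
  'username' => 'eve',
  'email'    => 'eve@example.test',
  'password' => 'hunter2',
  'role'     => 'admin'
}.freeze

if __FILE__ == $PROGRAM_NAME
  puts "vulnerable: role=#{register_vulnerable(MALICIOUS_PARAMS).role}"
  puts "hardened:   role=#{register_hardened(MALICIOUS_PARAMS).role}"
  puts "dropped:    #{unpermitted_keys(MALICIOUS_PARAMS, PERMITTED).inspect}"
end
```

Run it with `ruby mass_assignment.rb`: the vulnerable path returns a user with `role=admin`, the hardened path returns `role=client`, and the dropped-key list is what a defender would alert on. The fix is a server-side whitelist of writable attributes per endpoint, never a blacklist of "dangerous" field names.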
Privilege Escalation
Key Concepts
- Ruby custom fact definitions for Facter (Facter.add with a setcode block)
- Facter configuration files and the directories they load custom facts from
- Service manipulation to trigger a privileged Facter run
- Code injection via configuration: any Ruby file Facter loads runs as the user running Facter
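The reason a Facter custom fact is a code-execution primitive is that Facter loads every `.rb` file in its custom-fact directories (set through the `FACTERLIB` environment variable, the `--custom-dir` option or the `custom-dir` setting in `facter.conf`) as ordinary Ruby, so whoever can write to such a directory runs code as whichever user next invokes Facter. The following added example is not the writeup's payload and not Facter's own source: it is a minimal stand-in for Facter's loader with the same `Facter.add`/`setcode` API shape, used to show that an injected fact file executes an arbitrary command when the fact is resolved. The temporary directory, the fact name `injected` and the marker file are assumptions for illustration.

```ruby
# Added example (not the original writeup's payload and not Facter's code):
# simulate Facter's custom-fact loader to show why write access to a
# custom-fact directory equals code execution as the user running facter.
# Directory, fact name and marker path are illustrative assumptions.

require 'tmpdir'
require 'fileutils'

# Minimal stand-in for the real Facter API (Facter.add / setcode / value).
# Real Facter loads each *.rb file in its custom directories with
# Kernel#load; the top level of those files is ordinary Ruby.
module MiniFacter
  class Resolution
    attr_reader :value

    # Stores the block that computes the fact; it runs on resolution.
    def setcode(&block)
      @value = block
    end
  end

  @facts = {}

  class << self
    attr_reader :facts

    def add(name, &block)
      res = Resolution.new
      res.instance_eval(&block)      # evaluates setcode { ... } in the fact
      @facts[name.to_sym] = res
    end

    # Resolves a fact: this is where the injected block actually executes.
    def value(name)
      @facts[name.to_sym]&.value&.call
    end

    # Same discovery rule as Facter: every .rb file in the directory.
    def load_custom_dir(dir)
      Dir.glob(File.join(dir, '*.rb')).sort.each { |f| load f }
      @facts.keys
    end

    def reset!
      @facts = {}
    end
  end
end

# The injected "fact": shaped like a legitimate custom fact, but its
# setcode block runs whatever Ruby the attacker wants. A real payload
# would, for example, copy a shell and set the SUID bit; here it just
# records the uid it ran under (single-quoted heredoc, so nothing is
# interpolated until the fact file itself is loaded).
INJECTED_FACT = <<~'RUBY'
  MiniFacter.add(:injected) do
    setcode do
      File.write(ENV.fetch('MARKER_PATH'), "ran as uid #{Process.uid}\n")
      'pwned'
    end
  end
RUBY

# Drop the fact into a writable custom-fact directory and let the loader
# pick it up, as a privileged facter run (cron, puppet agent, a service
# restart) would. Returns what the fact resolved to and what it wrote.
def demo_injection
  Dir.mktmpdir('facts') do |dir|
    marker = File.join(dir, 'marker.txt')
    ENV['MARKER_PATH'] = marker
    File.write(File.join(dir, 'zz_injected.rb'), INJECTED_FACT)
    MiniFacter.reset!
    MiniFacter.load_custom_dir(dir)
    value = MiniFacter.value(:injected)
    { value: value, marker: File.read(marker).strip }
  end
end

if __FILE__ == $PROGRAM_NAME
  p demo_injection
end
```

The defensive reading is the same as the offensive one: custom-fact directories and the configuration that names them must be writable only by the account that runs Facter, and a monitoring rule on new `.rb` files under those directories (or on changes to `FACTERLIB` in service unit files and cron environments) catches this technique before the privileged run happens.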
Root Flag Location: /root/root.txt
Key Takeaways
- Mass assignment is critical whenever a privilege-bearing attribute is writable; whitelist permitted parameters per endpoint on the server
- Cloud credential exposure is common, and a key found in a web application's admin panel or config grants the same access as the cloud account itself
- Configuration files often contain secrets, so bucket contents and config directories deserve the same scrutiny as the web root
- Ruby injection techniques are powerful: a Ruby file loaded by a privileged tool such as Facter runs with that tool's privileges
Tools Used
- aws-cli - S3 bucket access
- ssh - Remote access