Machine Synopsis
`Facts` is an easy-difficulty Linux machine that begins with the discovery of a Camaleon CMS instance. By identifying the CMS version and exploiting a mass-assignment vulnerability (CVE-2025-2304), it is possible to escalate privileges within the application and obtain access to sensitive MinIO S3 credentials. These credentials provide access to an internal bucket containing an encrypted SSH private key. After recovering the key's passphrase and identifying the associated user account, SSH access is obtained as `trivia`. Enumeration of sudo privileges reveals that the user can execute `facter` as root, which can be abused through custom Ruby facts to achieve arbitrary code execution and obtain root access.
Machine Matrix