Overview

This machine exposes a web application running Camaleon CMS. By chaining authenticated web access, a path traversal vulnerability, SSH key extraction, and a sudo misconfiguration, we escalate from an unauthenticated web user to full root access on the system.

The exploitation path follows a clean, linear progression where each step naturally enables the next:

Recon → Web Enumeration → Authenticated LFI → SSH Key Theft → Passphrase Crack → User Shell → Sudo Abuse → Root

1. Initial Reconnaissance

The engagement begins with external reconnaissance to identify exposed services. A full TCP port scan is performed to ensure no listening services are missed. Using a high scan rate provides rapid visibility while still maintaining accuracy.

Full Port Scan

sudo nmap -p- --min-rate 5000 -T4 10.129.21.166 -oN ports.nmap

Result Summary

PORT      STATE SERVICE
22/tcp    open  ssh
80/tcp    open  http
54321/tcp open  unknown

From this scan, three key attack surfaces are identified:

  • SSH (22) - Potential remote shell access if credentials can be obtained

  • HTTP (80) - A web application, often the most likely initial entry point

  • High Port (54321) - A non-standard service that warrants further inspection

At this stage, the web service becomes the primary focus due to its accessibility and likelihood of application-level vulnerabilities.
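As an added example (not part of the original writeup), a small Python parser for the ports.nmap file the scan above writes: it pulls the port lines out of nmap's normal (-oN) output, checks that the report accounts for the full 1-65535 range, and flags non-standard ports such as 54321 for follow-up; the report text embedded below is constructed to match the result summary.

```python
import re
from collections import namedtuple

# Constructed sample in the shape `nmap -oN ports.nmap` writes; the three
# port lines mirror the result summary above, the rest is filler.
SAMPLE_NMAP = """\
# Nmap 7.94 scan initiated (constructed sample)
Nmap scan report for 10.129.21.166
Host is up (0.045s latency).
Not shown: 65532 closed tcp ports (reset)
PORT      STATE SERVICE
22/tcp    open  ssh
80/tcp    open  http
54321/tcp open  unknown
# Nmap done (constructed sample)
"""

PORT_LINE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)")
NOT_SHOWN = re.compile(r"^Not shown:\s+(\d+)\s+")
Port = namedtuple("Port", "number proto state service")

def parse_nmap_normal(text):
    """Return every port line of a normal-format (-oN) report, in scan order."""
    matches = (PORT_LINE.match(line) for line in text.splitlines())
    return [Port(int(m[1]), m[2], m[3], m[4]) for m in matches if m]

def full_range_covered(text, ports, total=65535):
    """Sanity check for a -p- scan: listed ports plus the 'Not shown' count
    must add up to the whole range, otherwise the report is truncated."""
    for line in text.splitlines():
        m = NOT_SHOWN.match(line)
        if m:
            return int(m[1]) + len(ports) == total
    return False

def triage(ports):
    """Map each open port to a follow-up note: a well-known service, or a
    non-standard/unknown port that needs version detection (-sV) next."""
    return {
        p.number: ("non-standard port: run nmap -sV and inspect the banner"
                   if p.service == "unknown" or p.number >= 1024
                   else f"well-known service: {p.service}")
        for p in ports if p.state == "open"
    }
```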

2. Hostname Resolution

The HTTP service responds differently depending on the hostname provided. This behavior strongly suggests virtual host routing.

To ensure proper application behavior, the target IP is mapped to its corresponding domain locally.

echo "10.129.21.166 facts.htb" | sudo tee -a /etc/hosts

This guarantees that all subsequent web requests are processed under the expected domain context.

This machine is still active in HTB, so the full walkthrough, exploitation path, and flags cannot be publicly released.