HackTheBox - Facts

IppSec
Jun 6, 2026

Why It Matters

The case shows how common Rails scaffolding mistakes can expose mass-assignment vulnerabilities that cascade into full system and cloud credential compromise, underscoring the need for secure defaults and credential hygiene. It illustrates real attacker paths from web app weaknesses to infrastructure breach.

Summary

In the HackTheBox "Facts" walkthrough, the presenter analyzes a vulnerable open-source Rails app and leverages mass-assignment flaws to escalate from basic enumeration to admin access. Reconnaissance included nmap, Burp Suite and gobuster, with Rails-style cookies and a discovered /admin panel leading to account creation and version disclosure. Admin access revealed AWS access keys and an S3 bucket containing an SSH key, which was used to gain a shell; final root compromise was achieved via a known GTFOBins technique against a Puppet-related binary. The demo emphasizes finding the Rails mass-assignment vector naturally rather than following the CVE directly.
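As an added illustration of the Rails mass-assignment pattern the walkthrough exploits (example code written for this page, not Camaleon CMS or the video's own code), here is a minimal Ruby model with a password-reset handler that assigns every submitted attribute, beside a hardened one that allowlists only the password and reports the rejected keys for logging. The `User` class, the handler names and the sample request are constructed; the allowlist stands in for Rails strong parameters.

```ruby
# Constructed user record standing in for an ActiveRecord model.
class User
  attr_accessor :email, :password, :role

  def initialize(email:, password:, role: "user")
    @email, @password, @role = email, password, role
  end

  # Mirrors ActiveRecord's `update(attrs)` without strong parameters:
  # every key in the hash becomes a setter call on the model.
  def assign_attributes(attrs)
    attrs.each { |k, v| public_send("#{k}=", v) }
    self
  end
end

# Vulnerable handler: hands the whole request hash to the model, so an
# extra "role" field in the reset form lands on the record unchanged.
def reset_password_vulnerable(user, params)
  user.assign_attributes(params)
end

# Hardened handler: explicit allowlist, the equivalent of
# `params.require(:user).permit(:password)` in Rails strong parameters.
# Returns the rejected keys so the caller can log them as a detection signal.
def reset_password_safe(user, params, permitted: [:password])
  keys = params.keys.map(&:to_sym)
  rejected = keys - permitted
  safe = params.select { |k, _| permitted.include?(k.to_sym) }
  user.assign_attributes(safe)
  rejected
end

# Constructed request body: a legitimate new password plus an unexpected field.
REQUEST = { "password" => "N3w-Passw0rd!", "role" => "admin" }.freeze

if __FILE__ == $PROGRAM_NAME
  u = User.new(email: "alice@example.test", password: "old")
  reset_password_vulnerable(u, REQUEST)
  puts "vulnerable: role=#{u.role}"
  u = User.new(email: "alice@example.test", password: "old")
  rejected = reset_password_safe(u, REQUEST)
  puts "safe: role=#{u.role} rejected=#{rejected.inspect}"
end
```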

Original Description

00:00 - Introduction
00:55 - Start of nmap
02:30 - Discovering it is Camaleon CMS based upon the theme url
04:00 - Looking at the cookie to see it is likely a RAILS App
06:00 - Discovering /admin, enumerating valid usernames by how long a login takes
09:40 - Playing with Mass Assignment spots in the application, failing the first few
13:10 - Exploiting mass assignment from the password reset and setting role to admin
16:30 - Discovering AWS Information in the admin panel, setting up the AWS CLI to use this endpoint then downloading an SSH key from S3
21:30 - Cracking SSHNG$6 with John because Hashcat doesn't have this yet
25:15 - Our user can run facter with sudo, looking at the GTFOBin and getting code execution
29:20 - Beyond Root: Exploiting CVE-2024-46987, which is a File Disclosure
