January 31, 2026

Facts HackTheBox Writeup - Season 10

HackTheBox Facts machine walkthrough

SUMMARY

This write-up covers Facts, a currently active machine from HackTheBox Season 10. The initial foothold comes from the CamaleonCMS instance on the box, which is affected by CVE-2024-46987, a flaw that lets an unauthenticated request read arbitrary files from the server (a Local File Inclusion, LFI, attack).

By abusing this vulnerability, sensitive files on the server can be read, including an SSH private key belonging to a system user. The key is passphrase-protected, so the passphrase is cracked offline against a wordlist; the recovered passphrase then gives initial SSH access to the machine as that user.
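The file read that underpins this foothold is an ordinary path-traversal bug: a request parameter is joined onto a storage directory without checking that the result stays inside it. The block below is an added example, not CamaleonCMS code and not the exploit for CVE-2024-46987; it shows the vulnerable pattern beside a hardened version in a constructed sandbox where a placeholder `id_rsa` stands in for the key the write-up refers to. The function names, directory layout and file contents are all assumptions made for the demonstration.

```python
import tempfile
from pathlib import Path
from urllib.parse import unquote

# Constructed sandbox (assumption): a "private uploads" root plus a file
# outside it that plays the role of the user's SSH private key.
BASE = Path(tempfile.mkdtemp())
PRIVATE = BASE / "private"
PRIVATE.mkdir()
(PRIVATE / "report.pdf").write_text("legit private file\n")
SSH_DIR = BASE / "home" / "user" / ".ssh"
SSH_DIR.mkdir(parents=True)
(SSH_DIR / "id_rsa").write_text(
    "-----BEGIN OPENSSH PRIVATE KEY----- (constructed placeholder)\n"
)


def download_private_file_vulnerable(name: str) -> str:
    """Hypothetical vulnerable handler: the (URL-decoded) parameter is
    concatenated onto the storage root. '..' components are kept, so the
    kernel walks out of PRIVATE when the file is opened."""
    path = PRIVATE / unquote(name)
    return path.read_text()


def download_private_file_hardened(name: str) -> str:
    """Hardened handler: canonicalise the candidate path and refuse
    anything that is not strictly inside the storage root."""
    root = PRIVATE.resolve()
    target = (root / unquote(name)).resolve()
    if target == root or not target.is_relative_to(root):
        raise PermissionError(f"path escapes storage root: {name!r}")
    if not target.is_file():
        raise FileNotFoundError(name)
    return target.read_text()


def hardened_rejects(name: str) -> bool:
    """True when the hardened handler blocks the request as traversal."""
    try:
        download_private_file_hardened(name)
    except PermissionError:
        return True
    return False


if __name__ == "__main__":
    payload = "..%2Fhome%2Fuser%2F.ssh%2Fid_rsa"   # encoded ../home/user/.ssh/id_rsa
    print("vulnerable:", download_private_file_vulnerable(payload).strip())
    print("hardened rejects traversal:", hardened_rejects(payload))
    print("hardened serves legit file:", download_private_file_hardened("report.pdf").strip())
```

The decisive difference is `resolve()` followed by an `is_relative_to` check against the resolved root: string checks such as rejecting a literal `../` miss percent-encoded or double-encoded variants, whereas comparing canonical paths does not care how the traversal was spelled.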

Privilege escalation relies on a misconfigured sudo rule that lets the user run a privileged binary as root; abusing that binary yields a root shell on the system.


PATH TO FOLLOW

  1. Reconnaissance
  2. Web Enumeration
  3. Exploiting CamaleonCMS CVE-2024-46987
  4. Local File Inclusion (LFI)
  5. Extracting an SSH Private Key
  6. Cracking the SSH Passphrase
  7. Initial SSH Access
  8. Sudo Misconfiguration
  9. Privilege Escalation to Root

CONTENT WILL BE RELEASED ONCE THE MACHINE IS RETIRED