https://z3r0s6.github.io/tags/rails/Recent content in Rails on z3r0sHugoenSun, 15 Mar 2026 00:00:00 +0000https://z3r0s6.github.io/machines/facts/Sun, 15 Mar 2026 00:00:00 +0000https://z3r0s6.github.io/machines/facts/<table> <thead> <tr> <th>Field</th> <th>Value</th> </tr> </thead> <tbody> <tr> <td>Difficulty</td> <td>Easy</td> </tr> <tr> <td>OS</td> <td>Linux</td> </tr> <tr> <td>Techniques</td> <td>Mass Assignment · MinIO · ssh2john · facter GTFOBin</td> </tr> </tbody> </table> <hr> <h2 id="summary"> Summary <a class="heading-link" href="#summary"> <i class="fa-solid fa-link" aria-hidden="true" title="Link to heading"></i> <span class="sr-only">Link to heading</span> </a> </h2> <p>Facts is an Easy Linux machine running a Ruby on Rails CMS. The intended foothold is a <strong>Mass Assignment</strong> vulnerability in the password change endpoint - by appending <code>&amp;password[role]=admin</code> to the intercepted request, a low-privilege user escalates to admin without touching the LFI path. As admin, MinIO S3 credentials are exposed in the General Site filesystem settings. Using the <code>mc</code> client, an SSH private key is pulled from the internal MinIO bucket. The key passphrase is cracked offline with <code>ssh2john</code> + <code>john</code> (rockyou.txt → <code>dragonballz</code>). SSH access lands as <code>trivia</code>, who can run <code>/usr/bin/facter</code> as root via sudo. A malicious Ruby script planted in <code>/tmp/piv</code> and loaded via <code>--custom-dir</code> gives a root shell.</p>