Facts
Facts is a sanitized machine note from the local HTB archive, organized for quick review by category, difficulty, evidence flow, and reusable operator
Scenario
Facts attack path
Objective
Machine walkthrough focused on Machines evidence, validation, and reusable operator lessons.
Walkthrough flow
Enumeration
Foothold
Privilege Escalation
Root proof
Lessons Learned
Source coverage
High source coverage
Status: complete. This article is generated from 3 sanitized Markdown sources and keeps raw flags, credentials, keys, cookies, and reusable secrets out of the rendered blog.
Good confidence: the page has enough source material to read as a complete walkthrough, but the supporting evidence set is smaller than the highest-confidence cases.
- <TARGET>-Facts/walkthrough.md
- HTB/<TARGET>-Facts/notes.md
- HTB/_knowledge/exports/ctf-lightrag-latest-203412/documents/machine__<TARGET>-Facts__notes.md.761ec09092.md
Technical Walkthrough
Facts - Walkthrough
Machine Info
- Name: Facts
- IP: <TARGET>
- OS: Linux
- Difficulty: Easy
- Author: LazyTitan33
Enumeration
Quick TCP scan found SSH (22) and HTTP (80). Full port scan revealed an additional port 54321 running MinIO (LocalStack S3). The web server is nginx proxying to a Camaleon CMS 2.9.0 (Ruby on Rails 8) app at facts.htb. The MinIO bucket randomfacts is anonymously readable and writable, serving CMS media files via nginx proxy at /randomfacts/.
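A defender-side check for the bucket exposure described above, as an added example that is not part of the original notes: it reads an S3-style bucket policy and lists what an anonymous principal may do. The policy document, the second principal ARN and the function names are constructed for illustration; only the bucket name comes from the notes.

```ruby
require "json"

# Constructed policy of the shape an S3-compatible store returns for a
# bucket opened to everyone (not captured from the target).
SAMPLE_POLICY = <<~JSON
  {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": {"AWS": ["*"]},
     "Action": ["s3:GetObject", "s3:PutObject"],
     "Resource": ["arn:aws:s3:::randomfacts/*"]},
    {"Effect": "Allow", "Principal": {"AWS": ["arn:aws:iam::000000000000:user/cms"]},
     "Action": "s3:DeleteObject", "Resource": "arn:aws:s3:::randomfacts/*"}
  ]}
JSON

# Actions that let a caller change bucket contents; "s3:*" is counted as write.
WRITE_ACTIONS = /\As3:(\*|Put|Delete|AbortMultipartUpload)/.freeze

# Principal may be the string "*" or a hash whose "AWS" entry is "*" or ["*"].
def anonymous?(principal)
  return true if principal == "*"
  principal.is_a?(Hash) && Array(principal["AWS"]).include?("*")
end

# Returns { read: [...], write: [...] } for Allow statements open to anyone.
# Condition blocks are ignored, so a hit means "review this statement".
def anonymous_grants(policy_json)
  grants = { read: [], write: [] }
  JSON.parse(policy_json).fetch("Statement", []).each do |st|
    next unless st["Effect"] == "Allow" && anonymous?(st["Principal"])
    Array(st["Action"]).each do |action|
      kind = action.match?(WRITE_ACTIONS) ? :write : :read
      grants[kind] << action
    end
  end
  grants
end

puts anonymous_grants(SAMPLE_POLICY).inspect if __FILE__ == $PROGRAM_NAME
```

A non-empty `write` list on a bucket that serves CMS media means anyone can replace the files the site hands to visitors.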
Foothold
- CMS Registration: Registered a user account on the Camaleon CMS admin panel at /admin/register. The registration form has a CAPTCHA that requires visual solving. The captcha accepts lowercase values. Used Python requests.Session() to maintain the session across captcha fetch and form submission.
- <secret redacted> (Path Traversal File Read): As an authenticated client-role user, exploited the /admin/media/download_private_file?file=../../../etc/passwd endpoint to read arbitrary files from the server filesystem. This CVE allows any authenticated Camaleon CMS user to read files readable by the web application user (trivia).
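The class of bug behind the file read above, shown beside a contained version, as an added example that is not Camaleon CMS source code and not part of the original notes. PRIVATE_ROOT and both function names are hypothetical; the point is that the requested name must be canonicalised and checked against the storage root before any file is opened.

```ruby
# Added illustration, not Camaleon CMS source code.
# PRIVATE_ROOT and both function names are hypothetical.
PRIVATE_ROOT = "/opt/factsapp/private"

# Vulnerable pattern: the parameter is appended to the root and used as-is,
# so "../" segments walk out of the private directory when the file is opened.
def naive_private_path(file_param)
  File.join(PRIVATE_ROOT, file_param)
end

# Hardened pattern: canonicalise first, then require the result to stay under
# the root. Returns the resolved path, or nil when the request is rejected.
def contained_private_path(file_param, root = PRIVATE_ROOT)
  return nil if file_param.nil? || file_param.empty? || file_param.include?("\0")
  root_abs = File.expand_path(root)
  resolved = File.expand_path(file_param, root_abs)
  # The trailing separator stops a sibling such as ".../private_backup"
  # from passing a bare prefix comparison.
  return nil unless resolved.start_with?(root_abs + File::SEPARATOR)
  resolved
rescue ArgumentError
  nil # expand_path raises on "~unknownuser" and similar input
end

if __FILE__ == $PROGRAM_NAME
  ["invoices/2024.pdf", "../../../etc/passwd", "/etc/passwd", "../private_backup/x"].each do |p|
    naive = File.expand_path(naive_private_path(p))
    puts format("%-22s naive=%-40s contained=%p", p, naive, contained_private_path(p))
  end
end
```

File.expand_path is purely lexical; where the storage directory can contain symlinks, compare File.realpath results instead.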
User Flag
Read /home/william/user.txt via the path traversal LFI: <hash redacted>
Also extracted:
- trivia user's SSH private key from /home/trivia/.ssh/id_ed25519 (encrypted with aes256-ctr)
- Rails master key from /opt/factsapp/config/master.key
Privilege Escalation
trivia user (SSH access)
Cracked the SSH key passphrase with John the Ripper using rockyou.txt: dragonballz. Used <secret redacted> mechanism to pass the passphrase non-interactively.
Root
sudo -l revealed trivia can run /usr/bin/facter (Puppet Facter 4.10.0) as ALL users with NOPASSWD.
Exploited by creating a custom Ruby fact:
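```ruby
# Custom fact file placed in /tmp/myfacts; Facter evaluates it with the
# privileges of the process that loads it (root, via sudo).
Facter.add(:rootflag) do
  setcode do
    Facter::Core::Execution.execute("cat /root/root.txt")
  end
end
```
Executed with: sudo /usr/bin/facter --custom-dir /tmp/myfacts rootflag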
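The sudo rule described above, audited from the defender's side, as an added example that is not part of the original notes: it scans sudoers text for code-loading binaries granted without a pinned argument list. The sample sudoers lines, the CODE_LOADERS list and the function name are constructed assumptions.

```ruby
# Added illustration. Binaries that execute caller-supplied code; the list is
# an illustrative assumption (facter is the one from this walkthrough).
CODE_LOADERS = %w[facter ruby python3 perl].freeze

# Constructed sudoers content, not copied from the target.
SAMPLE_SUDOERS = <<~SUDOERS
  Defaults env_reset
  trivia ALL=(ALL) NOPASSWD: /usr/bin/facter
  backup ALL=(root) NOPASSWD: /usr/bin/facter "", /usr/bin/rsync -a /srv /mnt
  deploy ALL=(root) /usr/bin/systemctl restart factsapp
SUDOERS

# Returns one hash per rule that grants a code loader with unrestricted
# arguments. In sudoers, a command with no argument list accepts any
# arguments, while "" means "no arguments allowed".
def risky_sudo_rules(text)
  findings = []
  text.each_line do |line|
    line = line.strip
    next if line.empty? || line.start_with?("#", "Defaults")
    m = line.match(/\A(\S+)\s+\S+\s*=\s*(?:\(([^)]*)\))?\s*(.*)\z/)
    next unless m
    user, runas, spec = m[1], (m[2] || "root"), m[3]
    nopasswd = false # tags carry over to later commands on the same line
    spec.split(",").each do |entry|
      entry = entry.strip
      while (tag = entry[/\A([A-Z_]+):\s*/, 1])
        nopasswd = true if tag == "NOPASSWD"
        nopasswd = false if tag == "PASSWD"
        entry = entry.sub(/\A[A-Z_]+:\s*/, "")
      end
      cmd, args = entry.split(/\s+/, 2)
      next unless cmd && CODE_LOADERS.include?(File.basename(cmd))
      next unless args.nil? # explicit args pin the call; wildcards need manual review
      findings << { user: user, runas: runas, command: cmd, nopasswd: nopasswd }
    end
  end
  findings
end

risky_sudo_rules(SAMPLE_SUDOERS).each { |f| puts f.inspect } if __FILE__ == $PROGRAM_NAME
```

Only the first sample rule is reported: it leaves the argument list open, which is what lets --custom-dir point Facter at a user-writable directory.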
Root Flag
<hash redacted>
Attack Chain Summary
Anonymous MinIO bucket -> CMS Registration (captcha solve) -> <secret redacted> LFI ->
SSH key extraction -> Key passphrase crack (dragonballz) -> SSH as trivia ->
sudo facter --custom-dir (custom Ruby fact) -> root
Lessons Learned
- The machine name "Facts" was a hint toward both the trivia content theme and the facter privesc tool.
- Camaleon CMS v2.9.0 has <secret redacted> (path traversal file read) exploitable by any authenticated user, even client role.
- The SSTI vulnerability (<secret redacted>) was patched (HTML-escaped) in this version but the LFI was not.
- SSH key passphrase cracking with rockyou.txt continues to be a common HTB pattern.
- Facter --custom-dir allows loading arbitrary Ruby code as custom facts, which executes as root when combined with sudo NOPASSWD.
Source-Backed Dossier
The sections below are merged from companion Markdown notes for the same case. They are rendered after sanitization so the article stays precise without publishing raw flags, credentials, or target-specific secrets.
Notes
Scope
- Target: <TARGET>
- Pwnbox: <TARGET> (profex0r)
- Difficulty: Easy
- OS: Linux
- Date: 2026-05-10
Key Findings
- Ports: 22 (SSH), 80 (nginx/Camaleon CMS), 54321 (MinIO/LocalStack S3)
- Hostname: facts.htb
- CMS: Camaleon CMS 2.9.0 (Ruby on Rails 8)
- Users: trivia (uid=1000), william
- Rails app: /opt/factsapp, runs as trivia
- MinIO bucket randomfacts has anonymous read/write
- <secret redacted>: Path traversal file read in /admin/media/download_private_file
- SSH key for trivia at /home/trivia/.ssh/id_ed25519 (passphrase: dragonballz)
- Sudo: trivia can run sudo /usr/bin/facter NOPASSWD
- Privesc: facter --custom-dir with custom Ruby fact
Credentials
- CMS user: profx99 / Hackthebox1! (client role)
- trivia SSH key passphrase: dragonballz
- Rails master key: <hash redacted>
Flags
- User (william): <hash redacted>
- Root: <hash redacted>
Evidence Ledger
| Timestamp | Command | Output File | Finding | Next Action |
|---|---|---|---|---|
| 12:24 | nmap -sC -sV | initial.nmap | SSH 22, HTTP 80 (nginx, Camaleon CMS) | Full port scan |
| 12:26 | nmap -p<redacted> | allports.nmap | Port 54321 (MinIO/LocalStack) | Service scan |
| 12:30 | curl MinIO bucket | - | Anonymous read/write on randomfacts bucket | Explore CMS |
| 12:35 | curl admin/register | - | Registration with CAPTCHA | Solve captcha, register |
| 12:50 | Python captcha solve | - | Registered as profx99 (client role) | Exploit CMS CVE |
| 13:10 | <secret redacted> LFI | - | /etc/passwd, user flag, SSH key, Rails config | Crack SSH key |
| 13:36 | john cracking | - | SSH passphrase: dragonballz | SSH as trivia |
| 13:38 | sudo -l | - | facter NOPASSWD | Custom fact for root |
| 13:39 | facter --custom-dir | - | Root flag captured | Done |