Platform: Hack The Box
Season: 10
Difficulty: Easy
OS: Linux (Ubuntu 25.04)
Date: 2026-02-01
Author: x4cc3
Facts is an Easy Linux machine running a Camaleon CMS-based facts website. A mass assignment vulnerability in the Camaleon admin user update (CVE-2025-2304) allows an attacker to escalate a regular account to admin. The admin panel reveals MinIO (S3-compatible storage) credentials, which are used to access an internal bucket containing an encrypted SSH private key. After cracking the key's passphrase, SSH access is gained as trivia. For root, the user's sudo permission on facter is exploited via custom Ruby fact injection.
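The privilege escalation described above belongs to the mass-assignment class of bug: an update endpoint writes every submitted attribute to the record, so a self-service profile change can also set a privilege field. The following plain-Ruby model is an added example, not code from this writeup or from Camaleon CMS; the `seed_user`, `unsafe_update`, `safe_update` and `PERMITTED` names and the sample request are hypothetical, and the fix shown is the standard allowlist filter (strong parameters in Rails terms).

```ruby
# Added example (not from the writeup or Camaleon CMS): a plain-Ruby model of
# mass assignment, contrasting an update that trusts every submitted attribute
# with one that filters against an allowlist. All names are hypothetical.

# Constructed "database" row for a low-privilege account.
def seed_user
  { id: 7, username: "trivia", email: "trivia@example.invalid", role: "user" }
end

# Vulnerable pattern: every key from the request body is written to the record.
# A request that also carries role=admin therefore changes the privilege level.
def unsafe_update(user, params)
  user.merge(params.transform_keys(&:to_sym))
end

# Attributes a self-service profile update is allowed to change.
PERMITTED = %i[email].freeze

# Hardened pattern: keep only allowlisted keys before writing, and return the
# discarded keys so the caller can log or alert on attempted privilege changes.
def safe_update(user, params)
  incoming = params.transform_keys(&:to_sym)
  allowed  = incoming.slice(*PERMITTED)
  rejected = incoming.keys - PERMITTED
  [user.merge(allowed), rejected]
end

if __FILE__ == $PROGRAM_NAME
  # Constructed request body as a logged-in low-privilege user might send it.
  request = { "email" => "new@example.invalid", "role" => "admin" }
  puts "unsafe: #{unsafe_update(seed_user, request).inspect}"
  updated, dropped = safe_update(seed_user, request)
  puts "safe:   #{updated.inspect} (rejected keys: #{dropped.inspect})"
end
```

The detection hook is the `rejected` list: a non-admin request that tries to write `role` (or any other non-permitted key) is worth an alert, because it is exactly the probe that precedes this kind of escalation.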
```bash
nmap -Pn -sV -sC -T4 -A 10.129.27.18
```
| Port | Service | Version |
|---|---|---|
| 22/tcp | SSH | OpenSSH 9.9p1 (Ubuntu) |
| 80/tcp | HTTP | nginx 1.26.3 (redirects to facts.htb) |
Added to /etc/hosts:
```bash
echo "10.129.27.18 facts.htb" | sudo tee -a /etc/hosts
```
```bash
feroxbuster -u http://facts.htb/ -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
```

[Image: Nmap scan results]