
"Facts" - HackTheBox Walkthrough (Season 10)

A complete walkthrough of the Facts machine from HackTheBox Season 10. Learn how to exploit Camaleon CMS, enumerate S3 buckets, and escalate privileges to root.

HackTheBox “Facts” Writeup

A walkthrough of the HackTheBox ‘Facts’ machine (Season 10), which is an easy-rated Linux box. This write-up covers initial access, privilege escalation, and post-exploitation techniques.

Initial Reconnaissance

We start with a standard Nmap scan to identify open ports and services. The machine’s IP was 10.129.1.201.

┌──(kali㉿kali)-[/home/kali/Desktop/temp]
└─$ nmap -T4 -A 10.129.1.201 -p-
Starting Nmap 7.98 ( https://nmap.org ) at 2026-02-19 06:10 -0500
Stats: 0:01:33 elapsed; 0 hosts completed (1 up), 1 undergoing SYN Stealth Scan
SYN Stealth Scan Timing: About 34.26% done; ETC: 06:15 (0:02:58 remaining)
Nmap scan report for 10.129.1.201
Host is up (0.15s latency).
Not shown: 65532 closed tcp ports (reset)
PORT      STATE SERVICE VERSION
22/tcp    open  ssh     OpenSSH 9.9p1 Ubuntu 3ubuntu3.2 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   256 4d:d7:b2:8c:d4:df:57:9c:a4:2f:df:c6:e3:01:29:89 (ECDSA)
|_  256 a3:ad:6b:2f:4a:bf:6f:48:ac:81:b9:45:3f:de:fb:87 (ED25519)
80/tcp    open  http    nginx 1.26.3 (Ubuntu)
|_http-title: Did not follow redirect to http://facts.htb/
|_http-server-header: nginx/1.26.3 (Ubuntu)
54321/tcp open  http    Golang net/http server
|_http-server-header: MinIO
|_http-title: Did not follow redirect to http://10.129.1.201:9001
| fingerprint-strings: 
|   FourOhFourRequest: 
|     HTTP/1.0 400 Bad Request
|     Accept-Ranges: bytes
|     Content-Length: 303
|     Content-Type: application/xml
|     Server: MinIO
|     Strict-Transport-Security: max-age=31536000; includeSubDomains
|     Vary: Origin
|     X-Amz-Id-2: dd9025bab4ad464b049177c95eb6ebf374d3b3fd1af9251148b658df7ac2e3e8
|     X-Amz-Request-Id: 1895A1D2EF3C7D6B
|     X-Content-Type-Options: nosniff
|     X-Xss-Protection: 1; mode=block
|     Date: Thu, 19 Feb 2026 11:19:15 GMT
|     <?xml version="1.0" encoding="UTF-8"?>
|     <Error><Code>InvalidRequest</Code><Message>Invalid Request (invalid argument)</Message><Resource>/nice ports,/Trinity.txt.bak</Resource><RequestId>1895A1D2EF3C7D6B</RequestId><HostId>dd9025bab4ad464b049177c95eb6ebf374d3b3fd1af9251148b658df7ac2e3e8</HostId></Error>
|   GenericLines, Help, RTSPRequest, SSLSessionReq: 
|     HTTP/1.1 400 Bad Request
|     Content-Type: text/plain; charset=utf-8
|     Connection: close
|     Request
|   GetRequest: 
|     HTTP/1.0 400 Bad Request
|     Accept-Ranges: bytes
|     Content-Length: 276
|     Content-Type: application/xml
|     Server: MinIO
|     Strict-Transport-Security: max-age=31536000; includeSubDomains
|     Vary: Origin
|     X-Amz-Id-2: dd9025bab4ad464b049177c95eb6ebf374d3b3fd1af9251148b658df7ac2e3e8
|     X-Amz-Request-Id: 1895A1CEC0B5C110
|     X-Content-Type-Options: nosniff
|     X-Xss-Protection: 1; mode=block
|     Date: Thu, 19 Feb 2026 11:18:57 GMT
|     <?xml version="1.0" encoding="UTF-8"?>
|     <Error><Code>InvalidRequest</Code><Message>Invalid Request (invalid argument)</Message><Resource>/</Resource><RequestId>1895A1CEC0B5C110</RequestId><HostId>dd9025bab4ad464b049177c95eb6ebf374d3b3fd1af9251148b658df7ac2e3e8</HostId></Error>
|   HTTPOptions: 
|     HTTP/1.0 200 OK
|     Vary: Origin
|     Date: Thu, 19 Feb 2026 11:18:58 GMT
|_    Content-Length: 0
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service
Device type: general purpose
Running: Linux 4.X|5.X
OS CPE: cpe:/o:linux:linux_kernel:4 cpe:/o:linux:linux_kernel:5
OS details: Linux 4.15 - 5.19
Network Distance: 2 hops
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

TRACEROUTE (using port 1720/tcp)
HOP RTT       ADDRESS
1   131.66 ms 10.10.16.1
2   66.93 ms  10.129.1.201

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 529.04 seconds

The scan reveals three open ports:

  • 22: OpenSSH 9.9p1
  • 80: Nginx Web Server
  • 54321: MinIO Object Storage
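
As an added example (not part of the original post), the sketch below parses nmap's normal output, as in the scan above, into a per-port summary for triage. It prefers the http-server-header script result over the VERSION column, which is how port 54321 is identified as MinIO rather than a generic Go HTTP server, and it checks whether each redirect target port was itself reported open. The function names and the trimmed sample are constructed for illustration.

```python
import re
from urllib.parse import urlsplit

# Constructed sample: the port table from the scan above, trimmed to the relevant lines.
SAMPLE = """\
PORT      STATE SERVICE VERSION
22/tcp    open  ssh     OpenSSH 9.9p1 Ubuntu 3ubuntu3.2 (Ubuntu Linux; protocol 2.0)
80/tcp    open  http    nginx 1.26.3 (Ubuntu)
|_http-title: Did not follow redirect to http://facts.htb/
|_http-server-header: nginx/1.26.3 (Ubuntu)
54321/tcp open  http    Golang net/http server
|_http-server-header: MinIO
|_http-title: Did not follow redirect to http://10.129.1.201:9001
Device type: general purpose
"""

PORT_RE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)\s*(.*)$")
SCRIPT_RE = re.compile(r"^\|[_ ]([\w-]+):\s*(.*)$")  # top-level script lines only
REDIRECT_RE = re.compile(r"Did not follow redirect to (\S+)")

def parse_services(text):
    # One dict per port line, with its top-level NSE script output attached.
    services, current = [], None
    for line in text.splitlines():
        port = PORT_RE.match(line)
        if port:
            current = {"port": int(port[1]), "state": port[3],
                       "version": port[5].strip(), "scripts": {}}
            services.append(current)
        elif line.startswith("|") and current is not None:
            script = SCRIPT_RE.match(line)
            if script:
                current["scripts"][script[1]] = script[2].strip()
        else:
            current = None  # left the port table
    return services

def summarize(text):
    # Rows: (port, banner, redirect host, redirect port, redirect port reported open?)
    services = [s for s in parse_services(text) if s["state"] == "open"]
    open_ports = {s["port"] for s in services}
    rows = []
    for s in services:
        banner = s["scripts"].get("http-server-header") or s["version"]
        hit = REDIRECT_RE.search(s["scripts"].get("http-title", ""))
        url = urlsplit(hit.group(1)) if hit else None
        host, rport = (url.hostname, url.port or 80) if url else (None, None)
        rows.append((s["port"], banner, host, rport, rport in open_ports if url else None))
    return rows
```

On this scan the redirect from port 54321 points at port 9001, which nmap did not report as open from the scanning host, while port 80 redirects to the facts.htb virtual host.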

I added the machine IP to my /etc/hosts file for easier access:


Active HackTheBox Challenge

This challenge is currently active on HackTheBox. According to HTB's content policy, sharing writeups of active challenges is prohibited.

This writeup will be made publicly available once the challenge is retired. If you wish to know the password or discuss the challenge, please reach out via the social links below.

To conclude

Overall a nice simple box from HTB. The machine was relatively easy with an out-of-the-box CMS exploit for user and a super simple abuse to pivot to root. I have covered both the proper exploits.

P.S

I solve new HackTheBox machines every week when they drop, but I don’t publish a writeup for every single one, only the boxes I genuinely enjoyed or learned something from.

I posted “Facts” because it's the first machine of the season and it was a clean, fun warm-up. Going forward, I’ll probably cover more medium/hard boxes since they feel truly challenging and usually teach me the most.

This post is licensed under CC BY 4.0 by the author.