WEB · EASY · HTB Season 10

Facts

Category: WEB
OS: Linux


Reconnaissance

Target Details

Port Scanning

nmap -sC -sV -p- facts.htb -oN nmap_scan.txt

Port     State   Service   Version
22/tcp   Open    SSH       OpenSSH
80/tcp   Open    HTTP      Nginx (serving factsapp)

Web Enumeration

Browsed to http://facts.htb - normal homepage with no obvious vulnerabilities on the main page.

Discovered endpoints:

Critical finding: The download endpoint accepts a user-controlled file parameter, indicating a potential Local File Inclusion (LFI) vulnerability.
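As an added defender-side example (not code from this writeup; the real app's stack and paths are unknown, so the download root below is a placeholder), this is the check a download handler needs so that a user-controlled file parameter can never resolve to a path outside its own directory:

```python
from pathlib import Path
from urllib.parse import unquote

# Hypothetical document root for the download endpoint (placeholder path).
DOWNLOAD_ROOT = Path("/srv/factsapp/downloads")


def resolve_download(user_param: str, root: Path = DOWNLOAD_ROOT) -> Path:
    """Map a user-supplied file parameter to a path inside `root`.

    Raises ValueError for anything that would leave the directory, which is
    exactly the class of bug an LFI finding on a download endpoint points at.
    """
    # Decode once so "%2e%2e%2f" is judged on its decoded form, then refuse
    # NUL bytes (historically used to truncate a path before an appended suffix).
    name = unquote(user_param)
    if "\x00" in name or not name.strip():
        raise ValueError("invalid file parameter")
    # Never honour absolute paths or drive-letter style prefixes.
    if name.startswith(("/", "\\")) or ":" in name:
        raise ValueError("absolute paths are not allowed")
    # Resolve symlinks and ".." on the joined path, then confirm the result is
    # still beneath the resolved root; a lexical check alone misses symlinks.
    root_real = root.resolve()
    candidate = (root_real / name).resolve()
    try:
        candidate.relative_to(root_real)
    except ValueError:
        raise ValueError("path escapes download root") from None
    if candidate == root_real:
        raise ValueError("a file name is required")
    return candidate


def is_safe(user_param: str, root: Path = DOWNLOAD_ROOT) -> bool:
    """True when the parameter resolves to a file inside the download root."""
    try:
        resolve_download(user_param, root)
        return True
    except ValueError:
        return False
```

The handler should still serve only the returned path, never the raw parameter, and should log rejected values so traversal attempts show up in the application logs.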


The rest of this writeup is locked

Contact me on Discord or LinkedIn for the password.

HackTheBox policy restricts publishing walkthroughs for active-season machines. This writeup is password-protected to respect that policy while keeping the content available to those who already have access.