Facts
HackTheBox Facts machine writeup — reconnaissance and enumeration walkthrough.
1. Initial Reconnaissance
The engagement begins with external reconnaissance to identify exposed services. A full TCP port scan is performed to ensure no listening services are missed. Using a high scan rate provides rapid visibility while still maintaining accuracy.
Full Port Scan
sudo nmap -p- --min-rate 5000 -T4 10.129.21.166 -oN ports.nmap
Result Summary
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
54321/tcp open unknown
From this scan, three key attack surfaces are identified:
- SSH (22) - Potential remote shell access if credentials can be obtained
- HTTP (80) - A web application, often the most likely initial entry point
- High Port (54321) - A non-standard service that warrants further inspection
At this stage, the web service becomes the primary focus due to its accessibility and likelihood of application-level vulnerabilities.
2. Hostname Resolution
The HTTP service responds differently depending on the hostname provided. This behavior strongly suggests virtual host routing.
To ensure proper application behavior, the target IP is mapped to its corresponding domain locally.
echo "10.129.21.166 facts.htb" | sudo tee -a /etc/hosts
This guarantees that all subsequent web requests are processed under the expected domain context.
3. Targeted Service Enumeration
With open ports identified, a more detailed service scan is conducted against the discovered services to gather version information and default script results.
sudo nmap -sC -sV -p 22,80,54321 facts.htb -oN facts.nmap
Key Findings
- Port 22: OpenSSH 9.9p1 (Ubuntu)
- Port 80: nginx 1.26.3 hosting a site titled facts
- Port 54321: Golang HTTP service identifying itself as MinIO
The MinIO service does not expose sensitive functionality or credentials at this stage, so focus shifts entirely to the web application on port 80.
4. Web Enumeration (Port 80)
Navigating to http://facts.htb reveals a CMS-driven website. Initial inspection shows a login panel with the option to self-register, allowing authenticated access without any prior credentials.
This is a critical observation, as authenticated-only vulnerabilities become immediately reachable.
Directory Discovery
To uncover hidden administrative or backend routes, directory fuzzing is performed.
ffuf -u http://facts.htb/FUZZ -w /usr/share/wordlists/dirb/common.txt -mc 302
Relevant Results
admin [302]
admin.php [302]
admin.cgi [302]
Accessing /admin redirects to an authentication page. After registering a new account and logging in, a full administrative dashboard becomes accessible, confirming that the CMS grants elevated functionality to any registered user.
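Seen from the server side, the directory fuzzing step above leaves a recognizable pattern in the nginx access log: one client requesting many distinct paths, most answered with 404 and a few with 302. The following is an added example, not part of the original writeup; the log lines, client addresses and thresholds are constructed assumptions, and the parser expects nginx's default combined log format.

```python
import re
from collections import defaultdict

# Start of nginx's default "combined" access log line, up to the status code.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) '
)

def detect_fuzzing(lines, min_paths=8, min_miss_ratio=0.7):
    """Flag clients requesting many distinct paths that mostly return 404.

    Thresholds are illustrative assumptions; tune them against real traffic.
    """
    per_ip = defaultdict(lambda: {"paths": set(), "total": 0, "miss": 0, "redirects": set()})
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # ignore lines that are not in combined format
        stats = per_ip[m["ip"]]
        stats["total"] += 1
        stats["paths"].add(m["path"])
        if m["status"] == "404":
            stats["miss"] += 1
        elif m["status"] == "302":
            stats["redirects"].add(m["path"])  # paths the scan learned exist
    flagged = {}
    for ip, stats in per_ip.items():
        ratio = stats["miss"] / stats["total"]
        if len(stats["paths"]) >= min_paths and ratio >= min_miss_ratio:
            flagged[ip] = {
                "distinct_paths": len(stats["paths"]),
                "miss_ratio": round(ratio, 2),
                "redirect_hits": sorted(stats["redirects"]),
            }
    return flagged

def make_line(ip, path, status):
    # Constructed sample line, not taken from the target.
    return f'{ip} - - [01/Jan/2025:10:00:00 +0000] "GET {path} HTTP/1.1" {status} 162 "-" "sample-agent"'

# Constructed traffic: one client walking a wordlist, one browsing normally.
WORDS = [".git", "admin", "admin.cgi", "admin.php", "backup", "cgi-bin",
         "config", "db", "old", "private", "test", "tmp"]
SAMPLE_LOG = [make_line("10.10.14.5", f"/{w}", 302 if w.startswith("admin") else 404) for w in WORDS]
SAMPLE_LOG += [make_line("10.10.14.9", p, 200) for p in ("/", "/login", "/assets/app.css")]

if __name__ == "__main__":
    for ip, info in detect_fuzzing(SAMPLE_LOG).items():
        print(ip, info)
```

The `redirect_hits` field lists the paths the scanning client learned exist, which is where review of subsequent authenticated activity should start.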