Overview

The machine starts by Simple enumeration that discovers an admin panel which is vulnerable to Privilege escalation which gives us admin privilege on that admin panel From here we can find AWS keys configured to a custom endpoint exposed externally with an ssh keys stored in S3 bucket Cracking this SSH key gets us foothold on the target and by exploiting facter binary we get a root shell

Enumeration

jimmex@attacker ~/htb/labs/facts ➜ nmap -sC -sV -vv -oA results 10.129.16.47
                                                        
...