kedaegan.github.io

Secret

Enumeration

Ports and Services

Software Installed:

Nmap Scan Results:

Gobuster Scan:

Wfuzz port 3000 /api:

Website uses Node.js and JWT tokens. There is a source code download link at the bottom of the home page.
Homepage

.git directory found in the files.zip:

Running “git log -p -2” reveals:

Username: theadmin
TOKEN_SECRET = gXr67TtoQL8TShUc8XYsK2HvsBYfyQSFCFZe4MQp7gRpFuMkKjcM72CNQN4fMfbZEKx4i7YiWuNAkmuTcdEriCMm9vPAYkhpwPTiuVwVhvwE

Username:

Token Secret:

JWT Token in routes/auth.js:

Triggered an error in a response, revealing a possible local username and the path structure:

Created User:

Successfully logged in and retrieved a token:

Verified Token with found secret at https://jwt.io

Priv Test shows I am user:

Created admin token using info from the help pages:

JWT.IO without secret key:

With Key:

Tested:

Auth Token:

eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJfaWQiOiI2MTE0NjU0ZDc3ZjlhNTRlMDBmMDU3NzciLCJuYW1lIjoidGhlYWRtaW4iLCJlbWFpbCI6InJvb3RAZGFzaXRoLndvcmtzIiwiaWF0IjoxNjI4NzI3NjY5fQ.52W5mGLsIO2iiLpy3f1VkVavP4hOoWHxy5_0BDn9UKo
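To make "verified with the found secret" concrete, and to show why rotating TOKEN_SECRET is the fix once it has leaked through git history, here is an added Python example (not part of the original write-up and not the application's own code) that decodes and verifies an HS256 JWT with the standard library only. The token and secret constants are the ones printed above; the rotated secret is a made-up placeholder.

```python
import base64
import hashlib
import hmac
import json

# Values copied from the write-up above: the TOKEN_SECRET leaked via git history
# and the admin token shown under "Auth Token".
LEAKED_SECRET = ("gXr67TtoQL8TShUc8XYsK2HvsBYfyQSFCFZe4MQp7gRpFuMkKjcM72CNQN4fMfbZ"
                 "EKx4i7YiWuNAkmuTcdEriCMm9vPAYkhpwPTiuVwVhvwE")
TOKEN = ("eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9."
         "eyJfaWQiOiI2MTE0NjU0ZDc3ZjlhNTRlMDBmMDU3NzciLCJuYW1lIjoidGhlYWRtaW4iLCJl"
         "bWFpbCI6InJvb3RAZGFzaXRoLndvcmtzIiwiaWF0IjoxNjI4NzI3NjY5fQ."
         "52W5mGLsIO2iiLpy3f1VkVavP4hOoWHxy5_0BDn9UKo")
# Placeholder for a freshly generated secret after rotation (constructed, not real).
ROTATED_SECRET = "placeholder-new-secret-after-rotation"


def b64url_decode(segment: str) -> bytes:
    # JWT segments are base64url without padding; restore the padding first.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def decode_claims(token: str) -> dict:
    # Reads header and payload without trusting them; no signature check here.
    header_b64, payload_b64, _sig = token.split(".")
    return {
        "header": json.loads(b64url_decode(header_b64)),
        "payload": json.loads(b64url_decode(payload_b64)),
    }


def verify_hs256(token: str, secret: str) -> bool:
    # Recompute HMAC-SHA256 over "header.payload" and compare in constant time.
    header_b64, payload_b64, sig_b64 = token.split(".")
    header = json.loads(b64url_decode(header_b64))
    if header.get("alg") != "HS256":
        return False  # refuse anything but the expected algorithm (e.g. "none")
    signing_input = f"{header_b64}.{payload_b64}".encode()
    expected = hmac.new(secret.encode(), signing_input, hashlib.sha256).digest()
    return hmac.compare_digest(expected, b64url_decode(sig_b64))


if __name__ == "__main__":
    claims = decode_claims(TOKEN)
    print("claims:", claims["payload"])
    print("valid under leaked secret:", verify_hs256(TOKEN, LEAKED_SECRET))
    print("valid after rotation:", verify_hs256(TOKEN, ROTATED_SECRET))
```

The payload is readable by anyone (it is only base64url), so the `name` claim alone proves nothing; the HMAC is what the server relies on. Every token minted under the leaked secret, including any forged admin token, stops verifying the moment the application is restarted with a new secret, which is why rotation rather than revoking individual tokens is the remediation.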

/api/logs:

/api/logs route in routes/private.js

RCE:

Any commands containing / or spaces need to be URL encoded:
URL encoded cat /etc/passwd:

Initial Foothold

Gained shell:

User.txt Proof Screenshot

Privilege Escalation

/opt/count has the SUID bit set:

Able to crash it and retrieve file contents from the crash dump / core dump:

  1. Executed /opt/count against /etc/shadow
  2. Logged into another terminal, looked up the PID and killed it with kill -BUS
  3. Converted the crash dump into a core dump with apport-unpack
  4. Ran strings on the core dump
  5. Grabbed root's private SSH key
  6. After some cleanup, I was able to ssh in as root

Root Screenshot Here: