Secret Writeup
Introduction :
Secret is an easy box released back in October 2021.
Part 1 : Initial Enumeration
As always, we begin our enumeration with Nmap to find open ports. We use the flags -sC for the default scripts and -sV for service version detection.
[ 10.10.14.17/23 ] [ /dev/pts/16 ] [~/HTB/Secret]
→ nmap -sCV secret.htb
Starting Nmap 7.93 ( https://nmap.org ) at 2022-12-01 15:42 CET
Nmap scan report for secret.htb (10.129.21.112)
Host is up (0.081s latency).
Not shown: 997 closed tcp ports (conn-refused)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 3072 97af61441089b953f0803fd719b1e29c (RSA)
| 256 95ed658dcd082b55dd1751311e3e1812 (ECDSA)
|_ 256 337bc171d3330f924e835a1f5202935e (ED25519)
80/tcp open http nginx 1.18.0 (Ubuntu)
|_http-server-header: nginx/1.18.0 (Ubuntu)
|_http-title: DUMB Docs
3000/tcp open http Node.js (Express middleware)
|_http-title: DUMB Docs
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 17.30 seconds
Part 2 : Getting User Access
Our nmap scan picked up port 80, so let's investigate it. We run ffuf to look for directories on port 80:
[ 10.10.14.17/23 ] [ /dev/pts/16 ] [~/HTB/Secret]
→ ffuf -u http://secret.htb/FUZZ -w /usr/share/seclists/Discovery/Web-Content/common.txt -mc 200,204,301,302,307,401 -t 50
/'___\ /'___\ /'___\
/\ \__/ /\ \__/ __ __ /\ \__/
\ \ ,__\\ \ ,__\/\ \/\ \ \ \ ,__\
\ \ \_/ \ \ \_/\ \ \_\ \ \ \ \_/
\ \_\ \ \_\ \ \____/ \ \_\
\/_/ \/_/ \/___/ \/_/
v1.5.0 Kali Exclusive
________________________________________________
:: Method : GET
:: URL : http://secret.htb/FUZZ
:: Wordlist : FUZZ: /usr/share/seclists/Discovery/Web-Content/common.txt
:: Follow redirects : false
:: Calibration : false
:: Timeout : 10
:: Threads : 50
:: Matcher : Response status: 200,204,301,302,307,401
________________________________________________
api [Status: 200, Size: 93, Words: 12, Lines: 1, Duration: 102ms]
api/experiments [Status: 200, Size: 93, Words: 12, Lines: 1, Duration: 103ms]
api/experiments/configurations [Status: 200, Size: 93, Words: 12, Lines: 1, Duration: 97ms]
assets [Status: 301, Size: 179, Words: 7, Lines: 11, Duration: 83ms]
docs [Status: 200, Size: 20720, Words: 6752, Lines: 487, Duration: 102ms]
download [Status: 301, Size: 183, Words: 7, Lines: 11, Duration: 108ms]
:: Progress: [4713/4713] :: Job [1/1] :: 405 req/sec :: Duration: [0:00:10] :: Errors: 0 ::
Reading the docs, we learn how to use the API on port 3000 to create an account.
From here, we create an account by POSTing to /api/user/register:
POST /api/user/register HTTP/1.1
Host: secret.htb:3000
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Firefox/102.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://secret.htb:3000/
Connection: close
Upgrade-Insecure-Requests: 1
Pragma: no-cache
Cache-Control: no-cache
Content-Type: application/json
Content-Length: 82
{
"name":"nihilist",
"email":"nihil@nowhere.com",
"password":"nihilist"
}
Then we obtain the JWT auth-token by POSTing our credentials to /api/user/login:
POST /api/user/login HTTP/1.1
Host: secret.htb:3000
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Firefox/102.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://secret.htb:3000/
Connection: close
Upgrade-Insecure-Requests: 1
Pragma: no-cache
Cache-Control: no-cache
Content-Type: application/json
Content-Length: 61
{
"email":"nihil@nowhere.com",
"password":"nihilist"
}
The response gives us the following JWT token:
eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJfaWQiOiI2Mzg4YzViYTU0OTM3ZTA0N2ExYmVmZDYiLCJuYW1lIjoibmloaWxpc3QiLCJlbWFpbCI6Im5paGlsQG5vd2hlcmUuY29tIiwiaWF0IjoxNjY5OTA4MDc2fQ.15gBFxEXh2My4CaXqNT0LR4jYymWsnXx0iRU8PFcKpE
With it, sent in the auth-token header, we can make a request to /api/priv:
GET /api/priv HTTP/1.1
Host: secret.htb:3000
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Firefox/102.0
auth-token: eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJfaWQiOiI2Mzg4YzViYTU0OTM3ZTA0N2ExYmVmZDYiLCJuYW1lIjoibmloaWxpc3QiLCJlbWFpbCI6Im5paGlsQG5vd2hlcmUuY29tIiwiaWF0IjoxNjY5OTA4MDc2fQ.15gBFxEXh2My4CaXqNT0LR4jYymWsnXx0iRU8PFcKpE
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://secret.htb:3000/
Connection: close
Upgrade-Insecure-Requests: 1
Pragma: no-cache
Cache-Control: no-cache
Content-Type: application/json
Content-Length: 0
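To see what the auth-token actually carries, here is an added Python example (not code from the box or the original writeup) that decodes the token above and shows how an HS256 signature is checked and minted. The server's signing secret is not on this page, so the verification runs against a labelled placeholder key and a constructed key.

```python
import base64
import hashlib
import hmac
import json

# Token copied from the writeup above: the claims are only base64url-encoded, not encrypted.
TOKEN = ("eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9."
         "eyJfaWQiOiI2Mzg4YzViYTU0OTM3ZTA0N2ExYmVmZDYiLCJuYW1lIjoibmloaWxpc3QiLCJlbWFpbCI6"
         "Im5paGlsQG5vd2hlcmUuY29tIiwiaWF0IjoxNjY5OTA4MDc2fQ."
         "15gBFxEXh2My4CaXqNT0LR4jYymWsnXx0iRU8PFcKpE")


def b64url_decode(part: str) -> bytes:
    # JWT segments drop the '=' padding; restore it before decoding.
    return base64.urlsafe_b64decode(part + "=" * (-len(part) % 4))


def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def decode_jwt(token: str):
    """Return (header, payload) as dicts WITHOUT checking the signature."""
    h, p, _sig = token.split(".")
    return json.loads(b64url_decode(h)), json.loads(b64url_decode(p))


def verify_hs256(token: str, secret: bytes) -> bool:
    """Recompute the HS256 MAC over 'header.payload' and compare in constant time."""
    h, p, sig = token.split(".")
    # Pin the algorithm: a verifier that trusts 'alg' from the header can be misled.
    if json.loads(b64url_decode(h)).get("alg") != "HS256":
        return False
    expected = hmac.new(secret, f"{h}.{p}".encode(), hashlib.sha256).digest()
    return hmac.compare_digest(expected, b64url_decode(sig))


def sign_hs256(payload: dict, secret: bytes) -> str:
    """Mint a token the way an HS256-based API does (compact JSON, no padding)."""
    header = {"alg": "HS256", "typ": "JWT"}
    segs = [b64url_encode(json.dumps(x, separators=(",", ":")).encode())
            for x in (header, payload)]
    mac = hmac.new(secret, ".".join(segs).encode(), hashlib.sha256).digest()
    return ".".join(segs + [b64url_encode(mac)])


if __name__ == "__main__":
    header, payload = decode_jwt(TOKEN)
    print(header)   # {'alg': 'HS256', 'typ': 'JWT'}
    print(payload)  # _id, name, email and iat of the account registered above
    # Placeholder secret (constructed): the real signing key is not on this page.
    print(verify_hs256(TOKEN, b"placeholder-secret"))
```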
Part 3 : Getting Root Access
Conclusion
Here we can see the progress graph :
Nihilist