Skip to content

Secret Writeup

Introduction :

Secret is an easy box released back in October 2021.

Part 1 : Initial Enumeration

As always we begin our Enumeration using Nmap to enumerate opened ports. We will be using the flags -sC for default scripts and -sV to enumerate versions.

[ 10.10.14.17/23 ] [ /dev/pts/16 ] [~/HTB/Secret]
→ nmap -sCV secret.htb
Starting Nmap 7.93 ( https://nmap.org ) at 2022-12-01 15:42 CET
Nmap scan report for secret.htb (10.129.21.112)
Host is up (0.081s latency).
Not shown: 997 closed tcp ports (conn-refused)
PORT     STATE SERVICE VERSION
22/tcp   open  ssh     OpenSSH 8.2p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   3072 97af61441089b953f0803fd719b1e29c (RSA)
|   256 95ed658dcd082b55dd1751311e3e1812 (ECDSA)
|_  256 337bc171d3330f924e835a1f5202935e (ED25519)
80/tcp   open  http    nginx 1.18.0 (Ubuntu)
|_http-server-header: nginx/1.18.0 (Ubuntu)
|_http-title: DUMB Docs
3000/tcp open  http    Node.js (Express middleware)
|_http-title: DUMB Docs
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 17.30 seconds

Part 2 : Getting User Access

Our nmap scan picked up port 80 so let's investigate:

we run ffuf to look for directories on port 80:

[ 10.10.14.17/23 ] [ /dev/pts/16 ] [~/HTB/Secret]
→ ffuf -u http://secret.htb/FUZZ -w /usr/share/seclists/Discovery/Web-Content/common.txt -mc 200,204,301,302,307,401 -t 50

        /'___\  /'___\           /'___\
       /\ \__/ /\ \__/  __  __  /\ \__/
       \ \ ,__\\ \ ,__\/\ \/\ \ \ \ ,__\
        \ \ \_/ \ \ \_/\ \ \_\ \ \ \ \_/
         \ \_\   \ \_\  \ \____/  \ \_\
          \/_/    \/_/   \/___/    \/_/

       v1.5.0 Kali Exclusive 
________________________________________________

 :: Method           : GET
 :: URL              : http://secret.htb/FUZZ
 :: Wordlist         : FUZZ: /usr/share/seclists/Discovery/Web-Content/common.txt
 :: Follow redirects : false
 :: Calibration      : false
 :: Timeout          : 10
 :: Threads          : 50
 :: Matcher          : Response status: 200,204,301,302,307,401
________________________________________________

api                     [Status: 200, Size: 93, Words: 12, Lines: 1, Duration: 102ms]
api/experiments         [Status: 200, Size: 93, Words: 12, Lines: 1, Duration: 103ms]
api/experiments/configurations [Status: 200, Size: 93, Words: 12, Lines: 1, Duration: 97ms]
assets                  [Status: 301, Size: 179, Words: 7, Lines: 11, Duration: 83ms]
docs                    [Status: 200, Size: 20720, Words: 6752, Lines: 487, Duration: 102ms]
download                [Status: 301, Size: 183, Words: 7, Lines: 11, Duration: 108ms]
:: Progress: [4713/4713] :: Job [1/1] :: 405 req/sec :: Duration: [0:00:10] :: Errors: 0 ::

Reading the docs we get a hint as to how to use the API to create an account on port 3000:

From here, we create an account at /api/user/register

POST /api/user/register HTTP/1.1
Host: secret.htb:3000
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Firefox/102.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://secret.htb:3000/
Connection: close
Upgrade-Insecure-Requests: 1
Pragma: no-cache
Cache-Control: no-cache
Content-Type: application/json
Content-Length: 82

{
    "name":"nihilist",
    "email":"nihil@nowhere.com",
    "password":"nihilist"
}

`

Then we get the JWT auth-token by going to /api/user/login/

POST /api/user/login HTTP/1.1
Host: secret.htb:3000
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Firefox/102.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://secret.htb:3000/
Connection: close
Upgrade-Insecure-Requests: 1
Pragma: no-cache
Cache-Control: no-cache
Content-Type: application/json
Content-Length: 61

{
    "email":"nihil@nowhere.com",
    "password":"nihilist"
}

`

So here we have the following JWT token:

eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJfaWQiOiI2Mzg4YzViYTU0OTM3ZTA0N2ExYmVmZDYiLCJuYW1lIjoibmloaWxpc3QiLCJlbWFpbCI6Im5paGlsQG5vd2hlcmUuY29tIiwiaWF0IjoxNjY5OTA4MDc2fQ.15gBFxEXh2My4CaXqNT0LR4jYymWsnXx0iRU8PFcKpE

With it, we can make a request to /api/priv/ :

GET /api/priv HTTP/1.1
Host: secret.htb:3000
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Firefox/102.0
auth-token: eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJfaWQiOiI2Mzg4YzViYTU0OTM3ZTA0N2ExYmVmZDYiLCJuYW1lIjoibmloaWxpc3QiLCJlbWFpbCI6Im5paGlsQG5vd2hlcmUuY29tIiwiaWF0IjoxNjY5OTA4MDc2fQ.15gBFxEXh2My4CaXqNT0LR4jYymWsnXx0iRU8PFcKpE
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://secret.htb:3000/
Connection: close
Upgrade-Insecure-Requests: 1
Pragma: no-cache
Cache-Control: no-cache
Content-Type: application/json
Content-Length: 0

Part 3 : Getting Root Access

Conclusion

Here we can see the progress graph :


Nihilist
Donate XMR to Nihilist:
8AUYjhQeG3D5aodJDtqG499N5jXXM71gYKD8LgSsFB9BUV1o
7muLv3DXHoydRTK4SZaaUBq4EAUqpZHLrX2VZLH71Jrd9k8