--- search: exclude: true --- # Secret Writeup ![](img/71.png) ## Introduction : Secret is an easy box released back in October 2021. ## **Part 1 : Initial Enumeration** As always we begin our Enumeration using **Nmap** to enumerate opened ports. We will be using the flags **-sC** for default scripts and **-sV** to enumerate versions. [ 10.10.14.17/23 ] [ /dev/pts/16 ] [~/HTB/Secret] → nmap -sCV secret.htb Starting Nmap 7.93 ( https://nmap.org ) at 2022-12-01 15:42 CET Nmap scan report for secret.htb (10.129.21.112) Host is up (0.081s latency). Not shown: 997 closed tcp ports (conn-refused) PORT STATE SERVICE VERSION 22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0) | ssh-hostkey: | 3072 97af61441089b953f0803fd719b1e29c (RSA) | 256 95ed658dcd082b55dd1751311e3e1812 (ECDSA) |_ 256 337bc171d3330f924e835a1f5202935e (ED25519) 80/tcp open http nginx 1.18.0 (Ubuntu) |_http-server-header: nginx/1.18.0 (Ubuntu) |_http-title: DUMB Docs 3000/tcp open http Node.js (Express middleware) |_http-title: DUMB Docs Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel Service detection performed. Please report any incorrect results at https://nmap.org/submit/ . Nmap done: 1 IP address (1 host up) scanned in 17.30 seconds ## **Part 2 : Getting User Access** Our nmap scan picked up port 80 so let's investigate: ![](prg/71_001.png) we run ffuf to look for directories on port 80: [ 10.10.14.17/23 ] [ /dev/pts/16 ] [~/HTB/Secret] → ffuf -u http://secret.htb/FUZZ -w /usr/share/seclists/Discovery/Web-Content/common.txt -mc 200,204,301,302,307,401 -t 50 /'___\ /'___\ /'___\ /\ \__/ /\ \__/ __ __ /\ \__/ \ \ ,__\\ \ ,__\/\ \/\ \ \ \ ,__\ \ \ \_/ \ \ \_/\ \ \_\ \ \ \ \_/ \ \_\ \ \_\ \ \____/ \ \_\ \/_/ \/_/ \/___/ \/_/ v1.5.0 Kali Exclusive ________________________________________________ :: Method : GET :: URL : http://secret.htb/FUZZ :: Wordlist : FUZZ: /usr/share/seclists/Discovery/Web-Content/common.txt :: Follow redirects : false :: Calibration : false :: Timeout : 10 :: Threads : 50 :: Matcher : Response status: 200,204,301,302,307,401 ________________________________________________ api [Status: 200, Size: 93, Words: 12, Lines: 1, Duration: 102ms] api/experiments [Status: 200, Size: 93, Words: 12, Lines: 1, Duration: 103ms] api/experiments/configurations [Status: 200, Size: 93, Words: 12, Lines: 1, Duration: 97ms] assets [Status: 301, Size: 179, Words: 7, Lines: 11, Duration: 83ms] docs [Status: 200, Size: 20720, Words: 6752, Lines: 487, Duration: 102ms] download [Status: 301, Size: 183, Words: 7, Lines: 11, Duration: 108ms] :: Progress: [4713/4713] :: Job [1/1] :: 405 req/sec :: Duration: [0:00:10] :: Errors: 0 :: Reading the docs we get a hint as to how to use the API to create an account on port 3000: ![](prg/71_002.png) ![](prg/71_003.png) ![](prg/71_005.png) From here, we create an account at **/api/user/register** POST /api/user/register HTTP/1.1 Host: secret.htb:3000 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Firefox/102.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Referer: http://secret.htb:3000/ Connection: close Upgrade-Insecure-Requests: 1 Pragma: no-cache Cache-Control: no-cache Content-Type: application/json Content-Length: 82 { "name":"nihilist", "email":"nihil@nowhere.com", "password":"nihilist" } ` ![](prg/71_006.png) Then we get the JWT auth-token by going to **/api/user/login/** POST /api/user/login HTTP/1.1 Host: secret.htb:3000 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Firefox/102.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Referer: http://secret.htb:3000/ Connection: close Upgrade-Insecure-Requests: 1 Pragma: no-cache Cache-Control: no-cache Content-Type: application/json Content-Length: 61 { "email":"nihil@nowhere.com", "password":"nihilist" } ` ![](prg/71_007.png) So here we have the following JWT token: eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJfaWQiOiI2Mzg4YzViYTU0OTM3ZTA0N2ExYmVmZDYiLCJuYW1lIjoibmloaWxpc3QiLCJlbWFpbCI6Im5paGlsQG5vd2hlcmUuY29tIiwiaWF0IjoxNjY5OTA4MDc2fQ.15gBFxEXh2My4CaXqNT0LR4jYymWsnXx0iRU8PFcKpE With it, we can make a request to /api/priv/ : GET /api/priv HTTP/1.1 Host: secret.htb:3000 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Firefox/102.0 auth-token: eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJfaWQiOiI2Mzg4YzViYTU0OTM3ZTA0N2ExYmVmZDYiLCJuYW1lIjoibmloaWxpc3QiLCJlbWFpbCI6Im5paGlsQG5vd2hlcmUuY29tIiwiaWF0IjoxNjY5OTA4MDc2fQ.15gBFxEXh2My4CaXqNT0LR4jYymWsnXx0iRU8PFcKpE Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Referer: http://secret.htb:3000/ Connection: close Upgrade-Insecure-Requests: 1 Pragma: no-cache Cache-Control: no-cache Content-Type: application/json Content-Length: 0 ## **Part 3 : Getting Root Access** ## **Conclusion** Here we can see the progress graph : ![](img/1_graph.png)