# Secret! ## @Author : M3tr1c_r00t  Secret is an easy linux machine which is api based in which we have to forge the api auth-token to gain an rce on the server and gain access; for root, we just exlpoit the polkit CVE-2021-4034 vulnerability to gain root priviledges! ### Enumeration... **__Nmap..__** ``` # Nmap 7.92 scan initiated Fri Nov 11 10:53:44 2022 as: nmap -sC -sV -A -v -oN nmapscan.txt 10.129.175.31 Increasing send delay for 10.129.175.31 from 0 to 5 due to 79 out of 262 dropped probes since last increase. Increasing send delay for 10.129.175.31 from 20 to 40 due to 11 out of 12 dropped probes since last increase. Increasing send delay for 10.129.175.31 from 40 to 80 due to 11 out of 12 dropped probes since last increase. Nmap scan report for 10.129.175.31 Host is up (0.47s latency). Not shown: 997 closed tcp ports (conn-refused) PORT STATE SERVICE VERSION 22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0) | ssh-hostkey: | 3072 97:af:61:44:10:89:b9:53:f0:80:3f:d7:19:b1:e2:9c (RSA) | 256 95:ed:65:8d:cd:08:2b:55:dd:17:51:31:1e:3e:18:12 (ECDSA) |_ 256 33:7b:c1:71:d3:33:0f:92:4e:83:5a:1f:52:02:93:5e (ED25519) 80/tcp open http nginx 1.18.0 (Ubuntu) |_http-title: DUMB Docs | http-methods: |_ Supported Methods: GET HEAD POST OPTIONS |_http-server-header: nginx/1.18.0 (Ubuntu) 3000/tcp open http Node.js (Express middleware) |_http-title: DUMB Docs | http-methods: |_ Supported Methods: GET HEAD POST OPTIONS Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel Read data files from: /usr/bin/../share/nmap Service detection performed. Please report any incorrect results at https://nmap.org/submit/ . # Nmap done at Fri Nov 11 10:55:48 2022 -- 1 IP address (1 host up) scanned in 123.86 seconds ``` ### Foothold and Entry... We can see there are 2 web servers up.. So let's visit the first on port 80...  After a bit of looking into the site, we find there's a source code file which we can download and look into  After unzipping the downloaded source code, we can go through it and we find that there's a git repo which mite of interest but will check on that later....  Well, after going through the git repo, i ran a directory bruteforce and we find there's an api present... ``` /api  (Status: 200) [Size: 93] /assets  (Status: 301) [Size: 179] [--> /assets/] /docs  (Status: 200) [Size: 20720] /download  (Status: 301) [Size: 183] [--> /download/] ``` And we see there's an api.... <br> So we can get a look at the documentation of the api and see how it works...  We can make a user for the api but there's an error after sending the data ...  There's a quick easy fix for this....The error is there because the data we are sending off is in json format but the content type header is url encoded, we can fix this by changing the content type to json and it works!  Next up we can log in with our new creds to the api and we get a token which we can use ahead...  After a bit of dead ends, i decided to take a look a the source code once again and i found in the private.js file, there's an admin user validation...  <br> The verification is being cross referenced from the auth-token that we were given and with that, we can try to deobfuscate the auth-token and see what it entails... <br>For this, we are going to use a site <a href="jwt.io">jwt.io</a>  With this information at hand , i went back to the git repo and we find that the .env file was removed...  On showing this git, we find a private token...  You also need to remember that on the file private.js, the auth-ticket was verifying the username to being "theadmin" So we need to change our email to gain access on the auth-token that we've found ...  After that, we can gain access to the priv directory using the auth-token... On further enumeration on the private.js file, there was a log directory which might be our entry point into the machine as it may be reading the log files directly from the server....  And we have RCE entry point! <br> We can now get our reverse shell... With our RCE, we can send our reverse shell script base64 encoded as there were some issues, probably filtering...  And now we can get our user flag... ### Priv Esc  Next, i fired up linpeas to find a way for priv esc and the system is vulnerable to polkit CVE-2021-4034  After that, i sent the python script to the machine and we got root!  Done! ### Socials @Instagram:https://instagram.com/M3tr1c_r00t <br>@Twitter:https://twitter.com/M3tr1c_root