Secret
RETIRED MACHINE

Operating system: Linux
Difficulty: Easy

Machine rating: 4.3
User owns: 10506
System owns: 9179
Released: 30/10/2021
Created by z9fr

Machine Synopsis

Secret is an easy Linux machine that features a website that provides the source code for a custom authentication API. Enumeration of the provided source code reveals that it is in fact a `git` repository. Reviewing previous commits reveals the secret required to sign the JWT tokens that the API uses to authenticate users. A review of the source code shows that the `/logs` endpoint is vulnerable to command injection, provided that the user accessing it presents a token identifying them as `theadmin`. With the signing secret, we can forge a malicious token that spoofs our identity as `theadmin` and exploit the vulnerable endpoint to get a reverse shell on the remote machine as the user `dasith`. Enumerating the remote file system, we find a SUID binary along with its source code. The SUID binary runs as `root` and reads any file on the remote system. Furthermore, core dumps are enabled, meaning that if a crash occurs while the binary is running with a sensitive file loaded, the core dump will contain the file's contents. Exploiting this path, we can get the contents of root's SSH key and get a shell as `root` on the remote machine.
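One mitigation for the core-dump leak described above, as an added example that is not part of the original page or the machine's own code: a privileged file-reading helper turns off core dumps before it touches file contents and wipes its buffer afterwards. The function names and the byte-counting task are assumptions made for illustration.

```c
#include <fcntl.h>
#include <stdio.h>
#include <sys/prctl.h>
#include <sys/resource.h>
#include <unistd.h>

/* Turn off core dumps for this process. Returns 0 on success, -1 on error.
 * Call it after any setuid()/seteuid() change, since a credential change
 * resets the dumpable flag to the fs.suid_dumpable default. */
int disable_core_dumps(void) {
    struct rlimit none = { 0, 0 };            /* soft and hard limit: 0 bytes */
    if (setrlimit(RLIMIT_CORE, &none) != 0)
        return -1;
    if (prctl(PR_SET_DUMPABLE, 0, 0, 0, 0) != 0)
        return -1;
    return 0;
}

/* Returns 1 when both protections are in effect, 0 otherwise. */
int core_dumps_disabled(void) {
    struct rlimit cur;
    if (getrlimit(RLIMIT_CORE, &cur) != 0)
        return 0;
    return cur.rlim_cur == 0 && cur.rlim_max == 0 &&
           prctl(PR_GET_DUMPABLE, 0, 0, 0, 0) == 0;
}

/* Hypothetical privileged helper: report a file's size without leaving its
 * contents where a crash could expose them. Returns -1 on any failure. */
long count_bytes_hardened(const char *path) {
    unsigned char buf[4096];
    volatile unsigned char *wipe = buf;   /* volatile: the wipe is not optimised away */
    long total = 0;
    ssize_t n;
    size_t i;
    int fd;

    if (disable_core_dumps() != 0)        /* fail closed: read nothing if this fails */
        return -1;
    if ((fd = open(path, O_RDONLY)) < 0)
        return -1;
    while ((n = read(fd, buf, sizeof buf)) > 0)
        total += (long)n;
    close(fd);
    for (i = 0; i < sizeof buf; i++)      /* clear the last chunk that was read */
        wipe[i] = 0;
    return n < 0 ? -1 : total;
}
```

This closes only the core-dump channel; a SUID binary that reads arbitrary files on behalf of any user still needs its own access checks.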
