📚 Table of Contents

🔎 Enumeration

# Nmap 7.80 scan initiated Sat Nov 20 01:50:31 2021 as: nmap -vvv -p 22,80,3000 -sS -sV -sC -oN 10.10.11.120.secret.nmap.txt 10.10.11.120
Nmap scan report for 10.10.11.120
Host is up, received echo-reply ttl 63 (0.077s latency).
Scanned at 2021-11-20 01:50:32 PST for 15s

PORT     STATE SERVICE REASON         VERSION
22/tcp   open  ssh     syn-ack ttl 63 OpenSSH 8.2p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
80/tcp   open  http    syn-ack ttl 63 nginx 1.18.0 (Ubuntu)
| http-methods: 
|_  Supported Methods: GET HEAD POST OPTIONS
|_http-server-header: nginx/1.18.0 (Ubuntu)
|_http-title: DUMB Docs
3000/tcp open  http    syn-ack ttl 63 Node.js (Express middleware)
| http-methods: 
|_  Supported Methods: GET HEAD POST OPTIONS
|_http-title: DUMB Docs
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Read data files from: /usr/bin/../share/nmap
Service detection performed. Please report any incorrect results at <https://nmap.org/submit/> .
# Nmap done at Sat Nov 20 01:50:47 2021 -- 1 IP address (1 host up) scanned in 15.14 seconds

💥 Foothold & Exploitation

• Download git repo from website
• Get secret from git repo
• Register user
• Login with user to see auth-token format
• Forge auth-token as theadmin using secret key

#️⃣ Privilege Escalation

• Exploit is a crazy-kind of race condition
• Run /opt/count program, open /root/root.txt, background program with ctrl+z, kill -SIGSEGV $pid, bring program to fg. Use appport-unpack on the crash archive. Run strings on CoreDump extracted from crash archive to get root flag.