Read my writeup to Secret machine on:
TL;DR

User: By downloading the portal's source code we found a /priv API path with permission only for the user theadmin. We also found a way to create a new user via the /api/user/register API on port 3000. After successfully logging in to the portal we found an auth-token header carrying a JWT. Reading the source code we found the file auth.js, which contains the JWT key; in the main folder we also found a .git folder, and by reverting to a specific commit we found the removed JWT key in the .env file. Using the JWT key we created an auth-token for the theadmin user and logged in as theadmin. With the theadmin token we could access the /priv API, which is implemented in the private.js file. We found an RCE on the /api/logs?file path and used it to get a reverse shell as the dasith user.
Root: In the /opt/ directory we found the file code.c, which is the source code of the /opt/count binary. In the code we see prctl(PR_SET_DUMPABLE), which is related to CVE-2020-10768: manipulation with unknown input leads to an information disclosure vulnerability. We ran the /opt/count binary, supplied an input that leads to an error, read the /var/crash logs with the apport-unpack tool and found the root flag.