This box starts with a web server in which vue.js is present. Careful analysis reveals a path that is not correctly protected by the JWT check, and this path provides us with the staff password hashes. After brute-forcing the hashes we can access the web application as an unprivileged user; a further brute-force attack is necessary to obtain the secret key used by the HMAC SHA256 (aka HS256) algorithm that generates the JWT. Next, an SSRF gives access to internal documentation in which the sources of the functions are present. A first command injection, on the awk command, makes it possible to read files on the file system until the bean user's password is obtained. The second command injection, on the sed command present in the store sources, yields a shell as the www-data user. The third and final command injection, on the mail command, yields a shell as the root user.
17 December, 2022 00:00 CET
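
The first step of the chain depends on a route that skipped the JWT check. As an added example (not code from the box or from this write-up), the guard below denies by default and verifies HS256 tokens on every path that is not explicitly public. The Node.js backend, the path names, the `username` claim and the secret are assumptions constructed for illustration.

```javascript
const crypto = require('node:crypto');

// Constructed secret: 32 random bytes, so guessing it from a word list is not practical.
const SECRET = crypto.randomBytes(32);
const b64url = (data) => Buffer.from(data).toString('base64url');

// Issue an HS256 token (header.payload.signature, all base64url).
function signHS256(payload, secret) {
  const head = b64url(JSON.stringify({ alg: 'HS256', typ: 'JWT' }));
  const body = b64url(JSON.stringify(payload));
  const mac = crypto.createHmac('sha256', secret).update(`${head}.${body}`).digest();
  return `${head}.${body}.${b64url(mac)}`;
}

// Return the claims if the token is a valid HS256 token for this secret, else null.
function verifyHS256(token, secret) {
  const parts = String(token || '').split('.');
  if (parts.length !== 3) return null;
  const [head, body, sig] = parts;
  let header, payload;
  try {
    header = JSON.parse(Buffer.from(head, 'base64url').toString());
    payload = JSON.parse(Buffer.from(body, 'base64url').toString());
  } catch {
    return null;
  }
  // Pin the algorithm: never let the token choose how it is verified.
  if (!header || header.alg !== 'HS256') return null;
  const expected = crypto.createHmac('sha256', secret).update(`${head}.${body}`).digest();
  const given = Buffer.from(sig, 'base64url');
  // Constant-time comparison; the length check avoids timingSafeEqual throwing.
  if (given.length !== expected.length || !crypto.timingSafeEqual(given, expected)) return null;
  return payload;
}

// Deny by default: a route is public only if it is listed here (hypothetical path).
const PUBLIC_PATHS = new Set(['/login']);

function authorize(path, token, secret) {
  if (PUBLIC_PATHS.has(path)) return { status: 200, user: null };
  const claims = verifyHS256(token, secret);
  if (!claims) return { status: 401, user: null };
  return { status: 200, user: claims.username };
}
```

With this shape, a newly added route is protected unless someone deliberately lists it as public, which is the opposite of the per-route opt-in that leaves a path exposed.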