Secret was an easy machine. The source code of the API was provided to us, so we could run git log and find the token_secret. With it we could access an admin feature that let us provide a filename, which we then used to gain a reverse shell. For root, there was a binary with the setuid bit set that also had core dumps enabled. We used this to dump the memory state of the program while the content of the file we wanted to read was still in memory. This is how we got root's id_rsa and then logged in over SSH as root.
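The root step works because the privileged process can be made to dump memory that still holds the file it read. As an added example (not code from the machine or from this writeup), here is how a setuid reader on Linux can clear its dumpable flag before touching the file and wipe its buffer afterwards. The helper `count_lines` and the default path in `main` are assumptions made for illustration.

```c
#include <fcntl.h>
#include <stdio.h>
#include <sys/prctl.h>
#include <sys/resource.h>
#include <unistd.h>

/* Make this process non-dumpable. Returns 0 on success, -1 on error. */
int disable_core_dumps(void)
{
    struct rlimit none = { 0, 0 };
    /* Core size limit 0: no core file on disk. This alone does not cover
       every core_pattern setup, so the dumpable flag is cleared as well. */
    if (setrlimit(RLIMIT_CORE, &none) != 0)
        return -1;
    /* Linux resets this flag on execve() and on credential changes, so
       call this after any setuid()/seteuid() the program performs. */
    return prctl(PR_SET_DUMPABLE, 0, 0, 0, 0) == 0 ? 0 : -1;
}

/* Zero a buffer through a volatile pointer so the stores are kept. */
void wipe(void *buf, size_t len)
{
    volatile unsigned char *p = buf;
    while (len--)
        *p++ = 0;
}

/* Hypothetical helper: count newlines in a file the caller may not be
   allowed to read directly. Returns the count, or -1 on error. */
long count_lines(const char *path)
{
    char buf[4096];
    long lines = 0;
    ssize_t n;
    int fd;
    if (disable_core_dumps() != 0)   /* before any sensitive byte is read */
        return -1;
    if ((fd = open(path, O_RDONLY)) < 0)
        return -1;
    while ((n = read(fd, buf, sizeof buf)) > 0)
        for (ssize_t i = 0; i < n; i++)
            lines += (buf[i] == '\n');
    wipe(buf, sizeof buf);           /* leave no copy on the stack */
    close(fd);
    return n < 0 ? -1 : lines;
}

int main(int argc, char **argv)
{
    printf("%ld\n", count_lines(argc > 1 ? argv[1] : "/etc/hostname"));
    return 0;
}
```

The example uses `read()` rather than stdio because a `FILE` stream keeps its own internal copy of the data that `wipe` would not reach.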
nmap found three open ports: 22, 80 and 3000.