HackTheBox-Gunship
2022-07-02 08:34:00 【galaxy3000】
Summary
Gunship is a Web challenge on the HackTheBox CTF platform, available at https://app.hackthebox.com/challenges/gunship. It mainly tests knowledge of AST injection.

Challenge
Challenge overview
The challenge provides an attachment for download. After extracting it, the contents are as shown in the figure.
After starting the challenge instance, you are prompted to visit 138.68.142.134:32761. Visiting http://138.68.142.134:32761 shows the following web interface.

Approach
Inspecting the site's components with the Wappalyzer browser plug-in shows that the application is built with Node.js.
Look at index.js under routes:
const path = require('path');
const express = require('express');
const pug = require('pug');
const { unflatten } = require('flat');
const router = express.Router();

router.get('/', (req, res) => {
    return res.sendFile(path.resolve('views/index.html'));
});

router.post('/api/submit', (req, res) => {
    // unflatten() expands dotted keys in the request body into nested objects
    const { artist } = unflatten(req.body);
    if (artist.name.includes('Haigh') || artist.name.includes('Westaway') || artist.name.includes('Gingell')) {
        return res.json({
            // The template is compiled by pug on every matching request
            'response': pug.compile('span Hello #{user}, thank you for letting us know!')({ user: 'guest' })
        });
    } else {
        return res.json({
            'response': 'Please provide us with the full name of an existing member.'
        });
    }
});

module.exports = router;
Check package.json for the version of each component.
Among them, pug 3.0.0 has an RCE vulnerability; see https://github.com/pugjs/pug/issues/3312

In index.js we can see that the request is submitted with the POST method and that the parameters are received through req.body.
Solution
Send the request with Postman to get the flag.
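A defensive counterpart to the /api/submit handler above, as an added example that is not part of the original post or the challenge code: it rejects request bodies whose keys contain prototype-related segments and reads artist.name as a plain string without passing the body to unflatten(). The names FORBIDDEN, findPollutingKeys, readArtistName and checkSamples are hypothetical, and the sample bodies are constructed.

```javascript
// Added hardening sketch; names are hypothetical, sample bodies are constructed.
const FORBIDDEN = new Set(['__proto__', 'constructor', 'prototype']);
const own = (obj, key) => Object.prototype.hasOwnProperty.call(obj, key);

// Return every key path in a parsed JSON body that has a prototype-related segment.
// Dotted keys are split as well, because unflatten() would expand them into nesting.
function findPollutingKeys(value, prefix = '') {
  const hits = [];
  if (value === null || typeof value !== 'object') return hits;
  for (const key of Object.keys(value)) {
    const path = prefix ? `${prefix}.${key}` : key;
    if (key.split('.').some((seg) => FORBIDDEN.has(seg))) hits.push(path);
    hits.push(...findPollutingKeys(value[key], path));
  }
  return hits;
}

// Read artist.name from the flat or the nested form without expanding the body,
// and accept it only if it is a non-empty string of bounded length.
function readArtistName(body) {
  if (body === null || typeof body !== 'object') return { ok: false, reason: 'invalid body' };
  if (findPollutingKeys(body).length > 0) return { ok: false, reason: 'forbidden key' };
  let name;
  if (own(body, 'artist.name')) {
    name = body['artist.name'];
  } else if (own(body, 'artist') && body.artist !== null &&
             typeof body.artist === 'object' && own(body.artist, 'name')) {
    name = body.artist.name;
  }
  if (typeof name !== 'string' || name.length === 0 || name.length > 100) {
    return { ok: false, reason: 'invalid name' };
  }
  return { ok: true, name };
}

// Constructed request bodies, as raw JSON so that "__proto__" stays an own key.
const SAMPLES = [
  '{"artist.name":"Haigh"}',
  '{"artist":{"name":"Westaway"}}',
  '{"artist.name":"Gingell","__proto__.polluted":"x"}',
  '{"artist":{"name":"Haigh","__proto__":{"polluted":"x"}}}',
  '{"artist.name":["Haigh"]}',
];

function checkSamples() {
  return SAMPLES.map((raw) => {
    const r = readArtistName(JSON.parse(raw));
    return r.ok ? `accept:${r.name}` : `reject:${r.reason}`;
  });
}
console.log(checkSamples());
```

In the route, the handler would call readArtistName(req.body) and return a 400 response when ok is false, before any template is compiled.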