# illusion - pwn2win 2021

tl;dr

• Use the prototype pollution vulnerability in fast-json-patch to pollute the value of outputFunctionName
• Get a shell, as the flag can only be obtained using a binary file

No. Of Solves: 78

Challenge points: 151

Solved By: 1nt3rc3pt0r, Captain-Kay

## Challenge Description

Laura just found a website used for monitoring security mechanisms on Rhiza’s state and is planning to hack into it to forge the status of these security services. After that she will deactivate these security resources without alerting government agents. Your goal is to get into the server to change the monitoring service behavior.

Source Code: here

## Analysis

We have a list of services and their statuses in index.js.

The endpoint /change_status is used to update the status of services; this is done with the help of a package called fast-json-patch.

fast-json-patch previously had a prototype pollution vulnerability, which was said to be fixed in the version used in the challenge.

The patch was not good enough to prevent prototype pollution: it only checks for the existence of __proto__, so prototype pollution is still possible by going through the prototype via constructor. Check Here

## Solution

Now we can overwrite any value we need using the path constructor/prototype/<variable>.
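As an added defensive example (not code from the challenge or from fast-json-patch), the validator below closes the gap described in the Analysis section and above: instead of checking only for __proto__, it rejects every JSON Pointer segment that can reach Object.prototype, including constructor and prototype. The function names and the sample patch are constructed for this illustration.

```javascript
// Added example, not part of the original writeup or of fast-json-patch.
// Every segment that can lead from a plain object to Object.prototype.
const FORBIDDEN_SEGMENTS = new Set(['__proto__', 'constructor', 'prototype']);

// Decode one RFC 6901 JSON Pointer segment: "~1" -> "/", "~0" -> "~".
function decodeSegment(seg) {
  return seg.replace(/~1/g, '/').replace(/~0/g, '~');
}

// True when the pointer never walks through a forbidden segment.
// "" is the whole-document pointer; anything else must start with "/".
function isSafeJsonPointer(path) {
  if (typeof path !== 'string') return false;
  if (path === '') return true;
  if (path[0] !== '/') return false;
  return path
    .slice(1)
    .split('/')
    .map(decodeSegment)
    .every((seg) => !FORBIDDEN_SEGMENTS.has(seg));
}

// Validate a whole patch document before handing it to any JSON-patch
// library: "path" on every op, and "from" on move/copy, must be safe.
// Returns the offending pointers so the request can be rejected and logged.
function findUnsafePaths(patch) {
  const bad = [];
  for (const op of patch) {
    for (const key of ['path', 'from']) {
      if (Object.prototype.hasOwnProperty.call(op, key) &&
          !isSafeJsonPointer(op[key])) {
        bad.push(op[key]);
      }
    }
  }
  return bad;
}

// Constructed sample: one legitimate status update plus two polluting ops,
// the second of which bypasses a check that looks only for "__proto__".
const SAMPLE_PATCH = [
  { op: 'replace', path: '/services/0/status', value: 'down' },
  { op: 'add', path: '/__proto__/polluted', value: 1 },
  { op: 'add', path: '/constructor/prototype/polluted', value: 1 },
];

console.log('rejected pointers:', findUnsafePaths(SAMPLE_PATCH));
```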

### RCE using Prototype pollution

We have ejs as the template engine, and injecting code into outputFunctionName in ejs.js can lead to RCE. Check Here