Illusion - web - 152 pts

Laura just found a website used for monitoring security mechanisms on Rhiza's state and is planning to hack into it to forge the status of these security services. After that she will deactivate these security resources without alerting government agents. Your goal is to get into the server to change the monitoring service behavior.

Server: `nc illusion.pwn2win.party 1337`

`Dockerfile` and `entrypoint.sh` do not contain anything interesting. `index.js` contains a web service built on `express` and `ejs` that basically displays a formatted JavaScript object, `service`, as a table on the frontend. The `/change_status` endpoint lets us replace a property of the JS object `service` with our own input, using the library `fast-json-patch`. Something noteworthy: there is no validation at all on the input values, so we can provide an object `{}` where a string is expected.

On the `fast-json-patch` GitHub page there is an open pull request fixing a prototype pollution bug. At this point we already know the bug; the rest is just crafting the exploit for RCE.

From the EJS documentation (https://ejs.co/): "outputFunctionName: Set to a string (e.g., 'echo' or 'print') for a function to print output inside scriptlet tags."

We can pollute `outputFunctionName` in EJS to get RCE. So the idea is:

1. Replace the `service.cameras` property with an object `{}`.
2. Set `service.cameras.constructor.prototype.outputFunctionName` to our RCE reverse shell payload.

Flag: `CTF-BR{d0nt_miX_pr0totyPe_pol1ution_w1th_a_t3mplat3_3ng1nE!}`
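The root cause is the unvalidated patch input reaching `fast-json-patch`, so the natural fix sits in front of the library. The following is an added defensive example, not the challenge's `index.js` and not code from `fast-json-patch` or EJS: a `change_status` handler that validates every JSON-patch operation (only `replace`, only whitelisted top-level fields, only whitelisted string values, no pointer segment named `__proto__`, `constructor` or `prototype`) and then applies the ops with its own minimal replace logic that writes own properties only. The field names and status values are constructed for the example; the Express wiring is omitted so it runs stand-alone.

```javascript
// Added defensive example (not the challenge's index.js, not fast-json-patch code).
// A hardened change_status handler: every JSON-patch operation is validated
// before anything is applied, and application itself only ever writes own,
// top-level properties of `service`, so the prototype chain is never reached.

const FORBIDDEN_SEGMENTS = new Set(["__proto__", "constructor", "prototype"]);
const ALLOWED_PATHS = new Set(["/cameras", "/alarms", "/sensors"]);   // constructed field names
const ALLOWED_STATUS = new Set(["online", "offline", "maintenance"]); // constructed status values

// Returns { ok: true } or { ok: false, reason }. Rejects anything that is not a
// "replace" of one whitelisted top-level field with one whitelisted string.
function validateOps(ops) {
  if (!Array.isArray(ops) || ops.length === 0) {
    return { ok: false, reason: "patch must be a non-empty array" };
  }
  for (const op of ops) {
    if (op === null || typeof op !== "object" || Array.isArray(op)) {
      return { ok: false, reason: "operation must be an object" };
    }
    if (op.op !== "replace") {
      return { ok: false, reason: `operation "${String(op.op)}" is not allowed` };
    }
    if (typeof op.path !== "string" || !op.path.startsWith("/")) {
      return { ok: false, reason: "path must be a JSON pointer string" };
    }
    // Check every pointer segment: a path that descends through constructor or
    // prototype must never reach the patch library, whatever version is installed.
    const segments = op.path.slice(1).split("/");
    if (segments.some((s) => FORBIDDEN_SEGMENTS.has(s))) {
      return { ok: false, reason: "path walks into a prototype" };
    }
    if (segments.length !== 1 || !ALLOWED_PATHS.has(op.path)) {
      return { ok: false, reason: `path ${op.path} is not a status field` };
    }
    // The challenge's bug started with accepting {} where a string was expected.
    if (typeof op.value !== "string") {
      return { ok: false, reason: "value must be a string" };
    }
    if (!ALLOWED_STATUS.has(op.value)) {
      return { ok: false, reason: `unknown status "${op.value}"` };
    }
  }
  return { ok: true };
}

// Applies already-validated replace ops to a copy of `service`.
// Only existing own properties are written; nothing is created or walked.
function applyReplaceOps(service, ops) {
  const next = { ...service };
  for (const op of ops) {
    const key = op.path.slice(1);
    if (!Object.prototype.hasOwnProperty.call(next, key)) {
      throw new Error(`unknown field ${key}`);
    }
    next[key] = op.value;
  }
  return next;
}

// Handler logic without Express: returns an HTTP status, a body and the new state.
function changeStatus(service, ops) {
  const verdict = validateOps(ops);
  if (!verdict.ok) {
    return { status: 400, body: { error: verdict.reason }, service };
  }
  return { status: 200, body: { ok: true }, service: applyReplaceOps(service, ops) };
}

// Constructed monitoring state, frozen so a handler bug cannot mutate it in place.
const service = Object.freeze({ cameras: "online", alarms: "online", sensors: "online" });

// Three requests: a legitimate status change, the object-instead-of-string input
// from the writeup, and a pointer that tries to descend into the prototype.
function demo() {
  const legit = changeStatus(service, [{ op: "replace", path: "/cameras", value: "offline" }]);
  const objectValue = changeStatus(service, [{ op: "replace", path: "/cameras", value: {} }]);
  const protoPath = changeStatus(service, [
    { op: "replace", path: "/cameras/constructor/prototype/outputFunctionName", value: "online" },
  ]);
  return {
    legit,
    objectValue,
    protoPath,
    // After all three requests, nothing has leaked into the shared prototype.
    prototypeClean: !("outputFunctionName" in Object.prototype),
  };
}

console.log(JSON.stringify(demo(), null, 2));
```

The whitelist on `path` and `value` is the part that actually closes the hole: type-checking the value alone would have stopped step 1 of the writeup, but only a segment check stops a pointer that descends through `constructor` once some other property is already an object. As defence in depth, the Node process can additionally be started with `--frozen-intrinsics`, which freezes `Object.prototype` and the other built-ins so a missed case cannot set `outputFunctionName` on them at all.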