BlitzProp was a Web CTF challenge which was vulnerable to AST injection with Prototype Pollution on NodeJS. Let’s get right into it.
The webpage:
The input asks for a valid song: any song you choose of the 4 presented, and it will output a “Thank you” message.
Trying to input anything other than the songs prints out an error.
Checking the web application’s source code (which was available for download as part of the challenge), the following is found:
The web application seems to use ‘pug’, and it also hinted at “ASTa la vista baby” and “Not Polluting with the boys”. That points to a vulnerability called “AST injection”, reached here through prototype pollution.
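As an added example (not the challenge’s own source, which is not reproduced here), the prototype-pollution half of the bug: an assumed deep merge of the JSON body of POST /api/submit that follows an own `__proto__` key, beside a hardened merge that drops such keys. `mergeDeep`, `safeMergeDeep`, `submitAndProbe` and the body shape are assumptions for illustration.

```javascript
// Added example, not the challenge's code; merge names and body shape are assumptions.
// Vulnerable: follows an own "__proto__" key from untrusted JSON, so the recursion
// lands on Object.prototype and every object in the process is affected.
function mergeDeep(target, source) {
  for (const key of Object.keys(source)) {
    const value = source[key];
    if (value !== null && typeof value === 'object' && !Array.isArray(value)) {
      if (target[key] === null || typeof target[key] !== 'object') target[key] = {};
      mergeDeep(target[key], value);   // target["__proto__"] is Object.prototype here
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Hardened: refuse keys that reach the prototype chain and only recurse into
// own, prototype-less containers.
const FORBIDDEN_KEYS = new Set(['__proto__', 'constructor', 'prototype']);
function safeMergeDeep(target, source) {
  for (const key of Object.keys(source)) {
    if (FORBIDDEN_KEYS.has(key)) continue;
    const value = source[key];
    if (value !== null && typeof value === 'object' && !Array.isArray(value)) {
      if (!Object.prototype.hasOwnProperty.call(target, key) ||
          target[key] === null || typeof target[key] !== 'object') {
        target[key] = Object.create(null);
      }
      safeMergeDeep(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Simulates one POST /api/submit: parse the body, merge it into a fresh per-request
// object, then probe a brand-new object for the injected property. Returns true
// when Object.prototype was polluted; the cleanup keeps later calls independent.
function submitAndProbe(rawJson, merge) {
  const body = JSON.parse(rawJson);   // JSON.parse keeps "__proto__" as an own key
  merge({}, body);
  const polluted = 'polluted' in {};
  delete Object.prototype.polluted;
  return polluted;
}

// Constructed sample body (not the challenge's real payload).
const SAMPLE_BODY = '{"song":"example song","__proto__":{"polluted":"yes"}}';
```

The probe object is created after the merge and never touched by it, which is the point: once `Object.prototype` carries the injected key, later template rendering in the same process sees it too.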
A snippet of exploit code found on the article page:
Modifying the script to match our target webpage (which runs in a docker container):
I have added a proxy on 127.0.0.1:8080 to catch the requests with Burp Suite
That script would send a POST request to /api/submit with the AST injection included in the POST data, attempting to run the command “ls”.
Pressing “Intercept On” in Burp to intercept the requests sent to the server:
Running the script
Caught the request:
Now pressing CTRL+R to send it to “Repeater”
Seems like this is generating an error. (The good kind (; )
Going back to the main webpage to send a correct movie name:
It seems like it executed the command “ls” and returned its output inside an error! (`ls` on its own wouldn’t work, so I had to bypass this by generating an error while executing the command.)
We have RCE now!
Looks like the flag file is named “flagrmOBf”; let’s try to send another POST request to “cat” it:
Sending another GET request to the main webpage with a valid movie name:
The contents of the flag are being output; grabbing the flag!
CHTB{p0llute_with_styl3}
Nice, simple and very educational web challenge.