roaris / ctf-log


HackTheBox: Gunship (Web) #30

Open roaris opened 3 months ago

roaris commented 3 months ago

https://app.hackthebox.com/challenges/Gunship

roaris commented 3 months ago

index.js

const path              = require('path');
const express           = require('express');
const pug               = require('pug');
const { unflatten }     = require('flat');
const router            = express.Router();

router.get('/', (req, res) => {
    return res.sendFile(path.resolve('views/index.html'));
});

router.post('/api/submit', (req, res) => {
    const { artist } = unflatten(req.body);

    if (artist.name.includes('Haigh') || artist.name.includes('Westaway') || artist.name.includes('Gingell')) {
        return res.json({
            'response': pug.compile('span Hello #{user}, thank you for letting us know!')({ user: 'guest' })
        });
    } else {
        return res.json({
            'response': 'Please provide us with the full name of an existing member.'
        });
    }
});

module.exports = router;

Can the flag really be read with just this? That is my impression.
About unflatten: https://www.npmjs.com/package/flat
pug is a template engine for Node.js: https://github.com/pugjs/pug

roaris commented 3 months ago

Searching for "pug exploit" turned up https://security.snyk.io/vuln/SNYK-JS-PUG-1071616. Affected versions are those below 3.0.1. Looking at yarn.lock, the version was 3.0.0.

pug@^3.0.0:
  version "3.0.0"
  resolved "https://registry.yarnpkg.com/pug/-/pug-3.0.0.tgz#101eecd7a236cd9906e420e17799d4d57f2b7d93"
  integrity sha512-inmsJyFBSHZaiGLaguoFgJGViX0If6AcfcElimvwj9perqjDpUpw79UIEDZbWFmoGVidh08aoE+e8tVkjVJPCw==
  dependencies:
    pug-code-gen "^3.0.0"
    pug-filters "^4.0.0"
    pug-lexer "^5.0.0"
    pug-linker "^4.0.0"
    pug-load "^3.0.0"
    pug-parser "^6.0.0"
    pug-runtime "^3.0.0"
    pug-strip-comments "^2.0.0"

https://www.hackingloops.com/ssti-in-pug/

roaris commented 3 months ago

It seems flat has a vulnerability as well: https://github.com/advisories/GHSA-2j2x-2gpw-g8fm. Affected versions are those below 5.0.1. Looking at yarn.lock, the version was 5.0.0.

flat@5.0.0:
  version "5.0.0"
  resolved "https://registry.yarnpkg.com/flat/-/flat-5.0.0.tgz#dab7d71d60413becb0ac2de9bf4304495e3af6af"
  integrity sha512-6KSMM+cHHzXC/hpldXApL2S8Uz+QZv+tq5o/L0KQYleoG+GcwrnIJhTWC7tCOiKQp8D/fIvryINU1OZCCwevjA==
  dependencies:
    is-buffer "~2.0.4"

roaris commented 3 months ago

About prototype pollution
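As an added illustration (not from this thread, the challenge, or either library), a minimal constructed unflatten showing how a `__proto__` key segment reaches Object.prototype in the unfiltered style of flat < 5.0.1, next to a hardened version and a stricter form of the member check from the index.js above. `naiveUnflatten`, `safeUnflatten`, `validateSubmission` and the sample body are all constructed here; the naive function is a simplification written for this example, not flat's code.

```javascript
// Minimal dotted-key unflatten, constructed so the mechanism runs offline; it is NOT the
// flat library's code. Like flat < 5.0.1 it does not filter segments, so a "__proto__"
// segment walks onto Object.prototype (out['__proto__'] is never undefined).
function naiveUnflatten(flatObj) {
  const out = {};
  for (const [dotted, value] of Object.entries(flatObj)) {
    const parts = dotted.split('.');
    let cur = out;
    for (let i = 0; i < parts.length - 1; i++) {
      if (cur[parts[i]] === undefined) cur[parts[i]] = {};
      cur = cur[parts[i]];
    }
    cur[parts[parts.length - 1]] = value;
  }
  return out;
}
// Constructed body in the dotted form flat accepts; shows the pollution, then undoes it.
function demonstratePollution() {
  const parsed = naiveUnflatten({ 'artist.name': 'Haigh', '__proto__.polluted': 'yes' });
  const leaked = ({}).polluted;      // a fresh, unrelated object now inherits the key
  delete Object.prototype.polluted;  // clean up so nothing else in the process is affected
  return { name: parsed.artist.name, leaked };
}

// Hardened variant: refuse segments that reach the prototype chain; reuse only own-property containers.
const FORBIDDEN = new Set(['__proto__', 'constructor', 'prototype']);
function safeUnflatten(flatObj) {
  const out = {};
  for (const [dotted, value] of Object.entries(flatObj)) {
    const parts = dotted.split('.');
    if (parts.some((p) => FORBIDDEN.has(p))) throw new Error(`rejected key "${dotted}"`);
    let cur = out;
    for (let i = 0; i < parts.length - 1; i++) {
      if (!Object.prototype.hasOwnProperty.call(cur, parts[i])) cur[parts[i]] = {};
      cur = cur[parts[i]];
    }
    cur[parts[parts.length - 1]] = value;
  }
  return out;
}
// The /api/submit member check from index.js, but polluting keys are rejected up front and
// artist.name must be a real string (an object there would have thrown in .includes).
const MEMBERS = ['Haigh', 'Westaway', 'Gingell'];
function validateSubmission(body) {
  let parsed;
  try { parsed = safeUnflatten(body); } catch (e) { return { ok: false, reason: e.message }; }
  const name = parsed.artist && parsed.artist.name;
  if (typeof name !== 'string') return { ok: false, reason: 'artist.name must be a string' };
  return { ok: MEMBERS.some((m) => name.includes(m)), reason: null };
}
```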

roaris commented 3 months ago

https://github.com/nandan-desai-extras/prototype-pollution/blob/master/gunship-walkthrough.md
I read the writeup, but apparently you need to trace through pug's source code.