This was the first web challenge I solved in the Cyber Apocalypse 2022 CTF. This challenge had a downloadable portion with a fake flag as well as a web instance with an actual flag. Since the CTF has been over for a while and I didn't capture any of the actual challenge, I am recreating the steps I took here using the docker container.

Recon#

First, I took a look at the challenge in a browser.

image

Invoices can be viewed and created.

image

My first thought was that there might be server side template injection (SSTI).

image

image

Unfortunately, that was not the case.

Analyze the source#

For web challenges with downloadable docker instances, the first thing is to figure out what the back end is. Reading the source files here, this is a node.js app. For node apps, the best place to start looking is in the package.json. I want to see if there are any out of date or known vulnerable plugins. This app is using the following:

"express": "4.17.3",
"md-to-pdf": "4.1.0",
"nunjucks": "3.2.3",
"sqlite-async": "1.1.3",
"uuid": "8.3.2"

md-to-pdf is the first one that I look into more, because I know that there is an RCE vulnerability in certain versions. This specific vulnerability it tracked as CVE-2021-23639. A proof of concept is available at Synk

The poc was modified to output to a directory that is easy to access ---jsn((require("child_process")).execSync("id > /app/static/RCE.txt"))n---RCE

Unfortunately, all I got was “something went wrong” and some error messages in the docker log. From previous experience, I knew that the n in that line might need to be \n, so I tried that as well. That didn't work either. Then I decided that it might literally need to be a newline in the textbox.

---js
((require("child_process")).execSync("id > /app/static/RCE.txt"))
---

and that worked.

image

Now, just change the exploit to copy the flag to somewhere we can read.

---js
((require("child_process")).execSync("cp /flag.txt /app/static/flag.txt"))
---

image

There’s the flag.