We covered command injection and execution in Node.js. The scenario included an input box that passes user input as numbers to a calculator function, which uses eval() to compute and return the result of the arithmetic operation to the user. Neither eval() nor the calculator implements any input validation, which allowed us to call Node.js methods such as readdirSync() and readFileSync() to read sensitive files. This was part of the HackTheBox JSCalc web challenge.


CHALLENGE DESCRIPTION
In the mysterious depths of the digital sea, a specialized JavaScript calculator has been crafted by tech-savvy squids. With multiple arms and complex problem-solving skills, these cephalopod engineers use it for everything from inkjet trajectory calculations to deep-sea math. Attempt to outsmart it at your own risk! 🦑

Video Highlights

To learn more about the active Node.js process, use the global object process. require() is not needed because it is global. It offers a plethora of helpful properties and methods to gain more control over system interactions.

For instance, the Node.js process's current working directory is returned by process.cwd(). I used our program to test this, and I received the results. I didn't activate Burp; I only needed to use the browser console to examine the payload and see the answer.

Reading data from a flag.txt file on the server was the aim of the challenge. The Node.js fs module, which needs to be loaded with require('fs'), can help do this. There are synchronous and asynchronous versions of every method. It makes working with the file system possible (accessing, managing and modifying files, etc.) and includes a wide range of methods and properties. A directory's contents can be listed using the readdir() or readdirSync() (synchronous version) method of the fs module, which functions similarly to the ls or dir commands on Linux and Microsoft Windows, respectively.

We used the payloads below to solve the challenge:

require('fs').readdirSync('/app').toString()

require('fs').readdirSync('../').toString()

require('fs').readFileSync('/flag.txt').toString()
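As an added example (not the challenge's code, and not from the post's author), the eval()-based calculator pattern the post describes next to a hardened replacement that parses arithmetic itself instead of handing the input to eval(); the names unsafeCalc and safeCalc are hypothetical.

```javascript
// Vulnerable pattern from the challenge: whatever string the user submits is
// executed as JavaScript, so require('fs') and process are reachable.
function unsafeCalc(formula) {
  return eval(formula);
}

// Hardened replacement: allow-list the characters, then evaluate with a small
// recursive-descent parser that only knows numbers, + - * / and parentheses.
// Any payload containing letters, quotes or dots-as-member-access is rejected
// before anything is evaluated.
function safeCalc(formula) {
  if (typeof formula !== 'string' || !/^[\d\s+\-*\/().]+$/.test(formula)) {
    throw new Error('rejected: only digits, whitespace and + - * / ( ) allowed');
  }
  const tokens = formula.match(/\d+(?:\.\d+)?|[+\-*\/()]/g) || [];
  let pos = 0;
  const peek = () => tokens[pos];
  const next = () => tokens[pos++];

  function expr() { // term (('+' | '-') term)*
    let v = term();
    while (peek() === '+' || peek() === '-') v = next() === '+' ? v + term() : v - term();
    return v;
  }
  function term() { // factor (('*' | '/') factor)*
    let v = factor();
    while (peek() === '*' || peek() === '/') v = next() === '*' ? v * factor() : v / factor();
    return v;
  }
  function factor() { // number | '-' factor | '(' expr ')'
    const t = next();
    if (t === '(') {
      const v = expr();
      if (next() !== ')') throw new Error('rejected: unbalanced parentheses');
      return v;
    }
    if (t === '-') return -factor();
    if (t === undefined || !/^\d/.test(t)) throw new Error('rejected: unexpected token ' + t);
    return Number(t);
  }

  const result = expr();
  if (pos !== tokens.length) throw new Error('rejected: trailing input');
  return result;
}
```

The allow-list check alone blocks the readdirSync/readFileSync payloads above; the parser is what guarantees that even allowed characters cannot be assembled into anything other than arithmetic.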


Video Walkthrough

About the Author

Cybersecurity trainer. MS in Cybersecurity. Expertise in the healthcare and finance industries. Penetration tester and compliance auditor.
