This marks challenge 18 of 24 from the Advent of CTF. The ultimate goal in this challenge is to abuse the JavaScript eval function to read a remote file on the server.
Navigating to the web page, we are presented with a form where we can submit data. Upon submitting random numeric data, it is echoed back to us, as seen below.
What if we add a mathematical operation to the input instead, for example? Will it compute? Let's find out using Burp Suite and the mighty Repeater. Upon entering `333+333` we get the following response from the web server:
In the response pictured above we can see that the server did some calculation for us. Many web applications run on JavaScript, and in this particular case it looks like the JavaScript eval function is being used to evaluate our input. Let's investigate further by comparing two identical integers with `==`.
As seen above, our comparison returned true, which confirms that the JavaScript eval function is evaluating our input. A brief explanation of the eval function: "The eval function evaluates or executes an argument. If the argument is an expression, eval evaluates the expression. If the argument is one or more JavaScript statements, eval executes the statements." This means that we can inject our own malicious JavaScript code.
We now know that we can inject our own malicious JavaScript code because of the eval function. The flag is located in the current directory and is called flag.txt. After trying multiple payloads I could read the /etc/passwd file with the following payload: `{root.process.mainModule.require('child_process').spawnSync('cat', ['/etc/passwd']).stdout}`.
We have now confirmed that we can read arbitrary files on the server, so let's get our flag and score our well-deserved points. For this we change our payload slightly to print out the contents of the flag.txt file: `{root.process.mainModule.require('child_process').spawnSync('cat', ['flag.txt']).stdout}`.
And there is our flag! The big takeaway from this challenge is never to pass user-controlled input to the eval function: anything eval can evaluate, an attacker can turn into arbitrary code execution on the server. Thanks for reading and happy hacking!
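As an added illustration of that takeaway (example code written for this writeup, not the challenge's own server code), here is the unsafe calculator pattern beside a hardened version that only accepts arithmetic. The hardened version uses a small hand-written parser instead of eval, so input like the `root.process.mainModule...` payload above is rejected at the first unexpected token.

```javascript
// Unsafe pattern the challenge abuses: the whole string is handed to eval(),
// so any JavaScript expression runs with the server's privileges.
function unsafeCalc(input) {
  return String(eval(input));
}

// Hardened alternative: a recursive-descent parser that understands only
// numbers, + - * / and parentheses. Everything else raises an error.
function safeCalc(input) {
  // Tokenise into numbers, operators and parentheses; \S catches any
  // stray character (letters, dots, quotes) as a single token to reject.
  const tokens = input.match(/\d+(\.\d+)?|[-+*/()]|\S/g) || [];
  let pos = 0;
  const peek = () => tokens[pos];
  const next = () => tokens[pos++];

  function expr() {               // expr := term (('+' | '-') term)*
    let v = term();
    while (peek() === '+' || peek() === '-') {
      v = next() === '+' ? v + term() : v - term();
    }
    return v;
  }
  function term() {               // term := factor (('*' | '/') factor)*
    let v = factor();
    while (peek() === '*' || peek() === '/') {
      v = next() === '*' ? v * factor() : v / factor();
    }
    return v;
  }
  function factor() {             // factor := number | '-' factor | '(' expr ')'
    const t = next();
    if (t === undefined) throw new Error('unexpected end of input');
    if (t === '(') {
      const v = expr();
      if (next() !== ')') throw new Error('missing closing parenthesis');
      return v;
    }
    if (t === '-') return -factor();
    if (/^\d/.test(t)) return Number(t);
    throw new Error(`rejected token: ${t}`);
  }

  const result = expr();
  if (pos !== tokens.length) throw new Error(`rejected token: ${peek()}`);
  return result;
}

console.log(safeCalc('333+333'));   // 666, same answer the challenge server gave
```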