Introduction
Today’s exercise is a marginally simple JavaScript web exercise. It’s one of the exercises that can be more difficult if you read into it too much. Simply leveraging back end commands found online can take you a long way.
Exercise
Visiting the website, we can see it’s a simple JavaScript calculator.
Eval is a neat function that I mentioned in the introduction – I thought I exploited it in another recent writeup, but this is JavaScript, not Python.
Taking a look at the code that is downloadable via the challenge pack, we can have a look what’s been run exactly.
NodeJS – great. One of my friends gave me a hint that I should try to execute commands directly, so I started experimenting with NodeJS commands and inbuilt modules. After a bit of time, I’m able to get the directory name using the __dirname and Date() modules.
On W3 schools, it looks like we can use a file system module to interact with the system directly:
Great. Next is verifying that we can read files – using the readFileSync module.
Don’t forget to encode it or it will be a waste of time. This took me longer than I’m proud to admit!
Next, we can use the readDirSync module to find directories and files.
Simple – we can read the flag now using the same readFileSync method as earlier.
Lessons Learned
- When you have direct access to system commands, even through modules of some software – always utilize it! NodeJS is a great example of how well documented modules and back end functions can be leveraged for access and potentially remote code execution.
- Don’t forget to encode data when necessary. UTF-8 might be how we want to see our web responses, but software, especially abused back end CLIs might not read data the way we want. If it’s got a feature to do so, that’s great. Otherwise, it’s time to bring out our own encoder/decoder.
Song Of The Day – Stay With Me Tonight by Jeffrey Osborne (1983)