gitcha

DESCRIPTION

Simon is maintaining a personal portfolio website, along with a secret which no one else knows. Can you discover his secret? FLAG FORMAT: dsc{[a-zA-Z0-9_]+}

Solution

On viewing the page source, we see a HTML comment about .git folder
We are able to access the .git folder and view its contents
Using git-dumper download the .git folder.
Check the commits git log
commit dcfb8e6db1b5d4bc80ab7af385fd6a80a7ce9561

app.get("/supersecret", (req, res) => {
-  if (req.cookies["SECRET_COOKIE_VALUE"] === "thisisahugesecret") {
-    res.send("You found the secret!");
}})

To be an admin we should simply set this as the cookie: SECRET_COOKIE_VALUE:thisisahugesecret
access /supersecret
First thought was SSTI
Testing with basic payload {{7*7}} evaluated to 49, so our payload worked
Next was to retrieve contents of flag.txt
Found a payload on HackTrickz

Payload

{{range.constructor("return global.process.mainModule.require('fs').readFileSync('flag.txt')")()}}

Adding this is a note and viewing the note gives us the flag
Flag: dsc{g1t_enum3r4ti0n_4nD_sSt1}

Resources:

https://disse.cting.org/2016/08/02/2016-08-02-sandbox-break-out-nunjucks-template-engine
https://github.com/geeknik/the-nuclei-templates/blob/main/node-nunjucks-ssti.yaml
hacktricks.xyz

Last updated 1 year ago