Baby Breaking Grad: A Peek Into Unsafe Code Execution Vulnerability

Introduction:

Today we'll walk you through a fascinating cybersecurity challenge dubbed 'Baby Breaking Grad.' We play university students who corrected our physics teacher's paper, and as revenge, he's flunking us. The only way we can graduate is to take matters into our own hands and figure out a way to pass.

Machine Name: baby breaking grad

Difficulty: Easy

Category: Web

Description:

We corrected the math in our physics teacher's paper and now he is failing us out of spite for making a fool out of him in the university's research symposium, now we can't graduate, unless we can do something about it...

Inspecting the Source Code:

Upon spawning the machine, we download the source code and examine the webpage. The source gives us the folder structure and configuration, which provides an overview of what happens server-side.

Intercepting the Request:

When we click on "Did I Pass?", a POST request is sent to /api/calculate, and the response is generated from the parameters in the request body. We decide to dig into the code to see how the server processes this request.

Understanding the index.js:

In the index.js file from the source code, we notice the '/api/calculate' endpoint. It fetches the 'student' object from the request body and returns an error if the student name is undefined. Otherwise, it calculates the pass/fail status based on a formula. Two specific students, 'Baker' and 'Purvis', are rejected straight away.

The StudentHelper.js:

The StudentHelper.js file decides whether a student has passed, given an exam score, a paper score, and an assignment score. If the total score is greater than or equal to 10.5, the student is considered to have passed. However, the module also marks any student whose name contains 'Baker' or 'Purvis' as failed, irrespective of their scores.

Prototype Pollution Vulnerability:

StudentHelper.js uses 'static-eval' version 2.0.2, which has a known vulnerability: an expression it is supposed to evaluate safely can escape the sandbox and execute arbitrary code (an unsafe code execution issue usually discussed alongside prototype pollution). With this in mind, we know we can exploit it to gain unauthorized access to sensitive server information.

Crafting the Payload:

We create a payload that exploits this vulnerability:

Payload = "(function (r){return ''[r?r:'length'][r]})('constructor')('throw new TypeError(global.process.mainModule.constructor._load(\"child_process\").execSync(\"cat /etc/passwd\").toString())')()"

This payload works because the code it builds spawns a child process and then throws a TypeError whose message carries the command output, so the server hands that output back to us. In this case, we execute "cat /etc/passwd" to get the user list of the server.

Fetching the Flag:

Sending this payload with Burp Suite, we successfully retrieve the contents of /etc/passwd, which gives us valuable user information.

Next, we run 'ls' to list the contents of the current directory. This reveals the filename of the flag.

Finally, we 'cat' the flag file to fetch the flag. However, the flag contains a URL-encoded character ('''), which has to be replaced with an apostrophe before the flag is accepted.

Conclusion:

The 'Baby Breaking Grad' challenge brings to light the severe consequences of evaluating user-controlled expressions, the kind of bug that the prototype pollution and unsafe-eval family of vulnerabilities covers. It underscores the importance of secure coding habits that avoid such exploits. In the world of cybersecurity, it's not just about passing exams; it's about ensuring systems pass the test of security as well!
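For the secure-coding angle, here is an added example (my own code, not the challenge's StudentHelper.js) of how a grading formula can be evaluated without static-eval: a tiny recursive-descent evaluator that only understands numbers, named scores from a fixed scope, the four arithmetic operators and parentheses, so the string literals, property lookups and calls that the payload above depends on never parse. The score names 'exam', 'paper' and 'assignment', the formula string and the finite-number check are my assumptions; the 10.5 threshold is the challenge's.

```javascript
// Added example, not the challenge's code: a strict arithmetic evaluator for
// grading formulas. Unlike static-eval it accepts only numbers, named scores from
// a fixed scope, + - * / and parentheses, so the string literals, property access
// and calls that the sandbox escape above relies on are rejected at parse time.
const TOKEN = /\s*(?:(\d+(?:\.\d+)?)|([A-Za-z_]\w*)|([-+*\/()]))\s*/y;

function evaluate(src, scope) {
  src = String(src);
  const toks = [];
  for (TOKEN.lastIndex = 0; TOKEN.lastIndex < src.length; ) {
    const m = TOKEN.exec(src);
    if (!m) throw new Error('formula contains a disallowed character');
    toks.push(m[1] !== undefined ? { n: Number(m[1]) } : m[2] !== undefined ? { id: m[2] } : { op: m[3] });
  }
  let i = 0;
  const peek = () => toks[i] || {}, take = () => toks[i++] || {};
  function primary() {                      // number | variable | '(' expr ')'
    const t = take();
    if ('n' in t) return t.n;
    if ('id' in t) {                        // only own, numeric scope entries resolve (no prototype walk)
      if (!Object.prototype.hasOwnProperty.call(scope, t.id) || typeof scope[t.id] !== 'number') throw new Error(`unknown variable ${t.id}`);
      return scope[t.id];
    }
    if (t.op !== '(') throw new Error(`unexpected ${t.op || 'end of formula'}`);
    const v = expr();
    if (take().op !== ')') throw new Error('expected )');
    return v;
  }
  function term() {                         // primary (('*' | '/') primary)*
    let v = primary();
    while (peek().op === '*' || peek().op === '/') v = take().op === '*' ? v * primary() : v / primary();
    return v;
  }
  function expr() {                         // term (('+' | '-') term)*
    let v = term();
    while (peek().op === '+' || peek().op === '-') v = take().op === '+' ? v + term() : v - term();
    return v;
  }
  const v = expr();
  if (i !== toks.length) throw new Error('trailing input');
  return v;
}

// Hardened pass/fail check (assumed score names; 10.5 is the challenge's threshold).
function isPassed(student, formula) {
  const scope = { exam: student.exam, paper: student.paper, assignment: student.assignment };
  for (const v of Object.values(scope)) if (!Number.isFinite(v)) throw new Error('scores must be finite numbers');
  const total = evaluate(formula, scope);  // Number.isFinite does not coerce, so "12" is rejected
  return Number.isFinite(total) && total >= 10.5;
}
```

If the formula never needs to come from the client at all, the stronger fix is simpler still: compute the total in plain JavaScript and accept only numeric scores in the request.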