14.2.3
Find a value (other than toString) that will crash the application when it is set in the prototype.
So far, we have been able to obtain the token because this application allows the user to provide their own settings. This might not always be the case. We’ve introduced a directory traversal vulnerability into the application. Use this directory traversal to obtain the source for the encryption function and the encryption key. Generate a token, decrypt it, modify any parameter, and re-encrypt it. Use this modified token to connect to the RDP client.
Solution
- Other functions include “hasOwnProperty”: polluting it with a string (or any non-function value) means every later `obj.hasOwnProperty(...)` call in the application throws a TypeError, which crashes the request handler, or the whole process if the error is unhandled.
- Extra Mile: Bypass the directory traversal filter using “....//” instead of “../”. A filter that removes “../” only once (non-recursively) turns “....//” into “../”, so the traversal survives the filter.
- http://192.168.228.138/files/....//settings/clientOptions.json (Encryption Key)
- http://192.168.228.138/files/....//routes/token.js (Encryption Function)
- Generate a token, decrypt it, modify any parameter, and re-encrypt it. Use this modified token to connect to the RDP client. (Unfinished)
