Intro to Whitebox Pentesting - SA2

Hello, I am looking for help regarding the second part of the skills assessment.

I already added a try-catch block to parse the length and type, but I am getting this error:

Patch test failed. Please try again.

should throw an error if length is not an integer

Note: the code is running locally with validation and error messages.

> node ./text2.js a a
> Invalid input: length: must be an integer between 8 and 128
> Usage: node pwgen.js <length> <type>
> length: integer between 8 and 128
> type: simple or complex
> 
> 
> ./text2.js 8 simple
> simple password - length 8: swvxjnav
> 
> node ./text2.js 8 a     
> Invalid input: type: must be simple or complex
> Usage: node pwgen.js <length> <type>
> length: integer between 8 and 128
> type: simple or complex
> 
> 
> node ./text2.js 8 complex
> complex password - length 8: XSH!1L!9

Sorry for not being related to your question, but could I ask for your opinion on Question1’s code? As far as I see, the ‘whoami’ function of the application could potentially be vulnerable to code injection through the user’s ‘uid’, but what is actually assigned to the user through the token we pass in is ‘sid’ (auth-controller.js - line 99). So, ‘whoami’ seems like a rabbit-hole, doesn’t it?

I have the problem with SA2 as well. I have "Result: Injection Failed.

code injection should not be possible, even without sanitization or validation"

I have covered all other requirements. There isn’t even an injectable “new Function”. Why does it show me that there is another injectable part???

yeah it’s a rabbit-hole

you need to account for any possible situation in the code, it’s gotta run clean, no crashing

Same here, I removed the dangerous part. The behaviour of the code is as expected. Should I use a third-party function to add a layer of security?

Did somebody solve the challenge?

Challenge: There are at least 2 different ways to obtain remote code execution on the target. So, once you are able to exploit one vulnerability, try to identify the other and exploit it as well.

I managed to exploit /ping but cannot find any other vulnerabilities. What did I miss?

Got the answer by adding this to prevent any crashing of the app:

// handleException is the poster's own helper; its definition is not shown in the thread.
process.on('uncaughtException', function (err) {
    handleException(err);
    process.exit(1);
});

But my app is not crashing, when I run it locally it works as expected. On the platform I still have the message: “Result: Injection Failed. code injection should not be possible, even without sanitization or validation”

This SA2 is very poorly implemented.
Mine works completely fine locally. All args validations are there, no crashes, no injection possible etc.

Kept getting either “patch test failed” or “injection failed” regardless. There are no hints, no explanation, no nothing. Yes I’ve toggled the hint button but there’s literally no output still. I’ve no idea what I’ve done wrong and what it wants from me. Extremely frustrated and confused.

OK after a couple days was finally able to solve this SA2 and got the last flag. I’m still of the opinion that this challenge is poorly implemented and terribly communicated.

My final version of the script goes against pretty much every idea of programming best practices, in particular of what goes inside or outside try-catch blocks, when and where your validations are done etc.

In short, to pass this challenge you probably need to disregard your years of programming instinct, habits, and best practices.

Ok I finally managed… If you struggle to have the flag but you think you checked everything, move your sanitization and verification checks somewhere else in your code.

Make sure you don’t use throw Error('Some error message') or similar in this task…

Hi @terasi, same for me. I think I would need a nudge. Could you please help me? Thanks

Hi all, I am stuck on SA2. I sanitized everything I could think of, even thinking to use the generatepassword function externally, but I still get “Patch test failed. Please try again.”. Would any of you be available to check my code and give me a nudge? Thanks a lot

Thanks to @kruemel, passed. Anyway, I agree, badly written and hints at some point stop making sense…
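
The checks discussed in this thread (length as a strict integer between 8 and 128, type limited to simple or complex, errors reported without throwing, and no dynamic code evaluation) can be sketched as follows. This is an added example, not the assessment's code or any poster's solution; the function names, character sets and return shapes are assumptions.

```javascript
// Added example: hypothetical hardened argument handling for a pwgen-style CLI.
const { randomInt } = require('node:crypto');

// Character sets are assumptions; the assessment's real sets are not shown in the thread.
const CHARSETS = Object.freeze({
  simple: 'abcdefghijklmnopqrstuvwxyz',
  complex: 'abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789!@#$%^&*',
});
const LENGTH_ERROR = 'length: must be an integer between 8 and 128';

// Returns { ok: true, length, type } or { ok: false, error }; never throws.
function parseArgs(rawLength, rawType) {
  // Digits only: rejects "8abc" and "8.5" (parseInt() yields 8 for both)
  // as well as " 8" and "1e2" (Number() yields 8 and 100).
  if (typeof rawLength !== 'string' || !/^\d{1,3}$/.test(rawLength)) {
    return { ok: false, error: LENGTH_ERROR };
  }
  const length = Number(rawLength);
  if (length < 8 || length > 128) return { ok: false, error: LENGTH_ERROR };
  // Allowlist on own properties only, so "constructor" or "__proto__" do not match.
  const known = typeof rawType === 'string' && Object.prototype.hasOwnProperty.call(CHARSETS, rawType);
  if (!known) return { ok: false, error: 'type: must be simple or complex' };
  return { ok: true, length, type: rawType };
}

// User input only selects a fixed charset and a count; nothing built from it
// is ever evaluated as code, so the generator works on data alone.
function generatePassword(length, type) {
  const chars = CHARSETS[type];
  let out = '';
  for (let i = 0; i < length; i++) out += chars[randomInt(chars.length)];
  return out;
}

// CLI-style wrapper: returns { code, output } for every input instead of throwing.
function run(argv) {
  const parsed = parseArgs(argv[0], argv[1]);
  if (!parsed.ok) {
    return { code: 1, output: `Invalid input: ${parsed.error}\nUsage: node pwgen.js <length> <type>` };
  }
  const pw = generatePassword(parsed.length, parsed.type);
  return { code: 0, output: `${parsed.type} password - length ${parsed.length}: ${pw}` };
}
```

To use it as a script, pass `process.argv.slice(2)` to `run`, print `output` and set `process.exitCode` to `code`.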