Intro to Whitebox Pentesting - Target Function

Scorpionking39 · October 28, 2024, 6:52am

Dear HTB student.

For this section there is a app called ‘app.js’ and it ask to do the following:
Use your understanding of eval injections “from the previous section”, try to inject “console.log(input[0])”. Then, monitor the NodeJS Debug Console to confirm whether it worked in logging to console. What was logged to the console?

So what I did is als follows:

url = http://localhost:5000/api/service/generate

Ask for admin token:
bc-dev01@ub-devops01:~/Downloads/intro_to_whitebox_pentesting$ curl -s -X POST -H “Content-Type: application/json” -d ‘{“email”: “test@domain”}’
{“token”:“”}

view in ‘jwt.io/’ to confirm the account is admin:

Token decoded:

{
“email”: “test@domain”,
“role”: “admin”,
“iat”: 1729938653,
“exp”: 1730025053
}

Run the following command to hit the error message ‘contains the following invalid characters’
bc-dev01@ub-devops01:~/Downloads/intro_to_whitebox_pentesting$ curl -s -X curl -s -X POST -H “Content-Type: application/json” -H “Authorization: Bearer ” -d ‘{“text”: “;”}’
{“message”:“The input ";" contains the following invalid characters: [;]”}

Then I did changed ‘{“text”: “;”}’ to ‘{“text”: “console.log(input[0])”}’:
curl -s -X POST -H “Content-Type: application/json” -H “Authorization: Bearer ” -d ‘{“text”: “console.log(input[0])”}’

But it generates a QR code, but I am unable to monitor the NodeJS Debug Console. My question is how can I monitor the NodeJS Debug Console?

b2k · October 28, 2024, 11:22am

JavaScript receives input in the console’s log in the browser developer tools (“F12”, or right mouse click and then “inspect”.)
Assuming the injection is successful, you can see the log in the console.

Assuming the injection is correct

Using curl, we can only validate the injection searching the text on the returned frame. You can use grep to trace the injection.

curl -s -X POST -H "Content-Type: application/json" -H "Authorization: Bearer " -d '{"text": "console.log(input[0])"}' | grep console

Scorpionking39 · October 28, 2024, 12:37pm

Did not work, tried in browser console and curl.

b2k · October 29, 2024, 3:42am

I’ve tried to Google the machine. Can you give me the machine’s name and the exact question number so i can look it up my self.

Scorpionking39 · October 29, 2024, 8:12am

I ran the app locally under ubuntu and kali. But monitoring node.js console log is not clear to me. Also I am in the mean time working on command injection. I can locally upload a webshell with curl and access the webshell to run command ‘ID’. But on the target machine in the module it does not work.

b2k · October 29, 2024, 2:53pm

What is the machine module name?

Scorpionking39 · October 29, 2024, 4:05pm

Intro to whitebox pentesting - Target Function

There is no machine name available.