misc · free · medium

Hidden Path

HackTheBox


$ ls tags/ techniques/
command_injection  unicode_homoglyph_attack  hidden_parameter_injection


Hidden Path — HackTheBox

Description

Legends speak of the infamous Kamara-Heto, a black-hat hacker of old who rose to fame as they brought entire countries to their knees. Opinions are divided over whether the fabled figure truly existed, but the success of the team surely lies in the hope that they did, for the location of the lost vault is only known to be held on what remains of the NSA's data centres. You have extracted the source code of a system check-up endpoint - can you find a way in? And was Kamara-Heto ever there?

Target: http://94.237.122.95:40335

Analysis

Source Code Review

The challenge provides source code for a Node.js Express application (app.js) that allows executing predefined system commands.

Finding Hidden Unicode Characters

A hex dump of the source (xxd app.js) reveals hidden Unicode characters (U+3164, Hangul Filler, an invisible Korean character) in two critical locations:

1. Line 15 - Destructuring assignment:

const { choice,ㅤ} = req.body;  // U+3164 sits between the comma and the closing brace

This extracts a hidden parameter, whose name is the invisible character (U+3164), from the request body.

2. Line 28 - Commands array:

const commands = [
    'free -m',
    'uptime',
    'iostat',
    'mpstat',
    'netstat',
    'ps aux',ㅤ // <-- 7th element (index 6) - value from req.body.ㅤ
];

The hidden variable is added as the 7th element of the commands array.

Vulnerability Analysis

  • The application validates that choice is a number within the bounds of the commands array
  • The array has 6 visible elements (indices 0-5) plus 1 hidden element (index 6)
  • The hidden element's value comes from user input via the invisible parameter
  • This allows arbitrary command execution by passing choice=6 and ㅤ=<command>
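
A review-time check for this class of backdoor, generalised from U+3164 to every default-ignorable code point. It is an added example, not part of the challenge's app.js or the original writeup. scanSource, report and SAMPLE are names chosen here, and the sample source is constructed from the two lines quoted above.

```javascript
// Flag invisible code points in JavaScript source before it is merged or deployed.

// Default_Ignorable_Code_Point covers U+3164 and other characters that render as nothing.
const INVISIBLE = /\p{Default_Ignorable_Code_Point}/gu;
// ID_Continue: legal inside an identifier, so the character can name a variable or property.
const IDENT_CAPABLE = /\p{ID_Continue}/u;

function scanSource(source) {
  const findings = [];
  source.split(/\r?\n/).forEach((text, i) => {
    for (const m of text.matchAll(INVISIBLE)) {
      const cp = m[0].codePointAt(0);
      findings.push({
        line: i + 1,
        column: m.index + 1, // 1-based, counted in UTF-16 code units
        codePoint: 'U+' + cp.toString(16).toUpperCase().padStart(4, '0'),
        identifierCapable: IDENT_CAPABLE.test(m[0]),
      });
    }
  });
  return findings;
}

// One "line:column code point" row per finding, suitable for CI output.
function report(source) {
  return scanSource(source).map(f =>
    `${f.line}:${f.column} ${f.codePoint}` +
    (f.identifierCapable ? ' (usable as an identifier)' : ''));
}

// Constructed sample modelled on the two lines quoted in the writeup.
// The invisible characters are written as escapes so they are visible here.
const SAMPLE = [
  "const { choice,\u3164} = req.body;",
  "const commands = [",
  "  'free -m', 'uptime', 'iostat',",
  "  'mpstat', 'netstat', 'ps aux',\u3164",
  "];",
  "const label = 'ok\u200B'; // zero-width space inside a string",
].join('\n');

for (const row of report(SAMPLE)) console.log(row);
```

Findings marked as usable in an identifier are the ones that can introduce a hidden variable or request parameter, as in this challenge; the others still deserve a look because they alter string contents without showing up in review.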

Solution

Hex Dump Analysis

xxd -g 1 app.js | grep -A2 -B2 "e3 85 a4"

...
