Lab 29 — PackForge — Path Traversal to RCE via Template Injection

hackadvisor

Task: NPM package registry (PackForge) with publish API and EJS README rendering; debug mode leaks internal paths. Solution: path traversal in scoped package name writes malicious EJS template to templates directory, then render-readme endpoint triggers SSTI for RCE.

rce path_traversal ssti nodejs ejs information_disclosure debug_mode express template_injection npm_registry vulnerability_chaining scoped_packages

path_traversal_via_package_nameejs_ssti_to_rcetemplate_file_overwritechild_process_execdebug_endpoint_enumeration

$ ls tags/ techniques/

rce path_traversal ssti nodejs ejs information_disclosure debug_mode express template_injection npm_registry vulnerability_chaining scoped_packages

path_traversal_via_package_nameejs_ssti_to_rcetemplate_file_overwritechild_process_execdebug_endpoint_enumeration

Analysis

Lorem ipsum dolor sit amet, consectetur adipiscing elit. Sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam, quis nostrud exercitation ullamco laboris nisi ut aliquip ex ea commodo consequat.

$ python3 exploit.py --target 192.168.1.1 --port 8080
[*] Connecting to target...
[+] Shell obtained!

Excepteur sint occaecat cupidatat non proident, sunt in culpa qui officia deserunt mollit anim id est laborum.

Permission denied (requires tier.pro)

Sign in to access full writeups

$sign in

$ grep --similar

Similar writeups

[web][Pro]Lab 319 — PageForge — Chained Path Traversal to RCE via Asset Bundler— hackadvisor
[web][Pro]Lab 129 — ReqForge — RCE via VM Sandbox Escape— hackadvisor
[web][Pro]Lab 252 — BuildForge — RCE via npm Lifecycle Script Injection— hackadvisor
[web][Pro]Lab 320 — BuildForge — Path Traversal to RCE via CLI @File Expansion— hackadvisor
[web][Pro]Lab 352 — PipeForge — Content-Type Confusion to Admin JWT Forge to RCE— hackadvisor