MetricForge

hackadvisor

Task: Business analytics platform with custom formula evaluation using Node.js vm module sandbox. Solution: Escape the vm sandbox via prototype chain traversal (this.constructor.constructor) to access the main process context, require fs, and read /root/flag.txt.

rce nodejs sandbox_escape javascript express decoy_flag formula_injection vm_sandbox prototype_chain

arbitrary_file_readprototype_chain_traversalvm_sandbox_escapeconstructor_chain_traversal

$ ls tags/ techniques/

rce nodejs sandbox_escape javascript express decoy_flag formula_injection vm_sandbox prototype_chain

arbitrary_file_readprototype_chain_traversalvm_sandbox_escapeconstructor_chain_traversal

Analysis

Lorem ipsum dolor sit amet, consectetur adipiscing elit. Sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam, quis nostrud exercitation ullamco laboris nisi ut aliquip ex ea commodo consequat.

$ python3 exploit.py --target 192.168.1.1 --port 8080
[*] Connecting to target...
[+] Shell obtained!

Excepteur sint occaecat cupidatat non proident, sunt in culpa qui officia deserunt mollit anim id est laborum.

Permission denied (requires tier.pro)

Sign in to access full writeups

$sign in

$ grep --similar

Similar writeups

[web][Pro]Lab 60 — CalcForge — RCE via Expression Evaluator Sandbox Escape— hackadvisor
[web][Pro]Lab 129 — ReqForge — RCE via VM Sandbox Escape— hackadvisor
[web][Pro]Lab 116 — InsightForge — IDOR via Undocumented Internal API— hackadvisor
[web][Pro]SendForge— hackadvisor
[web][Pro]MetricFlow— hackadvisor