webPromedium

Lab 63 — DataPulse — Insecure Deserialization via Preferences Cookie

hackadvisor

Task: DataPulse analytics dashboard with workspace preferences persisted in a base64-encoded cookie that is deserialized server-side using node-serialize's unserialize(). Solution: Inject _$$ND_FUNC$$_ IIFE payload into the preferences cookie to achieve RCE via child_process.execSync, reading /root/flag.txt.

$ ls tags/ techniques/

rce nodejs base64 express insecure_deserialization cookie_tampering honeypot_flag node_serialize iife child_process preferences_cookie

honeypot_flag_identificationnode_serialize_unserialize_iifend_func_function_injectioncommand_execution_via_child_process_execsynccookie_tampering_base64_encoded_payload

Analysis

Lorem ipsum dolor sit amet, consectetur adipiscing elit. Sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam, quis nostrud exercitation ullamco laboris nisi ut aliquip ex ea commodo consequat.

$ python3 exploit.py --target 192.168.1.1 --port 8080
[*] Connecting to target...
[+] Shell obtained!

Excepteur sint occaecat cupidatat non proident, sunt in culpa qui officia deserunt mollit anim id est laborum.

🔒

Permission denied (requires tier.pro)

Sign in to access full writeups

$sign in

$ grep --similar

Similar writeups

[web][Pro]Lab 56 — DataPulse — XXE to SSRF via SVG Avatar Upload— hackadvisor
[web][Pro]Lab 59 — NetPulse — RCE via Command Injection in Network Diagnostics— hackadvisor
[web][Pro]DevPulse — CSRF via JSON Content-Type Bypass— hackadvisor
[web][Pro]Lab 186 — DataPulse — CORS Origin Validation Bypass— hackadvisor
[web][Pro]Lab 169 — GridPulse — Insecure Deserialization via Configuration Import— hackadvisor