webPromedium

Lab 122 — BuildStream — RCE via Expression Sandbox Escape

hackadvisor

Task: CI/CD pipeline platform evaluates {{ expression }} syntax in step configurations using Node.js vm module sandbox. Solution: Classic vm sandbox escape via constructor chain traversal (this.constructor.constructor) to break out of sandbox, access process.mainModule, require child_process, and read /root/flag.txt.

$ ls tags/ techniques/

command_injection rce nodejs javascript nginx express decoy_flag vm_sandbox prototype_chain cicd pipeline template_expression

expression_injectionfile_read_via_rcevm_sandbox_escapeconstructor_chain_traversaldecoy_flag_recognition

Analysis

Lorem ipsum dolor sit amet, consectetur adipiscing elit. Sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam, quis nostrud exercitation ullamco laboris nisi ut aliquip ex ea commodo consequat.

$ python3 exploit.py --target 192.168.1.1 --port 8080
[*] Connecting to target...
[+] Shell obtained!

Excepteur sint occaecat cupidatat non proident, sunt in culpa qui officia deserunt mollit anim id est laborum.

🔒

Permission denied (requires tier.pro)

Sign in to access full writeups

$sign in

$ grep --similar

Similar writeups

[web][Pro]Lab 129 — ReqForge — RCE via VM Sandbox Escape— hackadvisor
[web][Pro]Lab 54 — PulseGuard — RCE via node:vm Sandbox Escape— hackadvisor
[web][Pro]Lab 312 — BuildStream — Zip Slip Path Traversal in Artifact Upload— hackadvisor
[web][Pro]Lab 380 — BuildStream — RCE via Malicious npm Package Preinstall Script— hackadvisor
[web][Pro]Lab 320 — BuildForge — Path Traversal to RCE via CLI @File Expansion— hackadvisor