webPromedium

Lab 129 — ReqForge — RCE via VM Sandbox Escape

hackadvisor

Task: Express.js API testing platform executes user-supplied JavaScript in a Node.js vm sandbox for pre-request/post-response scripts. Solution: Escaped the vm sandbox via constructor chain traversal (this.constructor.constructor) to access the main context's process object, then used require('fs') to read /root/flag.txt.

$ ls tags/ techniques/

rce nodejs sandbox_escape javascript express decoy_flag vm_sandbox prototype_chain constructor_chain

decoy_flag_identificationvm_sandbox_escapeconstructor_chain_traversalfile_read_via_require_fsprototype_chain_abuse

Analysis

Lorem ipsum dolor sit amet, consectetur adipiscing elit. Sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam, quis nostrud exercitation ullamco laboris nisi ut aliquip ex ea commodo consequat.

$ python3 exploit.py --target 192.168.1.1 --port 8080
[*] Connecting to target...
[+] Shell obtained!

Excepteur sint occaecat cupidatat non proident, sunt in culpa qui officia deserunt mollit anim id est laborum.

🔒

Permission denied (requires tier.pro)

Sign in to access full writeups

$sign in

$ grep --similar

Similar writeups

[web][Pro]Lab 122 — BuildStream — RCE via Expression Sandbox Escape— hackadvisor
[web][Pro]Lab 319 — PageForge — Chained Path Traversal to RCE via Asset Bundler— hackadvisor
[web][Pro]Lab 60 — CalcForge — RCE via Expression Evaluator Sandbox Escape— hackadvisor
[web][Pro]Lab 29 — PackForge — Path Traversal to RCE via Template Injection— hackadvisor
[web][Pro]Lab 134 — DocForge — FreeMarker SSTI Sandbox Escape via ?api Built-in— hackadvisor