webPromedium

Lab 227 — InsightPulse — Flight Protocol Deserialization to RCE

hackadvisor

Task: InsightPulse analytics platform with custom React Flight protocol parser where recursive merge in the flight decoder does not filter __proto__, enabling prototype pollution. Solution: Pollute Object.prototype.client=true and Object.prototype.escape with IIFE payload via two Flight requests to trigger EJS client+escape gadget chain for RCE, exfiltrating flag via thrown Error.

$ ls tags/ techniques/

nodejs ejs prototype_pollution express decoy_flag flight_protocol rsc honeypot_flag react_server_components recursive_merge multipart

error_based_data_exfiltrationejs_client_escape_gadget_chainprototype_pollution_via_recursive_mergeflight_protocol_abuseiife_injection

Analysis

Lorem ipsum dolor sit amet, consectetur adipiscing elit. Sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam, quis nostrud exercitation ullamco laboris nisi ut aliquip ex ea commodo consequat.

$ python3 exploit.py --target 192.168.1.1 --port 8080
[*] Connecting to target...
[+] Shell obtained!

Excepteur sint occaecat cupidatat non proident, sunt in culpa qui officia deserunt mollit anim id est laborum.

🔒

Permission denied (requires tier.pro)

Sign in to access full writeups

$sign in

$ grep --similar

Similar writeups

[web][Pro]Lab 385 — SprintForge — Prototype Pollution to RCE via React Flight Protocol— hackadvisor
[web][Pro]Lab 36 — PulseBoard — Prototype Pollution to RCE via EJS— hackadvisor
[web][Pro]Lab 349 — InsightPulse — Prototype Pollution to RCE via TSQL Query Engine— hackadvisor
[web][Pro]Lab 322 — NetPulse — IP Spoofing to RCE via Polling Agent API— hackadvisor
[web][Pro]Lab 240 — DeployForge — Prototype Pollution to RCE via Lodash Merge— hackadvisor