redpwnCTF 2020 misc
The Source Code
The main function call in this program is
const result = vm.runInNewContext(input)
This means that whatever input we give the program is executed in a new vm context, with no filtering at all.
I'm not too familiar with Node.js or the node vm module, so I searched for "node vm security" and found an article on the Pwnisher blog called "Sandboxing NodeJS is hard, here is why". Its setup is almost identical to this challenge. By modifying the payload a bit I got:
const process = this.constructor.constructor('return this.process')();process.mainModule.require('child_process').execSync('cat /ctf/flag.txt').toString()
Since we know the flag location from the hint, we can just put that in.