-
Notifications
You must be signed in to change notification settings - Fork 1
Expand file tree
/
Copy pathserver.js
More file actions
107 lines (94 loc) · 4.23 KB
/
server.js
File metadata and controls
107 lines (94 loc) · 4.23 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
const express = require('express');
const multer = require('multer');
const path = require('path');
const upload = multer();
const app = express();
const PORT = 5555;
// Middleware
app.use(upload.any());
app.use(express.urlencoded({ extended: true }));
app.use(express.json());
app.use(express.static(path.join(__dirname, 'public')));
app.use((req, res, next) => {
res.setHeader('X-Creator', 'https://x.com/yz9yt');
next();
});
// Vulnerable Endpoint
// Vulnerable Endpoint
app.post('/', (req, apiRes) => {
console.log('[CTF] Received POST request');
try {
// In the real vulnerability, the payload comes in as a multipart form field
// which contains a JSON string.
// Based on the walkthrough curl, it's in field "0".
const rawPayload = req.body['0'];
if (rawPayload) {
console.log('[CTF] Raw payload found');
const payload = JSON.parse(rawPayload);
// Navigate the object structure to find the injection point
// Payload structure from walkthrough:
// { ..., "_response": { "_prefix": "CODE_TO_EXECUTE", ... } }
const codeToExecute = payload?._response?._prefix;
if (codeToExecute) {
console.log(`[CTF] ⚠️ Executing injected code: ${codeToExecute}`);
// ---------------------------------------------------------
// 🚨 REAL RCE EXECUTION 🚨
// ---------------------------------------------------------
// This will actually run the code.
// The payload usually throws a specific error to return data.
try {
// The payload in the walkthrough is:
// var res=...execSync('echo $((1337*2))')...; throw Object.assign(...)
const result = eval(codeToExecute);
} catch (e) {
// The exploit relies on throwing a "NEXT_REDIRECT" error
// to leak the result via the digest property.
if (e.message === 'NEXT_REDIRECT' && e.digest) {
const digest = e.digest;
// format: NEXT_REDIRECT;push;/login?a=2674;307;
console.log(`[CTF] 💥 EXPLOIT SUCCESSFUL! Caught redirect digest: ${digest}`);
// Extract the "leaked" value (the result of the calc)
// It's after "/login?a=" and before the next semicolon
const match = digest.match(/a=(.*?);/);
const result = match ? match[1] : 'unknown';
apiRes.setHeader('X-Action-Redirect', `/dashboard?session=${result}&admin=true`);
apiRes.setHeader('Location', `/dashboard?session=${result}`);
apiRes.status(303).json({
status: "REDIRECT",
destination: "/dashboard",
leaked_data: result
});
return;
}
throw e; // rethrow if it's not our expected exploit error
}
}
}
} catch (err) {
console.error('[CTF] Error processing request:', err.message);
}
// Default response if no exploit worked
console.log('[CTF] Request received, but no valid exploit payload executed.');
apiRes.status(401).json({
error: "Unauthorized",
message: "Invalid credentials or request format."
});
});
// Fallback for SPA
app.get('*', (req, res) => {
res.sendFile(path.join(__dirname, 'public', 'index.html'));
});
app.listen(PORT, () => {
console.log(`
██████╗ ████████╗███████╗
██╔════╝ ╚══██╔══╝██╔════╝
██║ ██║ █████╗
██║ ██║ ██╔══╝
╚██████╗ ██║ ██║
╚═════╝ ╚═╝ ╚═╝
🏁 CTF CHALLENGE STARTED
👉 Listening on http://localhost:${PORT}
🛡️ Simulating: CVE-2025-55182 (Next.js/RSC)
🐦 Creator: https://x.com/yz9yt
`);
});