Description
Platform: TryHackMe
Link: https://tryhackme.com/room/codeanalysis
Difficulty: Medium 🟠
Codeanalysis
```javascript
import express from "express";
import yaml from "js-yaml";
import fs from "fs";
import { attachWebSocket } from "../websocket.js";

const Router = express.Router();

// Only inspects the final extension of the supplied filename.
const isYaml = (filename) => filename.split(".").pop() === "yaml";

Router.post("/", (req, res) => {
  let file_path = req.body.file_path;
  // The user-controlled value is concatenated directly into the path.
  const filePath = `./public/${file_path}`;

  if (!isYaml(filePath)) {
    res.status(500).json({
      status: "error",
      message: "Not a YAML file path.",
    });
    return;
  }

  fs.readFile(filePath, "utf8", (err, data) => {
    if (err) {
      res.status(500).json({
        status: "error",
        message: "Failed to read the file.",
      });
      return;
    }
    res.status(200).send(yaml.load(data));
    attachWebSocket().of("/yaml").emit("yaml", "YAML data has been processed.");
  });
});

export default Router;
```
This router handles POST requests and uses a function called isYaml() to check whether the file parameter (here file_path) ends in .yaml. If it does, the file is read, parsed with yaml.load(), and the resulting data is returned to the client on the /yaml path. Note that isYaml() only looks at the last extension; the user-supplied value itself is concatenated into the path unchanged.
Check the web path used by attachWebSocket (/yaml).
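As an added example (not the room's code), here is a hardened replacement for the router's file_path handling: it keeps the extension check but also resolves the requested name against the public directory and refuses anything that escapes it. It assumes Node's standard `path` module; PUBLIC_DIR is a constructed sample location.

```javascript
import path from "node:path";

// Constructed base directory standing in for the router's ./public
const PUBLIC_DIR = path.resolve("./public");

// The weak check from the room's router: only the final extension is inspected,
// so a name that climbs out of the directory still passes as long as it ends in .yaml.
const isYaml = (filename) => filename.split(".").pop() === "yaml";

// Hardened check (hypothetical helper, not from the room):
// 1. reject empty, non-string, null-byte and absolute inputs
// 2. require a .yaml extension on the original input
// 3. resolve against the base directory and require the result to stay inside it
// Returns the resolved absolute path on success, null on any rejection.
function resolvePublicYaml(userPath, baseDir = PUBLIC_DIR) {
  if (typeof userPath !== "string" || userPath.length === 0) return null;
  if (userPath.includes("\0")) return null;
  if (path.isAbsolute(userPath)) return null;
  if (path.extname(userPath) !== ".yaml") return null;

  const resolved = path.resolve(baseDir, userPath);
  const rel = path.relative(baseDir, resolved);
  // Outside the base directory: rel is "", "..", starts with "../" or is absolute
  if (rel === "" || rel === ".." || rel.startsWith(".." + path.sep) || path.isAbsolute(rel)) {
    return null;
  }
  return resolved;
}
```

In the router this replaces the template string: call resolvePublicYaml(req.body.file_path) and answer with the "Not a YAML file path." error whenever it returns null.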

Since this is a GET request, you will not receive the correct response. Use Burp Suite to change the request method from GET to POST and insert the file_path string in the body:
{"file_path":"test.yaml"}

Next, try it with the number override.

From the response, you can extract the order number: 937.
If you use the file path from the response and request the path api/nostromo, you will get the first flag.

If you now check the webpage, you can see that it has changed.

Using the arrow keys, you can reveal the next flag.
When checking the code, you can find the following line: "Kindly visit nostromo & yaml route first."
Since both APIs have already been accessed, you can now check whether you can retrieve the contents of secret.txt.
As a response, you receive the path to Mother's Secret: /opt/m0th3r
With this path, you can use path traversal via the API to reveal the final flag:
Flag{Ensure_XXXXXXXXXXXXXXXXXXXXXXXXX}
