Pacman

Description

Hi Hacker! I need your help! I've built a Pacman game for my website and now I see suspicious activity on my server, I suspect that the code I wrote is vulnerable to something...

Can you take over my server and locate the flag?

http://pacman.challenges.bsidestlv.com/

The following source code was attached:

Solution

The attached source shows exactly what the jwt.verify check expects, so let's start there.

The JWT is signed with a key produced by generateKey(). Its only inputs are the current day, month and year plus a hardcoded string, so we can reproduce the key ourselves and sign whatever payload we like.

Then, we just need to encode the payload { "isAdmin": "1" }.

The following node script does that:

The result:

Now we just mix in the user-agent, and we get:

This is good, but what do we do with this?

We can try levelling up a few times and see whether it gets us anywhere:

That was fun, but not enough.

Notice that /levelUp builds its shell command with exec('./levelup ' + level, ...). The level value is concatenated straight into the command string and handed to a shell, so if we append a second command after a ; it will be executed as well.

Our "ls" ran right after ./levelup 8;, confirming the command injection.

Let's continue to look around:

Found the flag, let's print it: