

The description of this challenge was:
"JavaScript Cleaning Service: Transform ugly JavaScript files to pretty clean JavaScript files!".

The description also included a Python file to download, with this code:

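import os
import sys
import subprocess

def main(argv):
    print("Welcome To JavaScript Cleaner")
    js_name = input("Enter Js File Name To Clean: ")
    code = input("Submit valid JavaScript Code: ")

    # basename() strips directories, but the file still lands in the
    # working directory, next to the service's own index.js
    js_name = os.path.basename(js_name) # No Directory Traversal for you

    # substring check only; the name "index.js" passes it
    if not ".js" in js_name:
        print("No a Js File")

    # the submitted code is written under the user-chosen name
    # (the body of this block is missing from the listing; the write is reconstructed)
    with open(js_name,'w') as fin:
        fin.write(code)

    # node then runs index.js from the same directory
    p = subprocess.run(['/usr/local/bin/node','index.js','-f',js_name],stdout=subprocess.PIPE)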



The first thing I tried was to call the file with a random name and insert some JavaScript code to see what I would get.
All I got was a beautifier:


Looking at the Python code, I discovered that subprocess.run() executes an external command that takes "index.js", so I tried naming the file "index.js" and putting some JavaScript in it, and discovered that I had managed to inject it.


Now we just have to extract the flag. I did it by injecting this code:
" const fs = require('fs');const a = fs.readFileSync('flag.txt', 'utf8');console.log(a) "

The flag is served:


Flag: flag{Js_N3v3R_FuN_2_Re4d}
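
The overwrite works because the wrapper writes the submission under a user-chosen name in the same directory as the index.js that node executes. The following is an added example, not part of the challenge code or the original write-up, showing one way to harden the wrapper; store_submission, upload_root and demo are hypothetical names, and the directory layout in demo is constructed.

```python
import os
import secrets
import tempfile

def store_submission(code: str, upload_root: str) -> str:
    """Write submitted JavaScript under upload_root using a server-chosen name.

    The client-supplied file name is not used at all, so it can never
    collide with index.js or any other file the service executes.
    """
    os.makedirs(upload_root, mode=0o700, exist_ok=True)
    path = os.path.join(upload_root, secrets.token_hex(16) + ".js")
    # O_EXCL: fail instead of overwriting if the path already exists.
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "w") as fout:
        fout.write(code)
    return path

def demo() -> dict:
    """Constructed scenario: an app directory holding index.js and a separate upload directory."""
    original = "// beautifier entry point (constructed)\n"
    with tempfile.TemporaryDirectory() as base:
        app_dir = os.path.join(base, "app")
        upload_root = os.path.join(base, "uploads")
        os.makedirs(app_dir)
        script = os.path.join(app_dir, "index.js")
        with open(script, "w") as f:
            f.write(original)

        # The user asked for the name "index.js"; that name is ignored here.
        stored = store_submission("console.log('submitted')", upload_root)

        with open(script) as f:
            untouched = f.read() == original
        return {
            "script_untouched": untouched,
            "stored_outside_app": os.path.commonpath([app_dir, stored]) != app_dir,
            # The script is referenced by absolute path, the upload as data only.
            "argv": ["/usr/local/bin/node", script, "-f", stored],
        }

if __name__ == "__main__":
    print(demo())
```

Running the service with the application directory read-only for the service account adds a second barrier if a write path is missed.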