Tags: web pollution astinjection

The version of `flat` in use appears to be vulnerable to prototype pollution. Searching for usable payloads turns up an example that exploits pug.

With the exploit at hand, we can write a simple script that sends a POST request containing the required `song.name` field in the data, along with our payload.

The payload itself gives us _Remote Code Execution_. More to the point, we `cat` the flag file into the publicly accessible `/static/js` folder, so we can navigate to it after the pollution exploit.
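The pollution primitive behind the `flat` issue mentioned above, next to a guarded version, as an added example that is not part of the original writeup and not code from the flat package. `naiveUnflatten`, `safeUnflatten` and `demo` are hypothetical helpers, and the request body is constructed with a harmless marker property.

```javascript
// Added illustration: naiveUnflatten and safeUnflatten are hypothetical helpers,
// not code from the flat package. The request body below is constructed.
const BLOCKED = new Set(['__proto__', 'constructor', 'prototype']);

// Expands {"a.b": 1} into {a: {b: 1}} with no key filtering (the vulnerable pattern).
function naiveUnflatten(flatObj) {
  const out = {};
  for (const [path, value] of Object.entries(flatObj)) {
    const keys = path.split('.');
    let node = out;
    for (const key of keys.slice(0, -1)) {
      // node['__proto__'] resolves to Object.prototype, so the walk leaves `out`.
      if (typeof node[key] !== 'object' || node[key] === null) node[key] = {};
      node = node[key];
    }
    node[keys[keys.length - 1]] = value;
  }
  return out;
}

// Same expansion, but rejects dangerous path segments and builds null-prototype objects.
function safeUnflatten(flatObj) {
  const out = Object.create(null);
  for (const [path, value] of Object.entries(flatObj)) {
    const keys = path.split('.');
    if (keys.some((k) => BLOCKED.has(k))) throw new Error(`rejected key path: ${path}`);
    let node = out;
    for (const key of keys.slice(0, -1)) {
      if (typeof node[key] !== 'object' || node[key] === null) node[key] = Object.create(null);
      node = node[key];
    }
    node[keys[keys.length - 1]] = value;
  }
  return out;
}

// Runs both versions on the constructed body and reports what happened.
function demo() {
  const body = JSON.parse('{"song.name": "example", "__proto__.polluted": "yes"}');
  naiveUnflatten(body);
  const pollutedAfterNaive = ({}).polluted === 'yes'; // every object now inherits it
  delete Object.prototype.polluted; // undo the pollution before the next check
  let rejected = false;
  try { safeUnflatten(body); } catch (e) { rejected = true; }
  const ok = safeUnflatten({ 'song.name': 'example' });
  return { pollutedAfterNaive, rejected, pollutedAfterSafe: 'polluted' in {}, name: ok.song.name };
}
console.log(demo());
```

Upgrading `flat` to a release that filters these keys is the actual fix; the guard above also works as a request-validation step in front of any library that expands dotted keys.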

