Tags: web pollution astinjection 


The version of `flat` in use appears to be vulnerable to prototype pollution, and public information on usable payloads includes an example that targets `pug`.

With the exploit at hand, we can write a simple script that sends a POST request containing the required `song.name` field in the data, together with our payload.

The payload itself gives us _Remote Code Execution_. Specifically, we cat the flag file into the publicly served `/static/js` folder, so we can browse to it once the pollution exploit has run.
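To make the root cause concrete from a defender's side, here is an added example (not code from the writeup or from the `flat` project): a minimal `unflatten()` modelled on the dotted-key expansion that `flat` performs, in a vulnerable form beside a hardened form, plus a probe that tells you whether a given implementation pollutes `Object.prototype`. The key names, marker and inputs are constructed for the demo.

```javascript
// Keys that must never be walked when expanding a dotted path into nested objects.
const BLOCKED_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

// Vulnerable: expands "a.b.c" into nested objects without inspecting the segments,
// so a path beginning with "__proto__." walks onto Object.prototype and writes there.
function unflattenVulnerable(flat) {
  const result = {};
  for (const [path, value] of Object.entries(flat)) {
    const parts = path.split('.');
    let node = result;
    for (let i = 0; i < parts.length - 1; i++) {
      if (typeof node[parts[i]] !== 'object' || node[parts[i]] === null) node[parts[i]] = {};
      node = node[parts[i]];
    }
    node[parts[parts.length - 1]] = value;
  }
  return result;
}

// Hardened: rejects any path segment in BLOCKED_KEYS and builds null-prototype
// objects, so even an unexpected "__proto__" segment has no prototype to reach.
function unflattenSafe(flat) {
  const result = Object.create(null);
  for (const [path, value] of Object.entries(flat)) {
    const parts = path.split('.');
    if (parts.some((p) => BLOCKED_KEYS.has(p))) throw new Error(`rejected key path: ${path}`);
    let node = result;
    for (let i = 0; i < parts.length - 1; i++) {
      if (typeof node[parts[i]] !== 'object' || node[parts[i]] === null) {
        node[parts[i]] = Object.create(null);
      }
      node = node[parts[i]];
    }
    node[parts[parts.length - 1]] = value;
  }
  return result;
}

// Defender's probe: feed an implementation a constructed "__proto__.<marker>" path and
// report whether a fresh, unrelated object then sees the marker through its prototype.
// The marker is removed afterwards so the probe leaves the runtime clean.
function pollutesPrototype(unflatten) {
  const marker = `pp_probe_${Date.now()}`;
  try {
    unflatten({ [`__proto__.${marker}`]: true });
    return ({})[marker] === true;
  } catch (e) {
    return false; // input rejected, nothing written
  } finally {
    delete Object.prototype[marker];
  }
}
```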

Original writeup (https://kblagoev.com/blog/blitzprop-cyberapocalypse-2021-ctf/).