```js
  if (history.isAdmin == true) {
    res.status(200).send(myLoaction)
  } else {
    res.status(200).send(history)
  }
})
```
To get the flag we need `isAdmin` to be `true`, which should not normally be possible from the client. However, the handler merges the request body with `Object.assign()`, and that merge is where prototype pollution occurs: a body key that alters the object's prototype chain makes `isAdmin` resolve to `true` even though the server never set it.
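The following is an added example, not the challenge's code, showing why an `Object.assign()` merge of a parsed JSON body into a per-user object lets the `history.isAdmin == true` check pass, and what a hardened merge and check look like. The request body, the `entries`/`note` fields and the `ALLOWED_KEYS` schema are constructed for this example.

```javascript
// Added example (not the challenge's own code): Object.assign() merge of
// untrusted JSON vs. a hardened merge and a stricter authorization check.

// Constructed request bodies, as a server sees them after JSON.parse().
// JSON.parse creates an *own* property literally named "__proto__".
const pollutedBody = JSON.parse('{"__proto__": {"isAdmin": true}, "note": "x"}');
const benignBody = JSON.parse('{"note": "hello"}');

// Vulnerable pattern: Object.assign copies own enumerable keys with [[Set]],
// so a "__proto__" key invokes the Object.prototype.__proto__ setter and
// swaps the target's prototype for the attacker-supplied object. No own
// `isAdmin` property is ever written; it is *inherited* afterwards.
function mergeUnsafe(target, body) {
  return Object.assign(target, body);
}

// Hardened merge: copy only keys the handler expects, never the
// prototype-altering names, and write them as own data properties so no
// setter on the prototype chain can run.
const ALLOWED_KEYS = new Set(['note']); // assumed schema for this example
const FORBIDDEN_KEYS = new Set(['__proto__', 'constructor', 'prototype']);
function mergeSafe(target, body) {
  for (const key of Object.keys(body)) {
    if (FORBIDDEN_KEYS.has(key) || !ALLOWED_KEYS.has(key)) continue;
    Object.defineProperty(target, key, {
      value: body[key], writable: true, enumerable: true, configurable: true,
    });
  }
  return target;
}

// The authorization check as written in the handler: loose equality,
// and it happily reads an inherited property.
function isAdminLoose(history) {
  return history.isAdmin == true;
}

// Hardened check: only trust an own property with the exact boolean value.
function isAdminStrict(history) {
  return Object.hasOwn(history, 'isAdmin') && history.isAdmin === true;
}

// Detection helper for input validation / logging: flags a parsed body whose
// own keys could rewire the prototype chain.
function hasPrototypeKeys(body) {
  return Object.keys(body).some((k) => FORBIDDEN_KEYS.has(k));
}

// Fresh per-request "history" object; note it has no own isAdmin at all.
function newHistory() {
  return { entries: [] };
}

function demo() {
  const polluted = mergeUnsafe(newHistory(), pollutedBody);
  const hardened = mergeSafe(newHistory(), pollutedBody);
  return {
    looseCheckOnPolluted: isAdminLoose(polluted),       // true: inherited
    ownIsAdminOnPolluted: Object.hasOwn(polluted, 'isAdmin'), // false
    strictCheckOnPolluted: isAdminStrict(polluted),     // false
    looseCheckOnHardened: isAdminLoose(hardened),       // false
    hardenedKeepsNote: hardened.note,                   // 'x'
    bodyFlagged: hasPrototypeKeys(pollutedBody),        // true
    benignFlagged: hasPrototypeKeys(benignBody),        // false
  };
}

console.log(demo());
```

The key observation for a reviewer is that `Object.assign()` did not add an own `isAdmin` property; it changed where property lookups fall through to. Checking `Object.hasOwn()` (or building the object with `Object.create(null)`) closes the gap even if some other merge routine is later reintroduced.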
```http
POST / HTTP/1.1
Host: chall.nitdgplug.org:30230
Content-Length: 83
Content-Type: application/json
Connection: close
```
The vulnerability is in the code above: the second argument of `render()` is passed the wrong way. When request-controlled data reaches that argument as shown, the result is local file inclusion (LFI). More information can be found here. Try the analysis yourself. I learned about this about 10 months ago, so as soon as I saw the code I recognized it immediately.
Looking closely at the configuration, I saw that haproxy was in use and the proxy was set to deny requests to `/admin`. However, the `-i` (case-insensitive) option was not set on the acl, so the match was case-sensitive. So I bypassed it using this