Target Function

Overview

Before exploitation, plan the attack as action points to track progress and identify issues.

Attack Plan Checklist

Step

Status

Hit the validateString function

✅

Trace how input looks within function

✅

Obtain an admin role

⏳

Confirm we reach the eval function

⏳

Prepare the payload

⏳

Confirm payload reaches target as intended

⏳

Inject code and confirm injection

⏳

Reach command execution or file writing

⏳

Blindly verify command execution/file writing

⏳

Automate exploitation (write exploit)

⏳

Step 3: Obtain Admin Role

Real-World Methods

Method

Description

Privilege escalation

Exploit to elevate permissions

Authorization flow

Legitimate admin access

XSS/CSRF

Attack admin user

Brute force

Guess admin credentials

Request access

Ask client for admin account

Note: If no vuln exists, request admin account. Impact is lower (only affects admin users).

Our Case: Email-based Role

Looking at getUserToken:

{
    email,
    role: email.includes("@hackthebox.com") ? "admin" : "user",
}

Solution: Use @hackthebox.com email domain!

Get Admin Token

curl -s -X POST \
  -H "Content-Type: application/json" \
  -d '{"email": "test@hackthebox.com"}' \
  http://localhost:5000/api/auth/authenticate

Response:

{"token":"eyJhbGciOiJIUzI1N...SNIP...9R6zeoubrQTbUiThBpeQD7_DWibgo"}

Verify Role in JWT

Use jwt.io to decode:

{
  "email": "test@hackthebox.com",
  "role": "admin",  // ✅ Admin!
  "iat": 1700865256,
  "exp": 1700951656
}

Dynamic Verification (Debug)

Add breakpoint to line 30 (service-controllers.js)
Right-click role on line 17 → "Add to Watch"
Send request with admin token
Check WATCH pane → role: "admin"

✅ Step 3 Complete: Admin role obtained

Step 4: Reaching the Vulnerable Code

validateString Conditions

function validateString(input, onError) {
  if (
    typeof input !== "string" ||  // Condition 1
    input.length == 0 ||          // Condition 2
    input.match(/['"`;]/g)        // Condition 3
  ) {
    eval(onError);  // ← We need to reach here
    return false;
  }
  return true;
}

Condition Analysis

Condition

Triggers eval?

Input in onError?

Not a string

✅

❌ No control

Empty string

✅

❌ No control

Bad characters

✅

✅ Yes!

Must use Condition 3 - only way to have input in onError.

Bad Characters

/['"`;]/g

Char

Effect

'

Breaks strings

"

Breaks strings

Breaks template literals

;

Safest - doesn't break onError string

Test with Semicolon

curl -s -X POST \
  -H "Content-Type: application/json" \
  -H "Authorization: Bearer <ADMIN_TOKEN>" \
  -d '{"text": ";"}' \
  http://localhost:5000/api/service/generate

Response:

{"message":"The input \";\" contains the following invalid characters: [;]"}

What This Confirms

✅ We reached the eval function
✅ onError string evaluated successfully
✅ We see the verbose admin error message
✅ Our input (;) appears in the message

✅ Step 4 Complete: Reached vulnerable code

Updated Checklist

Step

Status

Hit the validateString function

✅

Trace how input looks within function

✅

Obtain an admin role

✅

Confirm we reach the eval function

✅

Prepare the payload

⏳

Confirm payload reaches target as intended

⏳

Inject code and confirm injection

⏳

Reach command execution or file writing

⏳

Blindly verify command execution/file writing

⏳

Automate exploitation (write exploit)

⏳

Current Attack Flow

1. Get admin token (@hackthebox.com email)
         ↓
2. Send request with bad character (;)
         ↓
3. validateString fails condition 3
         ↓
4. eval(onError) is called
         ↓
5. Our input is in onError via ${text}
         ↓
6. Verbose error returned (admin only)

Next Steps

Prepare payload - Inject code without breaking syntax
Confirm injection - Verify code executes
Achieve RCE - Execute system commands
Verify blindly - Confirm execution without output
Write exploit - Automate the process

Key Takeaways

Plan before exploit - Track progress, identify issues early
Understand conditions - Know exactly how to reach vulnerable code
Choose input wisely - ; triggers eval without breaking string
Verify each step - Don't skip ahead, confirm before proceeding
Use debugger - Watch variables to verify understanding

PreviousEval Injection NextCode Injection

Last updated 1 month ago

hashtagOverview

hashtagAttack Plan Checklist

hashtagStep 3: Obtain Admin Role

hashtagReal-World Methods

hashtagOur Case: Email-based Role

hashtagGet Admin Token

hashtagVerify Role in JWT

hashtagDynamic Verification (Debug)

hashtagStep 4: Reaching the Vulnerable Code

hashtagvalidateString Conditions

hashtagCondition Analysis

hashtagBad Characters

hashtagTest with Semicolon

hashtagWhat This Confirms

hashtagUpdated Checklist

hashtagCurrent Attack Flow

hashtagNext Steps

hashtagKey Takeaways