YouTube video by Wes Roth

Researchers have uncovered a new strain of DDoS malware, named cShell, targeting poorly managed Linux servers.

Code Review Gunship is a Node.js application with a single API endpoint. A quick inspection of the package.json file revealed that it uses the Pug template engine leading me to believe it’s a Server-Side Template Injection (SSTI) challenge. However, there’s no parameter that we can pass to the template to test for an SSTI vulnerability. Let’s investigate further. router.post('/api/submit', (req, res) => { const { artist } = unflatten(req.body); if (artist.name.includes('Haigh') || artist.name.includes('Westaway') || artist.name.includes('Gingell')) { return res.json({ 'response': pug.compile('span Hello #{user}, thank you for letting us know!')({ user: 'guest' }) }); } // Code omitted for brevity }); Running npm install and npm audit not only revealed that the Pug version (3.0.0) used by the application is vulnerable to Remote Code Execution (RCE) , but also showed that the application uses a version of the flat package (5.0.0) that is vulnerable to Prototype Pollution . Now that we have identified vulnerabilities that we can chain together, let’s test the application and trace the code execution. Local Testing Let’s install nodemon and use the VS Code Debugger to run the application in debug mode. Going back to the code, the artist names Haigh, Westaway, and Gingell must be used to reach the Pug code. While stepping into the pug.compile function, I noticed that Pug defaults its options variable to an empty object if not provided—a potential point for prototype pollution. Now, let’s test the payload mentioned in this GitHub issue . Using Burp Suite Repeater, I resent the request to /api/submit with this payload: https://medium.com/media/7bb241eb54061575525a0ec22944ee72/href Well, that didn’t work. While trying to trace the code execution within the packages, I came across the variable ast. It must be referring to the Abstract Syntax Tree , right? I just learned about this concept recently while searching for open-source forks of a specific archived library on GitHub. After searching for "pug AST RCE" , I discovered a Medium article discussing AST injection . It details how Pug is vulnerable to RCE through AST injection. Now let’s test this payload: https://medium.com/media/e5f42732ea2e3eadb7b557afada3364e/href That worked! Now that we have a functioning payload, it’s time to exploit the vulnerability. Exploitation First, let's launch the Hack The Box Challenge instance. While that is in progress, let’s check the potential file path for the flag by examining the Dockerfile and entrypoint.sh. It should be formatted like this: /app/flagCCCCC, where each 'C' represents a random alphanumeric character. Since the file path of the flag contains random characters, let’s use the cp command with a wildcard to copy the flag to a location we can access — the static folder. https://medium.com/media/0fb0a5f6ead07e90858fbd2dbfb464b5/href Now let’s view the flag using the curl command. We have successfully captured the flag! References https://security.snyk.io/package/npm/flat/5.0.0 https://www.npmjs.com/package/nodemon https://code.visualstudio.com/Docs/editor/debugging https://github.com/pugjs/pug/issues/3312 https://rayepeng.medium.com/how-ast-injection-and-prototype-pollution-ignite-threats-abb165164a68 HTB Challenge Write-Up: Gunship was originally published in InfoSec Write-ups on Medium, where people are continuing the conversation by highlighting and responding to this story.

Few websites actually respect the option, says Mozilla

Le nombre de cyberattaques dans le monde, mais aussi en France est en constante augmentation ces derniers mois. Au point qu’en France, une entreprise sur deux a subi au moins une cyberattaque complète et réussie en 2023. Un danger qu’elles ne peuvent plus ignorer, que ce soit pour leur propre avenir ou pour la

YouTube video by ThrasherMagazine

The 8Base ransomware group attacked Croatia's Port of Rijeka, stealing sensitive data, including contracts and accounting info.

​A Nebraska man pleaded guilty on Thursday to operating a large-scale cryptojacking operation after being arrested and charged in April.

Mandiant, a cybersecurity firm, has discovered a new way to get around browser isolation security technologies.

Docker/Kubernetes (K8s) Penetration Testing involves identifying and assessing security vulnerabilities within containerized environments…

DMM Bitcoin said that it planned to transfer all customer accounts and company assets to the crypto firm SBI VC Trade after a hacking incident in May.