
This article contains my writeup for the PatriotCTF 2024 Blob challenge.

Challenge notes:

> blob
> http://chal.competitivecyber.club:3000
> flag format: caci{.*}
> author: caci

## Files

[Screenshot of the rendered index in a browser]

The challenge comes with two files:

- Express[^1] server in index.js
- Embedded JavaScript template (EJS)[^2] in views/index.ejs

Here's what's in the index.js file:

```js
// index.js
require("express")()
  .set("view engine", "ejs")
  .use((req, res) => res.render("index", { blob: "blob", ...req.query }))
  .listen(3000);
```

The views/index.ejs template contains the following:

```html
<!DOCTYPE html>
<html lang="en">
  <head>
    <title>Blob</title>
    <style>
      /* … styles omitted */
    </style>
  </head>
  <body>
    <main>
      <div id="blobfish"></div>
      <div id="chat">blob say: <%= blob %></div>
      <!-- … -->
    </main>
  </body>
</html>
```

Notice the `<%= blob %>` part, which lets you inject arbitrary content via `...req.query` in index.js: every query-string parameter is spread into the object passed to `res.render`, so the template's data is entirely attacker-controlled.

## Template injection

EJS templates like the one used here are susceptible to template…
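The spread of `req.query` into the render locals is the root of the problem. As an added example that is not the challenge's code, here is that vulnerable pattern next to a hardened version that allowlists the one local the template actually reads, written as plain functions on a parsed query object so it runs without Express; the sample queries and the `rejectedKeys` logging helper are my own construction.

```javascript
// Added example, not part of the challenge. The vulnerable index.js does
//   res.render("index", { blob: "blob", ...req.query })
// so every query-string key becomes a render local (or a render option).
// The functions below take an already-parsed query object like req.query.

// The only local the template reads: <%= blob %>.
const ALLOWED_LOCALS = new Set(["blob"]);

// Vulnerable pattern, kept for comparison: the whole query is spread in.
function vulnerableLocals(query) {
  return { blob: "blob", ...query };
}

// Hardened: start from fixed defaults and copy only allowlisted,
// string-valued keys. Express's query parser can yield arrays or
// objects (?blob=a&blob=b, ?blob[x]=y); those fall back to the default.
function safeLocals(query) {
  const locals = { blob: "blob" };
  for (const key of ALLOWED_LOCALS) {
    const value = query[key];
    if (typeof value === "string") locals[key] = value;
  }
  return locals;
}

// Names the allowlist dropped, so a request carrying unexpected parameters
// can be logged or alerted on independently of what the template does.
function rejectedKeys(query) {
  return Object.keys(query).filter((k) => !ALLOWED_LOCALS.has(k));
}

// Constructed sample queries (what req.query would hold after parsing).
const benign = { blob: "hello" };
const tampered = { blob: "hello", extra: "1", nested: { a: "b" } };

console.log(vulnerableLocals(tampered)); // extra and nested reach res.render
console.log(safeLocals(tampered));       // { blob: 'hello' }
console.log(rejectedKeys(benign));       // []
console.log(rejectedKeys(tampered));     // [ 'extra', 'nested' ]
console.log(safeLocals({ blob: ["a", "b"] })); // { blob: 'blob' }
```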
