Node-RED

Prompt

There is word that liber8tion left a backdoor inside their vacuum cleaner. Can you find it?

Walk-Through

This challenge runs a Node-RED server. Node-RED is a popular “low-code” development tool that you can use to define workflows and processes for both industrial automation and home automation purposes.

Sign in to the Node-RED server with the provided credentials and inspect the flow configuration, which details the automation logic and functionality.

Node-RED flow configuration

In reviewing the nodes, you’ll find that one of the nodes has a [post] /vacuum label which is in line with the challenge prompt about a backdoor in the vacuum cleaner. Click on that node to view its details on the right-hand side toolbar.

[post] /vacuum node details

This node indicates to us that we can potentially inject an arbitrary command using the backdoorCommand field in the request body. From here, you’ll want to inspect the remaining nodes to understand what other logic happens. Click on the next node in the chain that’s labeled “switch”.

switch node details

The “switch” node lays out the logic for processing the payload.backdoor property. The rules configured here state that the flow takes “path 0” if the payload.backdoor field is equal to (t: "eq") the value “true” (v: "true"), where the value’s type is a string (vt: "str"). Otherwise, if the payload.backdoor field is null, it takes “path 1”. In this case, path 0 leads to a backdoor command execution flow, whereas path 1 leads to the normal behavior of controlling the power function of the vacuum.

switch node flow paths

Now that we know we need to set the backdoor field to "true" and the backdoorCommand field is the actual command itself, we can then craft a custom request with a payload to extract the flag.

curl \
  -H 'Content-Type: application/json' \
  -d '{"backdoor": "true", "backdoorCommand" : "ls /" }' \
  [hostname]/vacuum
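The manual review above can also be run as an audit over an exported flow: walk the wires from each HTTP endpoint and report any route that ends in a command-execution node, together with the switch rule that gates it. This is an added example, not part of the challenge or its flow; the sample export, its node ids and the use of Node-RED's core "exec" node as the command runner are assumptions made for illustration.

```javascript
// Constructed sample export modelled on the walkthrough; ids, names and the
// "exec" node are assumptions, not the challenge's real flow.
const sampleFlow = [
  { id: "in1", type: "http in", url: "/vacuum", method: "post", wires: [["sw1"]] },
  { id: "sw1", type: "switch", property: "payload.backdoor",
    rules: [{ t: "eq", v: "true", vt: "str" }, { t: "null" }],
    wires: [["chg1"], ["pwr1"]] },
  { id: "chg1", type: "change", wires: [["ex1"]] },
  { id: "ex1", type: "exec", command: "", wires: [["out1"], [], []] },
  { id: "pwr1", type: "function", name: "power", wires: [["out1"]] },
  { id: "out1", type: "http response", wires: [] },
];

const SINKS = new Set(["exec"]); // node types that run OS commands

// Walk the wires from every "http in" node and report each route that ends
// in a command-execution node, with the switch rules that gate it.
function findHttpToExec(flow) {
  const byId = new Map(flow.map((n) => [n.id, n]));
  const findings = [];
  for (const entry of flow.filter((n) => n.type === "http in")) {
    const stack = [{ id: entry.id, path: [], gates: [] }];
    while (stack.length) {
      const { id, path, gates } = stack.pop();
      const node = byId.get(id);
      if (!node || path.includes(id)) continue; // dangling wire or loop
      const here = [...path, id];
      if (SINKS.has(node.type)) {
        findings.push({ method: entry.method, url: entry.url, sink: id, path: here, gates });
        continue;
      }
      (node.wires || []).forEach((targets, port) => {
        // A switch output is only taken when the rule at the same index matches.
        const rule = node.type === "switch" ? (node.rules || [])[port] : null;
        const next = rule
          ? [...gates, { property: node.property, output: port, ...rule }]
          : gates;
        for (const t of targets) stack.push({ id: t, path: here, gates: next });
      });
    }
  }
  return findings;
}

console.log(JSON.stringify(findHttpToExec(sampleFlow), null, 2));
```

A finding whose gate compares a request field against a fixed string, as the switch rule here does, is an endpoint where anyone who can send the request can reach command execution.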

Questions

How many nodes are in this flow?

Count the number of nodes (represented as rectangles) in the flow configuration diagram above

What input data format does the application accept?

Review the documentation for Node-RED to identify what Content-Type it accepts

What is the flag?

Extract flag.txt by running the backdoor command cat /flag.txt

©️ 2024 Cyber Skyline. All Rights Reserved. Unauthorized reproduction or distribution of this copyrighted work is illegal.