VirtualEscape
Medium | Web Security
Overview
You've been granted access to a web application that renders custom templates. It looks simple. The developers were careful: they read the right articles and put protections in place. They were almost right. Somewhere between what the application accepts and what it ultimately executes, there is a gap. Not in a library, not in the server, but in the developers' mental model of their own defenses. Trace the journey your input takes from entry to output. Somewhere along that path, the rules break down. The flag is on the server. The key is hiding in plain sight.
Flag format: flag{}
Lab Details
Prerequisites & Requirements
- Advanced understanding of JavaScript runtime internals
- Deep knowledge of Node.js module system and require() mechanics
- Familiarity with Pug template engine syntax and compilation process
- Experience with Server-Side Template Injection exploitation techniques
- Understanding of VM sandboxing concepts and limitations
- Knowledge of string obfuscation and filter bypass methodologies
What will you learn?
- Advanced SSTI exploitation in Pug template engine
- Node.js internal object traversal techniques for RCE
- Sophisticated filter bypass using string manipulation
- Deep understanding of the require() function's internal mechanisms
- VM2 sandbox limitations and pre-compilation injection points
- Complex payload construction for data exfiltration scenarios
Tools
- Web browser with developer tools for request inspection
- HTTP intercepting proxy (Burp Suite/OWASP ZAP) for request manipulation
- Webhook service (webhook.site) for out-of-band data retrieval
- Node.js REPL for understanding internal object structures
Job Positions
Bug Bounty Hunter
Tags
SSTI, RCE, Input Validation, Source Code Review, JavaScript