Updater
Overview
Scenario
A Linux server hosts a Node.js application designed to check installed Composer versions using live data from an external API. The application fetches version data, filters it using user-supplied JSONPath expressions, and compares semantic versions using the semver library. The system is exposed to privileged access, and a MySQL database leak has already allowed lateral movement to a user with sudo privileges. The final Node.js script is executed with elevated permissions, making it a critical target for exploitation.
However, the application uses an unsafe JSONPath evaluation library (jsonpath-plus) that allows attacker-controlled expressions to reach dangerous evaluation contexts. This creates a potential code execution vector through crafted JSONPath queries.
Objective
Exploit unsafe JSONPath evaluation in a Node.js application to achieve arbitrary code execution. Leverage the vulnerability in jsonpath-plus to execute system commands and escalate privileges by modifying system binaries (e.g., setting SUID on /bin/bash). Finally, use elevated privileges to retrieve the flag.
Flag Format: Flag{}
Infrastructure: Web Terminal
Provided Files: Access to the machine
Tools: Linux Terminal, Hashcat, Browser