Handlebars.js 4.1.1 Server Side Template Injection exploitation – running system commands with a Node.js RCE when require() is not available?

I’m currently reading the following article and trying to exploit the vulnerability (Handlebars.js 4.1.1 Server Side Template Injection):


Sure enough, the proof of concept code works fine. Specifically, the final snippet from Matias works in my setup. However, after all those context changes, I no longer have access to the require keyword, and therefore I cannot do require('child_process').exec(), because it says require is not defined.

I tried looking for global variables in the current context which might help me, but found nothing.

I also considered copying the whole child_process library’s source code into my payload, but that’s not trivial, since the library uses other libraries and some specific variables, which are not initialized for me (primordials, for example).

In order to continue the assignment, I need to get a reverse shell on the target machine. How can I use the RCE to run system commands/get a reverse shell if I cannot use require()?

Can a wizard under the effects of Feign Death issue telepathic commands to their familiar?

A wizard has a summoned familiar within 100 feet that is currently idle and has Feign Death cast on them by another PC. Would the wizard still be able to issue telepathic commands to their familiar?

Specifically, while Feign Death states that they appear dead and are incapacitated and blind, they aren’t listed as being unconscious.

Find Familiar doesn’t state that issuing telepathic commands requires an action (which you can’t do while incapacitated), whereas it does state that seeing through your familiar’s eyes requires an action as does dismissing it.

I was DMing a game where this occurred and I hastily ruled that the wizard was unable to issue commands, but I am second-guessing myself after the fact. And knowing my PCs, this situation is likely to happen again.

When are verbal commands issued to conjured animals?

I’m losing a lot of actions by my (Druid) conjured animals, especially when there are lots of actions, and the battle is fluid.

So much changes during a turn that my verbal command (issued during my turn) has typically long since been obsoleted or is far less optimal. For example, an invisible enemy is exposed, or a charmed target needs to be hit, or innumerable other circumstances arise.

Can I issue the “verbal command” on the conjured animals’ turn? Or does the verbal command need to be issued on my turn?

(And is the answer an “official” answer? The DM might overrule it anyways.)

Otherwise it’s like tossing the dice and hoping my command is still applicable at the time of their action.

Being a concentration spell makes it worse as it limits my actions enough as it is without the added pain of losing a turn as the animals do something not what needed to be done.

Thanks very much! Adrml S.

Retrieving a flag from vim commands by reading through strace output [CTF]

So, to clarify, I’m currently working on a CTF challenge that consists of running strace on a bash script that is running vim commands, using commands like vim -c ":!cat flag.txt" inside of a bash script. For some clarity, this idea was heavily inspired by a CTF I did recently, and here’s a writeup of what it looked like and did, if you’d like to see what I’m really going for: https://github.com/Dvd848/CTFs/blob/master/2019_36C3_Junior/tracer.md. I’m not quite sure how to get the proper output from the vim commands to obfuscate the flag. I’d like it to recognize each keypress as reads and writes, but I haven’t found a solid approach to accomplish this cleanly. Any suggestions would be highly appreciated. Essentially there would be strace output where the flag could be seen being written using vim. I’m not 100% sure this can even be done properly through bash, so any suggestions would be very helpful!

Can you continue to issue new commands throughout the duration of Geas?

Inspired by this answer and the comment by @jgn, it made me dig deeper into the wording of the Geas spell, and how it doesn’t seem to tell you if you can only give commands at the beginning, delay the command for another time, or even continue giving additional/new commands. The beginning sentence seems to hint at a single command (emphasis mine on the singular nature of the wording):

You place a magical command on a creature that you can see within range, forcing it to carry out some service or refrain from some action or course of activity as you decide.

And also later:

You can issue any command you choose…

But in the middle when explaining what happens when it ignores you:

…it takes 5d10 psychic damage each time it acts in a manner directly counter to your instructions

which could have easily been made singular if it was a single command.

This answer to a different Geas question seems to say that it’s a singular command, but it’s not backed up by anything, and doesn’t say when you can issue the command.

So my question is: When do you / can you decide what command(s) the affected creature should follow?

How do I enter commands in Lubuntu

It runs ridiculously slow at times (like 10 minutes to open a browser page). I have not used Linux before and have no idea how to get to a “command prompt”, or if that is even where I need to be, but I would like to try installing metacity, as I saw that worked for someone who posted on this forum.

thanks, Tony

Ubuntu 18.04.3 doesn’t recognize 2nd monitor after running these commands

I executed these commands:

sudo bash -c "echo blacklist nouveau > /etc/modprobe.d/blacklist-nvidia-nouveau.conf"
sudo bash -c "echo options nouveau modeset=0 >> /etc/modprobe.d/blacklist-nvidia-nouveau.conf"
sudo update-initramfs -u
sudo reboot

But after rebooting, my 2nd monitor is black and Ubuntu is not able to detect it. I went to Settings -> Devices -> Display and now I can only see my main monitor and not my second. Before running these commands, everything worked. How can I redo this?

I ran these commands in reference to this post.

Want to log all user activities performed on Ubuntu (UI, terminal, PuTTY, WinSCP) including commands executed, with timestamp

For security measures, I want a log of all activities of all users on an Ubuntu system, even the activities performed from the UI or by externally accessing the device through PuTTY or WinSCP. For example, if someone logs in through PuTTY or WinSCP and deletes or creates a file, then I should have all the information, like which user logged in through which IP address and which file he created or deleted. If it’s a command through the terminal, then I want to know which user executed which command and when. If there doesn’t exist a log of this sort, then I want a way to create such a log.

Terminal command for getting information about the time and user of all the commands executed in all sessions of terminal

I want to know which user executed which command on the terminal and when, i.e. if any of the users does “rmdir abc” and removes a specific directory, I should know which command he executed and at what time. And I don’t want it for a single session; this data should be available to me like we maintain logs, so that I can analyze it for any point of time.

I tried the history command as well and also added time to it, but it does not show the “users” of the command, and also it is session based, so its data does not get appended to the ~/.bash_history file unless the session is exited. Also, ~/.bash_history does not show time and user, so it’s not useful. Can anyone help me please? I just want to see which user executed which command from the moment the system is started, and at what time.
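For the two logging questions above, here is an added example (not from any of the posts) of what the kernel audit subsystem gives you that ~/.bash_history cannot: one record per execve carrying a timestamp, the login uid (auid, which survives sudo), the session id and argv, which can be joined to that session's sshd login record for the source IP. It assumes an audit rule such as auditctl -a always,exit -F arch=b64 -S execve -k cmds and parses constructed sample records written in auditd's raw /var/log/audit/audit.log format.

```python
import re
from datetime import datetime, timezone

# Constructed sample records in auditd's raw format (not from a real host):
# one sshd USER_LOGIN event, then SYSCALL/EXECVE pairs emitted by the rule
#   auditctl -a always,exit -F arch=b64 -S execve -k cmds
SAMPLE_AUDIT_LOG = """\
type=USER_LOGIN msg=audit(1577999990.000:500): pid=2190 uid=0 auid=1000 ses=4 msg='op=login id=1000 exe="/usr/sbin/sshd" hostname=? addr=192.0.2.10 terminal=ssh res=success'
type=SYSCALL msg=audit(1578000000.123:501): arch=c000003e syscall=59 success=yes exit=0 ppid=2200 pid=2201 auid=1000 uid=1000 gid=1000 tty=pts0 ses=4 comm="rmdir" exe="/usr/bin/rmdir" key="cmds"
type=EXECVE msg=audit(1578000000.123:501): argc=2 a0="rmdir" a1="abc"
type=SYSCALL msg=audit(1578000030.456:502): arch=c000003e syscall=59 success=yes exit=0 ppid=2300 pid=2301 auid=1000 uid=0 gid=0 tty=pts0 ses=4 comm="rm" exe="/usr/bin/rm" key="cmds"
type=EXECVE msg=audit(1578000030.456:502): argc=3 a0="rm" a1="-rf" a2="/srv/data"
"""

FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
EVENT_RE = re.compile(r"^type=(\w+) msg=audit\((\d+\.\d+):(\d+)\):")

def parse_line(line):
    """Split one raw record into (type, epoch seconds, serial, key=value fields)."""
    head = EVENT_RE.match(line)
    if not head:
        return None
    rtype, ts, serial = head.groups()
    fields = {k: v.strip("\"'") for k, v in FIELD_RE.findall(line)}
    return rtype, float(ts), serial, fields

def executions(log_text):
    """Join SYSCALL+EXECVE records by serial; attach the session's login address."""
    session_addr = {}  # ses -> remote address from a successful USER_LOGIN
    events = {}        # serial -> command record under construction
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if not parsed:
            continue
        rtype, ts, serial, f = parsed
        if rtype == "USER_LOGIN" and f.get("res") == "success":
            session_addr[f.get("ses")] = f.get("addr", "?")
        elif rtype == "SYSCALL" and f.get("key") == "cmds":
            events[serial] = {
                "time": datetime.fromtimestamp(ts, tz=timezone.utc).isoformat(timespec="seconds"),
                "auid": f["auid"], "uid": f["uid"], "tty": f.get("tty", "?"),  # auid = login user, survives sudo
                "from": session_addr.get(f.get("ses"), "local/unknown"), "argv": []}
        elif rtype == "EXECVE" and serial in events:  # argv lives in the paired EXECVE record
            events[serial]["argv"] = [f.get(f"a{i}", "") for i in range(int(f.get("argc", 0)))]
    return sorted(events.values(), key=lambda e: e["time"])

if __name__ == "__main__":
    for e in executions(SAMPLE_AUDIT_LOG):
        print(e["time"], f"auid={e['auid']} uid={e['uid']} from={e['from']}", " ".join(e["argv"]))
```

On a live system the same records are read with ausearch -k cmds, and the second sample row shows why auid matters: the rm ran as uid 0 under sudo, but the audit trail still names login user 1000 and the 192.0.2.10 session it came from.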