N1CTF 2025

Web challenge writeups from N1CTF 2025 — a Node/Express chain: sha.js hash-rewind JWT forgery (CVE-2025-9288), path.extname filter bypass, path traversal, and EJS SSTI to RCE.

0 categories 1 note

Notes

1 total

eezzjs — sha.js hash-rewind JWT forgery (CVE-2025-9288) → path.extname bypass → EJS RCE

Forge an admin JWT without the secret by abusing sha.js 2.4.x update() rewind (a payload object with length:-45 cancels header+secret from the hash), bypass a /js/ extension filter with path.extname("x.ejs/.")===".", path-traverse the upload into views/, and render it via ?templ= for EJS SSTI RCE.

web web-server nodejs express jwt jwt-forgery +13