In many versions of the "Moan Shop" challenge, the vulnerability is prototype pollution.
The application uses a vulnerable library (like lodash or merge-deep) to combine user input into a configuration object.
An attacker sends a JSON payload containing the __proto__ key. This allows them to inject properties into the global object prototype, effectively changing the behavior of the entire application.

3. From Pollution to Remote Code Execution (RCE)

Once the attacker can "pollute" the global object, they target specific application behaviors to gain control:
In this challenge, participants are presented with a compressed archive (.7z) containing the source code for a fictional online storefront called "Moan Shop." The objective is to identify and exploit vulnerabilities within the application to retrieve a hidden "flag"—a specific string of text that proves the system was successfully breached.
Triggers a system command (e.g., cat /flag.txt) to read the secret flag.
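
The merge step described above, shown as an added example that is not code from the challenge or from any named library: a naive recursive merge beside a hardened one, run against the same JSON body. The function names, the config shape and the sample body are assumptions made for illustration.

```javascript
'use strict';

// Keys that reach a prototype when used as a property path.
const BLOCKED_KEYS = new Set(['__proto__', 'constructor', 'prototype']);
const isPlainObject = (v) => v !== null && typeof v === 'object' && !Array.isArray(v);

// Vulnerable (hypothetical stand-in for an unpatched merge helper): it follows
// "__proto__" like any other key, so target["__proto__"] is Object.prototype.
function naiveMerge(target, source) {
  for (const key of Object.keys(source)) {
    if (isPlainObject(source[key]) && isPlainObject(target[key])) {
      naiveMerge(target[key], source[key]);
    } else {
      target[key] = source[key];
    }
  }
  return target;
}

// Hardened: skips prototype-reaching keys and only recurses into own properties.
function safeMerge(target, source) {
  for (const key of Object.keys(source)) {
    if (BLOCKED_KEYS.has(key)) continue;
    const src = source[key];
    if (isPlainObject(src)) {
      const own = Object.prototype.hasOwnProperty.call(target, key);
      if (!own || !isPlainObject(target[key])) target[key] = {};
      safeMerge(target[key], src);
    } else {
      target[key] = src;
    }
  }
  return target;
}

// Constructed sample request body (not taken from the challenge).
const SAMPLE_BODY = '{"theme":"dark","__proto__":{"polluted":true}}';

// Merge the sample into a fresh config, then check whether an unrelated
// empty object inherits the injected property.
function demo(mergeFn) {
  const config = { theme: 'light' };
  mergeFn(config, JSON.parse(SAMPLE_BODY));
  const leaked = ({}).polluted === true;
  delete Object.prototype.polluted; // undo the pollution for the next run
  return { theme: config.theme, leaked };
}

console.log('naive:', demo(naiveMerge));
console.log('safe: ', demo(safeMerge));
```

Building configuration objects with Object.create(null) or freezing Object.prototype at startup are complementary mitigations to filtering keys in the merge.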