blob: dd7661cc4669b36cc354eefc0f2eaf78b8356279 (
plain) (
blame)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
|
Literally RCE as a service with training wheels.
Get to dynamically dispatch a C# function from JSON descripiton.
Even the type string is returned to you in the service exception output.
Once you have code execution its a matter of making the flag accessible
through another endpoint, since the program expects an Image return type,
but GetUser returns a String, so an exception is thrown, preventing
you from getting the output directly in the HTTP response.
We move the flag to wwwroot/js/flag.js. Need the extension, since
otherwise the strict web router will not allow us to download it.
|
