/tags/node/ Recent content in node on Hugo -- gohugo.io en-us Sat, 11 Apr 2026 12:00:00 +0000 /writeups/fcsc-aquarium/ Sat, 11 Apr 2026 12:00:00 +0000 /writeups/fcsc-aquarium/ FCSC Aquarium | FCSC 2026 Challenge The challenge gives us the full source of a Dockerized Node.js web app that serves an animated aquarium page. There is a SUID binary /getflag that reads the flag from /root/flag.txt. Goal is obvious. Looking at the source Two services run inside the container via supervisord. The web app (server.mjs) is started with the Node.js permission model: node --permission --allow-fs-read=/ /usr/app/server.mjs The second one is a messages service (messages.