search
HomeWriteupsResourcesCheatsheets

Templated

Templated HackTheBox Web Challenge Writeup by Thamizhiniyan C S

hashtag
Overview

Greetings everyone,

In this write-up, we will tackle Templated from HackTheBox.

Challenge link: Templatedarrow-up-right

Difficulty Level: Easy

Let's Begin 🙌

First start the instance and navigate to the given IP address.

hashtag
Information Gathering - Website

We got the response back as site under construction, with a message Proudly powered by Flask/Jinja2. From this we can devise that the server is made up of Flask and it uses Jinja2 template engine.

If we try to access a route which is not available, the server responds with a page not found error.

If we take a look at the error, we can see that the error has reflected the route which we tried to access. This might be vulnerable to template injection.

hashtag
Testing Template Injection

So I looked out for Jinja2 payloads and found the following website:

LogoPayloadsAllTheThings/Server Side Template Injection/README.md at master · swisskyrepo/PayloadsAllTheThingsGitHubchevron-right

I tried the Detection payload from the above website to check whether it is vulnerable to template injection.

I used Postman to send requests because it will be easy to modify and send the request each time.

As mentioned in the Detection section, the server thrown a Error. So this site is vulnerable to template injection.

hashtag
Generating the Payload and Exploiting the Vulnerability

Next I tried some random payloads from the site and found the following which worked:

When I tried one of the above mentioned payloads, It worked:

Next again I tried some of the payloads in the above section and found the following payload to be working:

Okay, now we are able to execute commands and get the output for those commands. So I modified the request to list the contents of the directory:

Modified Payload: {{ self.**init**.**globals**.**builtins**.**import**('os').popen('ls').read() }}

If we take a look at the response we can see the flag file flag.txt. This time I modified the payload to view the contents of the flag.txt file:

Modified Payload: {{ self.**init**.**globals**.**builtins**.**import**('os').popen('cat flag.txt').read() }}

And we got the flag…….

PreviousEasyNextDFIR

Last updated