Templated

Templated HackTheBox Web Challenge Writeup by Thamizhiniyan C S

Overview

Greetings everyone,

In this write-up, we will tackle Templated from HackTheBox.

Challenge link: Templated

Difficulty Level: Easy

Let's Begin 🙌

First start the instance and navigate to the given IP address.


Information Gathering - Website

The response is a "site under construction" page with the message "Proudly powered by Flask/Jinja2". From this we can infer that the server runs Flask and uses the Jinja2 template engine.

If we try to access a route which is not available, the server responds with a page not found error.

If we take a look at the error page, we can see that it reflects the route we tried to access. User input reflected into a Jinja2-rendered page might be vulnerable to template injection.


Testing Template Injection

So I looked for Jinja2 payloads and found the following website:

I tried the Detection payload from the above website to check whether it is vulnerable to template injection.

I used Postman to send requests because it will be easy to modify and send the request each time.

As mentioned in the Detection section, the server threw an error, so this site is vulnerable to template injection.


Generating the Payload and Exploiting the Vulnerability

Next I tried some random payloads from the site and found the following which worked:

When I tried one of the above mentioned payloads, it worked:

Next, I tried some of the payloads in the above section again and found the following payload to be working:

Okay, now we are able to execute commands and get the output for those commands. So I modified the request to list the contents of the directory:

Modified Payload: {{ self.__init__.__globals__.__builtins__.__import__('os').popen('ls').read() }}

If we take a look at the response we can see the flag file flag.txt. This time I modified the payload to view the contents of the flag.txt file:

Modified Payload: {{ self.__init__.__globals__.__builtins__.__import__('os').popen('cat flag.txt').read() }}

And we got the flag.
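As an added defensive example (not part of the original writeup), the following Python script scans web-server access-log lines for the kind of probes used above: Jinja2 expression or statement tags and dunder attribute access arriving through the request path that the 404 page reflects. The log lines, IP addresses and the Common Log Format regex are constructed assumptions; the returned findings are what a detection rule would alert on.

```python
import re
from urllib.parse import unquote

# Constructed sample access-log lines (Common Log Format), not taken from the challenge.
SAMPLE_LOG = """\
10.0.0.5 - - [01/Jan/2024:10:00:01 +0000] "GET / HTTP/1.1" 200 512
10.0.0.5 - - [01/Jan/2024:10:00:02 +0000] "GET /about HTTP/1.1" 404 231
10.0.0.9 - - [01/Jan/2024:10:00:03 +0000] "GET /%7B%7B7*7%7D%7D HTTP/1.1" 404 228
10.0.0.9 - - [01/Jan/2024:10:00:04 +0000] "GET /{{self.__init__.__globals__}} HTTP/1.1" 404 300
10.0.0.9 - - [01/Jan/2024:10:00:05 +0000] "GET /%7B%25%20if%201%20%25%7Dx%7B%25%20endif%20%25%7D HTTP/1.1" 404 228
"""

# Assumed log layout: client IP, identd, user, timestamp, request line, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

# Indicators of a Jinja2 template-injection probe inside a request path.
INDICATORS = [
    (re.compile(r'\{\{.*\}\}'), 'expression tags'),
    (re.compile(r'\{%.*%\}'), 'statement tags'),
    (re.compile(r'__(class|init|globals|builtins|import|subclasses|mro)__'),
     'dunder attribute access'),
]


def classify_path(path):
    """Return the indicator labels matching a request path (decoded twice to
    catch single- and double-URL-encoded probes)."""
    decoded = unquote(unquote(path))
    return [label for rx, label in INDICATORS if rx.search(decoded)]


def scan_log(text):
    """Parse each log line and collect requests whose path carries SSTI indicators."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that do not fit the assumed format
        hits = classify_path(m.group('path'))
        if hits:
            findings.append({'ip': m.group('ip'), 'path': m.group('path'),
                             'status': int(m.group('status')), 'indicators': hits})
    return findings


if __name__ == '__main__':
    for f in scan_log(SAMPLE_LOG):
        print(f"{f['ip']} {f['status']} {f['path']} -> {', '.join(f['indicators'])}")
```

Flagging these paths on the 404 handler is the early signal; the fix on the application side is to pass the requested route to the template as a variable instead of concatenating it into the template string.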
