Template Shack

Web [150 pts]

Description: Check out the coolest web templates online!

When we first visit the site we are greeted with a normal dashboard, and the site appears to use a template engine. So we know our exploit will involve templates.

One useful piece of information is the JWT, which, when decoded, gives this:

So we know it is using HS256, and if we want to elevate our privileges, we need our username to be admin. HS256 can be brute-forced if it has a weak secret, so trying that with JtR (John the Ripper), we recover the signing secret:

Changing the JWT username to “admin” and re-signing it with the recovered secret allows us to access the admin panel.
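The token handling above, as an added example that is not part of the challenge or of this writeup: a stdlib-only HS256 sign/verify with the algorithm pinned, a constant-time MAC comparison, and the RFC 7518 key-length check that a weak secret like the one recovered here would fail. The claim name username and the sample secrets are assumptions.

```python
import base64
import hashlib
import hmac
import json
from typing import Optional


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def segment(obj: dict) -> str:
    """One base64url-encoded JSON segment of a compact JWS."""
    return b64url_encode(json.dumps(obj, separators=(",", ":")).encode())


def sign_hs256(claims: dict, secret: bytes) -> str:
    """Issue a compact JWS over the claims with HMAC-SHA256."""
    signing_input = segment({"typ": "JWT", "alg": "HS256"}) + "." + segment(claims)
    tag = hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(tag)


def verify_hs256(token: str, secret: bytes) -> Optional[dict]:
    """Return the claims only if the token is well-formed, alg is HS256 and the MAC matches."""
    parts = token.split(".")
    if len(parts) != 3:
        return None
    header_b64, claims_b64, sig_b64 = parts
    try:
        header = json.loads(b64url_decode(header_b64))
        if header.get("alg") != "HS256":  # pin the algorithm; never let the header choose it
            return None
        expected = hmac.new(secret, f"{header_b64}.{claims_b64}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
            return None
        return json.loads(b64url_decode(claims_b64))
    except ValueError:  # covers bad base64, bad JSON and bad UTF-8
        return None


def secret_is_strong(secret: bytes) -> bool:
    """RFC 7518 section 3.2: an HS256 key should be at least 256 bits of random data."""
    return len(secret) >= 32


def tamper_username(token: str, new_name: str) -> str:
    """Rewrite the assumed 'username' claim but keep the old signature; verification must reject this."""
    header_b64, claims_b64, sig_b64 = token.split(".")
    claims = json.loads(b64url_decode(claims_b64))
    claims["username"] = new_name
    return header_b64 + "." + segment(claims) + "." + sig_b64
```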

An interesting find when we visit a 404 page from the side navbar:

Since the error page echoes the requested path (/admin/charts.html) back to us, we can try to use it as an injection point for SSTI.

Using the payload {{config}}, we leak information about the application:

Using this payload, we are able to see the current files in the directory:

{{config.__class__.__init__.__globals__['os'].popen('ls').read()}}

Now we can see a flag.txt, so we simply change the ‘ls’ to cat the flag:
