Web [150 pts]
Description: Check out the coolest web templates online!
When we first visit the site, we are greeted with a normal dashboard that appears to use a template engine. So we know our exploit will involve templates.

One useful piece of information is the JWT, which, when decoded, gives this:

So we know it is using HS256, and if we want to elevate our privileges, we need our username to be admin. HS256 can be brute-forced if it has a weak secret, so trying that with JTR (John the Ripper), we recover the signature secret:

Changing the JWT username to "admin" and re-signing the token with our secret will allow us to access the admin panel.
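
The server-side counterpart of this step, as an added example that is not part of the original writeup or the challenge's code: an HS256 verifier using only Python's standard library that pins the algorithm, compares MACs in constant time, and refuses keys shorter than the 32 bytes RFC 7518 requires for HS256. The keys, claims and function names are constructed for illustration.

```python
import base64, hashlib, hmac, json, secrets

MIN_HS256_KEY_BYTES = 32  # RFC 7518 section 3.2: key at least as long as the hash output

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def sign(claims: dict, key: bytes) -> str:
    header = b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = b64url(json.dumps(claims).encode())
    mac = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url(mac)}"

def verify(token: str, key: bytes) -> dict:
    """Return the claims, or raise ValueError if the token must be rejected."""
    if len(key) < MIN_HS256_KEY_BYTES:
        raise ValueError("HS256 key shorter than 32 bytes; refusing to use it")
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        header = json.loads(b64url_decode(header_b64))
        sig = b64url_decode(sig_b64)
    except (ValueError, TypeError) as exc:
        raise ValueError("malformed token") from exc
    # Pin the algorithm instead of trusting whatever the token header claims.
    if not isinstance(header, dict) or header.get("alg") != "HS256":
        raise ValueError("unexpected alg")
    signed_part = f"{header_b64}.{payload_b64}".encode()
    expected = hmac.new(key, signed_part, hashlib.sha256).digest()
    if not hmac.compare_digest(sig, expected):
        raise ValueError("bad signature")
    return json.loads(b64url_decode(payload_b64))

def accepts(token: str, key: bytes) -> bool:
    try:
        verify(token, key)
        return True
    except ValueError:
        return False

# Constructed sample values, not the challenge's real secret or token.
WEAK_KEY = b"secret123"               # the kind of key a wordlist recovers
STRONG_KEY = secrets.token_bytes(32)  # random 256-bit key, not guessable offline
user_token = sign({"username": "guest"}, STRONG_KEY)
forged = sign({"username": "admin"}, WEAK_KEY)  # edited claim, signed with a guessed key
```

With a random 256-bit key, the edited token fails the signature check, and the length check keeps a dictionary-word secret from being deployed in the first place.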

An interesting find comes up when we visit a 404 page from the side navbar:

Since it prints /admin/charts.html back to us, we can try to use this as an injection point for SSTI.
Using the payload {{config}}, we leak information about the application:

Using this payload, we are able to see the current files in the directory:
{{config.__class__.__init__.__globals__['os'].popen('ls').read()}}
Now we do see a flag.txt, so we simply change the ‘ls’ to cat the flag:
