HackTheBox - Server-side Attacks - Skills Assessment Walkthrough

Ido Abramov

Scenario

You are tasked with performing a security assessment of a client's web application. Apply what you have learned in this module to obtain the flag.

Walkthrough

Accessing the target URL redirects us to the following page:

After browsing the site for a bit, we enable Burp's proxy intercept to monitor the HTTP requests.

When the main page loads, we can observe several POST requests being made:

These requests include an api parameter that contains a URL as its value.

The URL includes an address and a parameter named id with a value (%3D is the URL-encoded form of =). The server appears to process this value and returns a JSON response containing the id and a corresponding location.

The results are displayed directly on the main page of the web application:

We can test different values to confirm the presence of an SSRF vulnerability, for example localhost with port 80:

However, we can keep using the current URL and focus on the id parameter, which is particularly interesting because it reflects its value back to us:

Since the id parameter reflects its value back to us, it raises the possibility of another vulnerability: SSTI (Server-Side Template Injection). To test for this, we'll inject a set of SSTI payloads (from resources like PayloadsAllTheThings) into the id parameter and observe the responses for signs that the template engine evaluated them.

And we successfully triggered one:

This confirms an SSTI vulnerability, triggered by {{3*3}}. The behavior suggests the template engine is Twig or Jinja, since {{3*'3'}} also returned 9.

Let's test for Jinja template injection:

No results were returned.

Let’s try testing for Twig template injection next:

We successfully exploited the SSTI vulnerability and revealed the source code of index.php.

Next, we need Twig-specific payloads to execute commands on the server and retrieve the flag.

We will use the following payload:

{{['<COMMAND>']|filter('system')}}

First, list all files in the root directory using this payload:

{{['ls+/']|filter('system')}}

The error disappears when using ls alone, which suggests the problem is the part after ls: the space followed by the / directory. Encoding the space as %20 instead of + did not help either.

To bypass the space restriction, we can use the ${IFS} variable as a substitute for the space character.

${IFS} is the shell's internal field separator; by default it contains a space (along with tab and newline), so expanding it inserts a space into the command without typing one, which lets us bypass the space restriction.

{{['ls${IFS}/']|filter('system')}}

We can see it worked, successfully returning all directories and files in the root directory.

The listing shows a flag.txt file; let's view its contents:

{{['cat${IFS}/flag.txt']|filter('system')}}

And we got the flag 😉
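From the defender's side, the probes used above leave distinctive traces in web-server logs. The following Python script is an added example, not part of the original walkthrough: it URL-decodes every query value (repeatedly, because the lab wrapped an encoded URL with id=... inside the api parameter) and flags the template delimiters, arithmetic probes, the Twig filter('system') call and the ${IFS} space bypass. The log lines and the loopback indicator name are constructed for the example.

```python
import re
from urllib.parse import parse_qs, unquote_plus, urlsplit

# Indicators taken from the probes in this walkthrough: template delimiters,
# arithmetic probes like {{3*3}} / {{3*'3'}}, Twig's filter('system') and ${IFS}.
INDICATORS = {
    "template_delimiters": re.compile(r"\{\{.*?\}\}|\{%.*?%\}", re.S),
    "arithmetic_probe": re.compile(r"\{\{\s*\d+\s*\*\s*['\"]?\d+['\"]?\s*\}\}"),
    "twig_system_filter": re.compile(r"\|\s*filter\(\s*['\"]system['\"]\s*\)"),
    "ifs_space_bypass": re.compile(r"\$\{?IFS\}?"),
    # A URL parameter pointing at loopback is SSRF context, not proof by itself.
    "loopback_url_target": re.compile(r"://(?:localhost|127(?:\.\d{1,3}){3}|\[::1\])(?=[:/?]|$)"),
}
REQUEST_LINE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')

# Constructed access-log lines (combined format); not taken from the lab.
SAMPLE_LOG = """\
10.10.14.5 - - [01/May/2024:10:00:01 +0000] "POST /index.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.10.14.5 - - [01/May/2024:10:00:02 +0000] "GET /index.php?id=%7B%7B3*3%7D%7D HTTP/1.1" 200 318 "-" "Mozilla/5.0"
10.10.14.5 - - [01/May/2024:10:00:03 +0000] "GET /index.php?api=http%3A%2F%2Flocalhost%2Fapi%3Fid%3D%257B%257B%255B%2527ls%2524%257BIFS%257D%252F%2527%255D%257Cfilter%2528%2527system%2527%2529%257D%257D HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
10.10.14.9 - - [01/May/2024:10:00:04 +0000] "GET /index.php?id=1 HTTP/1.1" 200 77 "-" "Mozilla/5.0"
"""

def decoded_values(target: str, max_depth: int = 3) -> list:
    """Every query value, URL-decoded repeatedly so nested encoded URLs are visible."""
    values = []
    for vals in parse_qs(urlsplit(target).query, keep_blank_values=True).values():
        for v in vals:  # parse_qs has already decoded once
            for _ in range(max_depth):
                values.append(v)
                decoded = unquote_plus(v)
                if decoded == v:
                    break
                v = decoded
    return values

def scan_line(line: str) -> list:
    """Sorted indicator names found in one log line ([] for clean or unparsable)."""
    m = REQUEST_LINE.search(line)
    if not m:
        return []
    hits = {name for value in decoded_values(m["target"])
            for name, pat in INDICATORS.items() if pat.search(value)}
    return sorted(hits)

def scan_log(text: str) -> list:
    """One finding per log line carrying at least one indicator."""
    return [{"line": n, "indicators": ind}
            for n, raw in enumerate(text.splitlines(), 1)
            if (ind := scan_line(raw))]
```

Running scan_log(SAMPLE_LOG) reports lines 2 and 3 only; the plain id=1 request and the POST without a query string produce no findings.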
