Templated — Hack The Box Technical Write-up

Austin Felix
7 min read · Aug 7, 2021


Welcome to another Hack the Box write-up! If you have read my previous write-up on the BabyEncryption cryptography challenge, then you know how big of a fan I am of Hack the Box. Websites like Hack the Box have helped me and many others gain real-world experience in cybersecurity in a safe and ethical way. While there are several websites that provide challenges, Hack the Box is my personal favorite, though it probably lands on the high end of the difficulty scale. Its challenges are not always the most beginner-friendly, but I believe they provide a more “real-life” hacking experience, and if you are not afraid of doing some research on your own, it can also be a great way to learn and sharpen your cybersecurity skills. This is why I like to create technical write-ups: not only to document the information I find, but hopefully to help others who need hints and guidance while learning new skills.

The challenge being discussed today is called “Templated”, and it is located under the Web sub-section of the Challenges section of the platform. I believe that this challenge also provides a great introduction to what web application penetration testing can look like.

Once I started the challenge, I was presented with a URL that pointed to a Docker container running the target web application. Upon visiting the URL, I could see the website as shown below:

At first, it doesn’t look like much, and it almost makes you think that there can’t possibly be a vulnerability on such a simple webpage, right? But remember, this is Hack the Box, and there is always more than meets the eye. To move forward with this challenge, the only information we are given is that the website is “Proudly powered by Flask/Jinja2”. For those who may not be aware, Flask is a framework for building APIs and web applications in Python, and Jinja2 is a templating engine that allows Python expressions to be embedded in a standard webpage. While this is useful for a developer, we will see that it can also cause security issues which can be very dangerous. I also recommend doing some additional research on these technologies if you are curious. My initial research when tackling this challenge brought me across an article on server-side template injection (SSTI) with Flask, which was a big help in solving it.

The first step was to try some different routes on this URL and see what came back. You could start by using a tool known as a “fuzzer”, which automates trying many common routes to see what you can find. However, before resorting to a specialized tool, I always like to try a few common routes by hand. Sure enough, I got something interesting by trying a simple “/test” route.

Here we can see that the URL we entered ends up on the page as a string. This is quite interesting, because we know that any data inserted into the page is likely coming from Python. Therefore, this could be a great place to start inserting some Python code to see if we can get code execution. Again, if you are not familiar with Python templating engines, code is typically inserted using a special “syntax” to mark that it is supposed to be executed by Python. In the case of Jinja, the syntax is “{{}}”: anything inside the double curly brackets will be evaluated by Python before appearing in the HTML of the webpage. Armed with this knowledge, we can use a favorite tool of mine, CyberChef, to create URL-encoded strings so that the data we are looking to send doesn’t get misinterpreted.

Here we are just testing a simple math calculation to see if we can get the Python server to do things. Sure enough, we see the response we are looking for! The server has evaluated 7*7 to 49.
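To make the root cause concrete, here is an added example (not the challenge’s code, and not from the original post) showing the pattern that produces this behaviour beside its fixed form. Flask’s render_template_string() compiles the given string with the app’s Jinja2 environment, so the example uses Jinja2 directly to keep it dependency-light; the “not found” page, the FAKE_CONFIG dict standing in for Flask’s app.config, and the function names are assumptions. The sandbox function at the end shows what Jinja2’s SandboxedEnvironment does with the attribute walk described later in this write-up.

```python
"""Vulnerable vs. hardened Jinja2 rendering (added example, not the challenge's code)."""
from jinja2 import Environment
from jinja2.exceptions import SecurityError
from jinja2.sandbox import SandboxedEnvironment

# Stand-in for Flask's app.config; the secret is a constructed demo value.
FAKE_CONFIG = {"SECRET_KEY": "constructed-demo-key", "TESTING": False}

env = Environment(autoescape=True)


def render_vulnerable(path: str) -> str:
    """The pattern behind the challenge: the requested path is pasted into the
    template *source*, so Jinja2 evaluates any {{ ... }} the client sends.
    Note that autoescape does nothing here; the damage happens at compile time."""
    source = f"<h1>Not found</h1><p>The page {path} could not be found.</p>"
    return env.from_string(source).render(config=FAKE_CONFIG)


def render_fixed(path: str) -> str:
    """Hardened form: the template source is a constant and the path is passed
    as a context variable, so it is only ever treated as data (and HTML-escaped)."""
    source = "<h1>Not found</h1><p>The page {{ path }} could not be found.</p>"
    return env.from_string(source).render(path=path)


def sandbox_blocks(template_source: str) -> bool:
    """Defence in depth: SandboxedEnvironment refuses underscore-prefixed
    attribute access, so the __class__/__mro__/__subclasses__ walk raises
    SecurityError. Returns True if rendering was blocked."""
    try:
        SandboxedEnvironment().from_string(template_source).render()
    except SecurityError:
        return True
    return False


if __name__ == "__main__":
    print(render_vulnerable("{{7*7}}"))              # contains 49
    print(render_vulnerable("{{config.items()}}"))   # leaks FAKE_CONFIG
    print(render_fixed("{{7*7}}"))                   # literal {{7*7}}
    print(sandbox_blocks('{{ "".__class__.__mro__[1].__subclasses__() }}'))  # True
```

The fix is not escaping or a blocklist but never letting request data reach the template source; the sandbox is a second layer, since anything still passed into the context (such as a config object) remains readable.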

So what, we did some math? While this doesn’t seem like much at first, we can now exploit this ability to access some of the juicier areas of Python. For example, if we change our math expression to the following:

{{config.items()}}

Then we get a really nice response:

This is due to the default setup of Flask, which provides a config object for web applications. You can read more about that in the Flask documentation. By making a function call to get all the items on the config object, as shown above, we can see all sorts of information about this application. This can include things such as the secret key, which could be used to forge authentication with this application. If this isn’t dangerous enough, it is just as easy to modify the configuration of the application itself! An example of this might look something like:

config.update(
    TESTING=True,
    SECRET_KEY='pwnd'
)

Now we are starting to understand how dangerous this vulnerability can be, but let’s push a little further to complete the challenge. In order to explore the depths of this danger zone, we need to look for a special class in Python which has a function called “Popen”. This function will not only give us code execution in Python, but will actually allow us to run any specified command on the host machine itself and return the results (yikes)! This function is a bit hidden, but here is how you find it.

First, we use an empty string “” to access its “__class__” attribute. This “__class__” attribute in turn has a special attribute “__mro__”, which contains a list of objects. We access the second object using an index of 1 and then call the “__subclasses__” method on it. Whew, that was a lot, but if you made it through, you can see what that looks like below:

Inserting that into our browser will return a massive result with hundreds of subclasses that provide different functionalities. As stated previously, we are looking for “Popen”.

Due to the number of results, it is easier to narrow them down using a list slice, as shown below. Here we should get back everything from index 400 to the end of the list.

Finally, we can see that “Popen” is there at index 414.

Now that we know where this function is, we can use CyberChef to create a URL-encoded payload that should give us access to the host machine itself!

All we are looking to do here is list the files in the current directory and see what comes back. Upon entering this into the URL, we get the following:

We can see that all the directories and files on this machine are listed for our convenience, albeit not in a very reader-friendly way. Now we are free to explore any and all data on this machine, and if you look closely, there is a file named “flag.txt”. To complete our challenge, all we need to do is use the “cat” command to read the file and capture that flag!
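Every step of this walkthrough leaves a trace in the web server’s access log, because the probes travel in the URL path (CyberChef’s encoding step, run in reverse). The following added example, which is not part of the original post, percent-decodes request paths from constructed combined-format log lines and flags the exact strings this write-up used: Jinja delimiters, config.items()/config.update, the __class__/__mro__/__subclasses__ walk, and Popen. The log lines, IPs and timestamps are constructed; the function and indicator names are assumptions.

```python
"""Log-side detection of the SSTI probing shown in this write-up (added example)."""
import re
from urllib.parse import unquote

# Constructed access-log lines mirroring the write-up's sequence:
# /test, {{7*7}}, {{config.items()}}, then the __class__ walk. 10.0.0.9 is benign.
SAMPLE_LOG = """\
10.0.0.5 - - [07/Aug/2021:10:00:01 +0000] "GET /test HTTP/1.1" 200 512
10.0.0.5 - - [07/Aug/2021:10:00:07 +0000] "GET /%7B%7B7*7%7D%7D HTTP/1.1" 200 515
10.0.0.5 - - [07/Aug/2021:10:00:21 +0000] "GET /%7B%7Bconfig.items()%7D%7D HTTP/1.1" 200 2048
10.0.0.5 - - [07/Aug/2021:10:01:03 +0000] "GET /%7B%7B%22%22.__class__.__mro__%5B1%5D.__subclasses__()%5B400:%5D%7D%7D HTTP/1.1" 200 65536
10.0.0.9 - - [07/Aug/2021:10:02:00 +0000] "GET /about HTTP/1.1" 200 512
"""

# Combined log format: client, identd, user, [timestamp] "METHOD path proto" status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

# Indicators limited to the strings used in the write-up itself.
INDICATORS = [
    ("jinja_delimiter", re.compile(r"\{\{.*?\}\}|\{%.*?%\}", re.S)),
    ("flask_config", re.compile(r"\bconfig\.(items|update)\b")),
    ("class_walk", re.compile(r"__(class|mro|subclasses)__")),
    ("popen", re.compile(r"\bPopen\b")),
]


def decode_path(path: str, rounds: int = 3) -> str:
    """Percent-decode repeatedly (bounded) so double-encoded probes are still seen."""
    for _ in range(rounds):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    return path


def scan_log(text: str) -> list:
    """Return one dict per request whose decoded path carries any indicator."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in the expected format
        decoded = decode_path(m.group("path"))
        found = [name for name, rx in INDICATORS if rx.search(decoded)]
        if found:
            hits.append({"ip": m.group("ip"), "ts": m.group("ts"),
                         "path": decoded, "indicators": found})
    return hits


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(hit["ip"], hit["ts"], ",".join(hit["indicators"]), hit["path"])
```

A single jinja_delimiter hit is worth a look but can be noise; the same client progressing from delimiters to config access to the class walk within a minute, as in the sample, is the pattern to alert on. Matching on the decoded path also catches probes sent through the query string or form fields if those are logged, since the decoder is applied to whatever field you hand it.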

Of course, I am not going to post the real flag; you can solve this challenge and get the flag for yourself! However, I hope that you have learned some useful tricks from this article. Stay tuned for the next Hack The Box write-up!
