Templated | HackTheBox Walkthrough

Nihir Zala
5 min read · Jun 22, 2024


The first step here was to try a few different routes on this URL and see what came back. You could start with a ‘fuzzer’, a tool that automates requesting many common routes to see what exists, but before resorting to a specialised tool I always like to try a few common paths by hand. Sure enough, a simple ‘/test’ route returned something interesting.

Here we can see that the path we entered ends up on the page as a string. This is interesting because any data inserted into the page is likely coming from Python. Therefore, this could be a good place to insert some template code and see whether we can get code execution. If you are not familiar with Python templating engines: code is inserted using a special syntax that marks which parts of the template are meant to be evaluated rather than printed literally. In the case of Jinja, the syntax is “{{ ... }}”, where anything inside the double curly brackets is evaluated by Python before it appears in the HTML of the web page. Armed with this knowledge, we can use a favourite tool of mine, CyberChef, to URL-encode the strings we send, so that the curly brackets and other special characters are not misinterpreted on their way to the server.

We are simply sending a small arithmetic expression to see whether the Python server evaluates what we send. Sure enough, we get the response we were looking for: the server has evaluated 7*7 to 49.

So what, we did some math? While this doesn’t seem like much at first, we can now use this ability to reach some of the more sensitive areas of Python. For example, if we change our math expression to the following:

{{config.items()}}

Then we get a really nice response:

This works because Flask, by default, exposes a config object to templates. You can read more about that in the Flask documentation. By calling config.items() to list everything on that object, as shown above, we can see all sorts of information about this application, including the SECRET_KEY, which could be used to forge authentication for this application. If that isn’t dangerous enough, it is just as easy to modify the application’s configuration itself. An example might look like:

    config.update(
        TESTING=True,
        SECRET_KEY='pwnd'
    )

Now we are starting to understand how dangerous this vulnerability can be, but let’s push a little further to complete the challenge. To explore the depths of this danger zone, we need to look for a special class in Python that provides “Popen”. This will not only give us code execution in Python but will let us run any specified command on the host machine itself and return the results (yikes)! It is a bit hidden, but here is how you find it.

First, we start from an empty string “” so that we can access its “__class__” attribute. That class has a special attribute “__mro__”, which holds the sequence of classes it inherits from. We take the second entry, at index 1, and call the “__subclasses__” method on it. Whew, that was a lot, but if you made it through, the resulting expression looks like this:

{{''.__class__.__mro__[1].__subclasses__()}}

Inserting that into the URL returns a massive result with hundreds of subclasses providing different functionality. As stated previously, we are looking for “Popen”.

Because of the number of results, it is easier to narrow them down with a list slice, as shown below: appending [400:] returns everything from index 400 to the end of the list.

Finally, we can see that “Popen” is there at index 414.
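From the defender’s side, every probe walked through above, the 7*7 test, the config.items() dump and the __class__/__mro__/__subclasses__ chain, leaves either the Jinja delimiters or those dunder names in the request path, whether or not it was URL-encoded with CyberChef. The following is an added example, not code from the post or the challenge, that scans constructed Flask-style access log lines for exactly those markers; the log format and sample lines are assumptions for illustration.

```python
"""Flag access-log requests whose URL path carries Jinja template syntax."""
import re
from urllib.parse import unquote

# Constructed sample log lines (not captured from the challenge): the /test
# route, the {{7*7}} probe, the config dump and the __subclasses__ walk from
# the write-up, URL-encoded as a browser would send them, plus one benign hit.
SAMPLE_LOG = """\
10.0.0.5 - - [22/Jun/2024 10:01:02] "GET /test HTTP/1.1" 404
10.0.0.5 - - [22/Jun/2024 10:01:09] "GET /%7B%7B7*7%7D%7D HTTP/1.1" 404
10.0.0.5 - - [22/Jun/2024 10:01:30] "GET /%7B%7Bconfig.items()%7D%7D HTTP/1.1" 404
10.0.0.5 - - [22/Jun/2024 10:02:11] "GET /%7B%7B''.__class__.__mro__%5B1%5D.__subclasses__()%5B400:%5D%7D%7D HTTP/1.1" 404
10.0.0.9 - - [22/Jun/2024 10:03:00] "GET /static/app.css HTTP/1.1" 200
"""

# Assumed log shape: the default Werkzeug/Flask development-server format.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) .*?"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

# Jinja expression/statement delimiters plus the attribute chain the post
# walks to reach __subclasses__, and the Flask config object.
TEMPLATE_RE = re.compile(r"\{\{|\{%|__class__|__mro__|__subclasses__|\bconfig\.")

def fully_decode(value, max_rounds=3):
    """URL-decode repeatedly so double-encoded payloads (%257B...) are caught."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def find_ssti_probes(log_text):
    """Return (ip, decoded_path, matched_tokens) for each suspicious request."""
    hits = []
    for line in log_text.splitlines():
        match = LOG_RE.match(line)
        if not match:
            continue
        path = fully_decode(match.group("path"))
        tokens = sorted(set(TEMPLATE_RE.findall(path)))
        if tokens:
            hits.append((match.group("ip"), path, tokens))
    return hits

if __name__ == "__main__":
    for ip, path, tokens in find_ssti_probes(SAMPLE_LOG):
        print(f"{ip} {path} -> {', '.join(tokens)}")
```

The benign /test and /static requests are not flagged; only the three template probes are, with their decoded paths and the markers that matched.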

Now that we know where this class lives, we can use CyberChef to build a URL-encoded payload that should give us access to the host machine itself!

All we are doing here is listing the files in the current directory to see what comes back. Upon entering this into the URL, we get the following:

The files and directories are listed for our convenience, albeit not in a very reader-friendly form. We are now free to explore the data on this machine, and if you look closely there is a file named “flag.txt”. To complete the challenge, all we need to do is use the “cat” command to read that file and capture the flag!

Of course, I am not going to post the real flag; you can solve this challenge and get the flag for yourself! However, I hope that you have learned some useful tricks from this article. Stay tuned for the next Hack The Box write-up!

You can follow me on social media:

Twitter, Linkedin, Instagram & Github.



Nihir Zala

Hi there, I'm Nihir Zala, a Laravel developer from Gujarat, India, with over 2.5 years of professional experience. I am also learning penetration testing through THM and HTB.