tsustyle

Aspiring Red Team

Template Shack

less than 1 minute read

img

img

Nothing out of place. Checking the cookies we see what looks to be a JSON Web Token

img

jwt.io confirms that it’s a JWT and it’s using HS256 as the hashing algorithm. Let’s see if we can forge our own by cracking this one.

img

Using jwt-tool to crack the key

img

Time to forge our own admin JWT:

img

By changing the cookie value to our new JWT, we’ve accessed the admin account

img

Nothing seems to work here, and the only two options that do work kick back a 404.

img

Interesting. The URL that’s causing the error seems to be reflected on the page. Seems like we can control it.

Since the name of the challenge is ‘Template Shack’, let’s jump right into template injection

img

img

Template injection is a go!

Starting with

img

we can look for the 'subprocess.Popen' class

img

we need it’s exact index in the list. Let’s use slicing to find it:

img

By continuously slicing higher indicies, we can track down exactly where subprocess.Popen is

img

img

Now that it’s at the top of the list, we know it’s at 405

Payload:

img

Full url:

img

img

You may also enjoy

Doctor

‘Doctor’ is an easy rated box on Hack The Box. We’ll use FFuF to discover a hidden registration page, Server Side Template Injection to gain a shell and a public exploit for Spelunker to elevate our privileges

Academy

‘Academy’ is an easy rated box on Hack The Box. We’ll use FFuF to discover a hidden page, metasploit to explot Laravel for access and common enumeration for privilege escalation

THM Challenge

‘THM Challenge’ is a WebApp that I wrote to send along with my CV to TryHackMe when they were recruiting Content Engineers

Granny & Grandpa

Granny & Grandpa are a pair of identical easy rated boxes on Hack the Box. We’ll use metasploit to exploit a buffer overflow in IIS 6.0/WebDav for access and a kernel exploit for privesc