tsustyle

Red Team Aspirant

Template Shack

less than 1 minute read

img

img

Nothing out of place. Checking the cookies we see what looks to be a JSON Web Token

img

jwt.io confirms that it’s a JWT and it’s using HS256 as the hashing algorithm. Let’s see if we can forge our own by cracking this one.

img

Using jwt-tool to crack the key

img

Time to forge our own admin JWT:

img

By changing the cookie value to our new JWT, we’ve accessed the admin account

img

Nothing seems to work here, and the only two options that do work kick back a 404.

img

Interesting. The URL that’s causing the error seems to be reflected on the page. Seems like we can control it.

Since the name of the challenge is ‘Template Shack’, let’s jump right into template injection

img

img

Template injection is a go!

Starting with

img

we can look for the 'subprocess.Popen' class

img

we need it’s exact index in the list. Let’s use slicing to find it:

img

By continuously slicing higher indicies, we can track down exactly where subprocess.Popen is

img

img

Now that it’s at the top of the list, we know it’s at 405

Payload:

img

Full url:

img

img

You may also enjoy

Tenet

‘Tenet’ is a medium rated box on Hack the Box. We’ll be using PHP Object Injection to get RCE and identify a race condition in a custom script for privesc.

Skynet

‘Skynet’ is a box on TryHackMe. We’ll be enumerating SMB shares, brute forcing a login and exploiting a Remote File Inclusion vulnerability in Cuppa CMS for a foothold. For our root shell we’ll take a look at exploiting some wildcard injection using a script that’s being run as a cronjob.

FFuF Cheatsheet

This is a Cheatsheet I created for reference when using FFuF

Ready

‘Ready’ is a medium rated box on Hack the Box. We’ll be using a public exploit for a vulnerable Gitlab version for a shell, enumeration and password reuse for privesc and escape a docker container for root