tsustyle

Aspiring Red Team

Template Shack

less than 1 minute read

img

img

Nothing out of place. Checking the cookies we see what looks to be a JSON Web Token

img

jwt.io confirms that it’s a JWT and it’s using HS256 as the hashing algorithm. Let’s see if we can forge our own by cracking this one.

img

Using jwt-tool to crack the key

img

Time to forge our own admin JWT:

img

By changing the cookie value to our new JWT, we’ve accessed the admin account

img

Nothing seems to work here, and the only two options that do work kick back a 404.

img

Interesting. The URL that’s causing the error seems to be reflected on the page. Seems like we can control it.

Since the name of the challenge is ‘Template Shack’, let’s jump right into template injection

img

img

Template injection is a go!

Starting with

img

we can look for the 'subprocess.Popen' class

img

we need it’s exact index in the list. Let’s use slicing to find it:

img

By continuously slicing higher indicies, we can track down exactly where subprocess.Popen is

img

img

Now that it’s at the top of the list, we know it’s at 405

Payload:

img

Full url:

img

img

You may also enjoy

THM Challenge

‘THM Challenge’ is a WebApp that I wrote to send along with my CV to TryHackMe when they were recruiting Content Engineers

Granny & Grandpa

Granny & Grandpa are a pair of identical easy rated boxes on Hack the Box. We’ll use metasploit to exploit a buffer overflow in IIS 6.0/WebDav for access and a kernel exploit for privesc

Optimum

‘Optimum’ is an easy rated box on Hack the Box. We’ll exploit a vulnerable version of HttpFileServer for access and use Windows Exploit Suggester to find a kernel exploit for privesc

Bashed

‘Bashed’ is an easy rated box on Hack the Box. We’ll use gobuster to uncover some hidden directories on a webserver, use a custom bash/php client to gain a shell and exploit a script being run as a cronjob for root