Template Shack
Nothing out of place. Checking the cookies, we see what looks to be a JSON Web Token.
jwt.io confirms that it's a JWT and that it's signed with HS256 (HMAC-SHA256). Let's see if we can forge our own by cracking this one.
Using jwt-tool to crack the key:
Time to forge our own admin JWT:
By changing the cookie value to our new JWT, we've accessed the admin account.
Nothing seems to work here, and the only two options that do work kick back a 404.
Interesting. The URL that's causing the error is reflected on the page, and it seems we can control it.
Since the name of the challenge is 'Template Shack', let's jump right into template injection.
Template injection is a go!
Starting with the list of classes, we can look for the 'subprocess.Popen' class. We need its exact index in the list, so let's use slicing to find it:
By continuously slicing at higher indices, we can track down exactly where subprocess.Popen is.
Now that it's at the top of the list, we know it's at index 405.
Payload:
Full url: