Spookifier
There's a new trend of an application that generates a spooky name for you. Users of that application later discovered that their real names were also magically changed, causing havoc in their lives. Could you help bring down this application?
As we can see, the application renders the submitted name in several different fonts.
SSTI
Let's provide the following input:
${9+9}
The expression is evaluated and its result comes back in the response, which tells us the vulnerability is server-side template injection (SSTI).
Identifying the Template Engine
Before we move on to crafting our payload, we need to first identify the template engine being used by the server. There are two methods that we can follow.
Using payloads
This decision graph from PayloadsAllTheThings gives us the sequence of probes to use in order to identify the engine:
Let's begin with the first payload.
${7*7}
Since this payload is evaluated, we move on to the next one:
a{*comment*}b
This one is not evaluated, so we move on to the next one:
${"z".join("ab")}
This payload is evaluated, which tells us that the server is running the Mako template engine.
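The same probe syntax used above to fingerprint the engine is also what a defender would look for in the application's access logs. As an added example (not part of this writeup), the Python scanner below parses constructed common-log-format lines, decodes the text query parameter the application takes, and reports which template-engine family each suspicious value targets; the log lines are constructed and the family names are labels chosen here, not taken from the page.

```python
import re
from urllib.parse import parse_qs, urlparse

# Template-expression delimiters grouped by the engine families that use them.
# The probes from the identification steps (${7*7}, a{*comment*}b,
# ${"z".join("ab")}) each fall into one of these families.
EXPRESSION_PATTERNS = {
    "mako/jsp-style ${...}": re.compile(r"\$\{[^}]*\}"),
    "jinja2/twig {{...}}": re.compile(r"\{\{[^}]*\}\}"),
    "smarty {*...*}": re.compile(r"\{\*[^}]*\*\}"),
    "mako/erb <%...%>": re.compile(r"<%.*?%>", re.S),
    "ruby/pebble #{...}": re.compile(r"#\{[^}]*\}"),
}

# Minimal common-log-format line: client, request target, status code.
LOG_LINE = re.compile(
    r'^(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|POST) (\S+) [^"]*" (\d{3})'
)

# Constructed sample log: one benign request and four fingerprinting probes.
SAMPLE_LOG = [
    '10.0.0.5 - - [31/Oct/2023:20:01:02 +0000] "GET /?text=Alice HTTP/1.1" 200 512',
    '10.0.0.9 - - [31/Oct/2023:20:01:07 +0000] "GET /?text=%24%7B9%2B9%7D HTTP/1.1" 200 516',
    '10.0.0.9 - - [31/Oct/2023:20:01:12 +0000] "GET /?text=a%7B*comment*%7Db HTTP/1.1" 200 520',
    '10.0.0.9 - - [31/Oct/2023:20:01:15 +0000] "GET /?text=%24%7B%22z%22.join(%22ab%22)%7D HTTP/1.1" 200 518',
    '10.0.0.9 - - [31/Oct/2023:20:01:20 +0000] "GET /?text=%7B%7B7*7%7D%7D HTTP/1.1" 200 514',
]


def classify_probe(value):
    """Return the engine families whose expression syntax appears in value."""
    return [name for name, pat in EXPRESSION_PATTERNS.items() if pat.search(value)]


def scan_log(lines, param="text"):
    """Return (client, status, decoded_value, families) for every request whose
    `param` query value carries template-expression syntax."""
    findings = []
    for line in lines:
        m = LOG_LINE.match(line)
        if not m:
            continue  # skip lines that are not in the expected format
        client, target, status = m.groups()
        # parse_qs percent-decodes each value once, so %24%7B... becomes ${...}
        for value in parse_qs(urlparse(target).query).get(param, []):
            families = classify_probe(value)
            if families:
                findings.append((client, int(status), value, families))
    return findings


if __name__ == "__main__":
    for client, status, value, families in scan_log(SAMPLE_LOG):
        print(f"{client} {status} {value!r} -> {', '.join(families)}")
```

A status of 200 on a flagged request only shows the probe reached the handler; confirming that the expression was evaluated still requires the response body, which a plain access log does not record.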
Using code review
Alternatively, we can simply read the code to identify the engine. Let's start with the config file.
Looking at the supervisord.conf file, we can see that it runs the /app/run.py file.
Then run.py imports app from application.main and runs it on port 1337.
As we can see, the app object is using Mako templates.
The web object is also imported from application.blueprints.routes.
This script takes the argument passed to the text parameter and sends it to the spookify() function, which is imported from application.util.
The change_font() function simply converts the user input into a list and replaces each character with its mapped character from a different font.
Payload
Since there is no input validation being performed, we can run arbitrary commands.
Let's access the os module and find our user.
${self.module.cache.util.os.popen('id').read()}
We can now read the flag.txt file using a similar payload:
${self.module.cache.util.os.popen('cat ../flag.txt').read()}
Flag
HTB{t3mpl4t3_1nj3ct10n_C4n_3x1st5_4nywh343!!}