HTB - Spookifier

Overview

Challenge: Spookifier
Rank: Very easy
Category: Web

Challenge description: There’s a new trend of an application that generates a spooky name for you. Users of that application later discovered that their real names were also magically changed, causing havoc in their life. Could you help bring down this application?

  1. The home page includes an input box which takes our name:

  2. After examining the challenge’s files, we can see that this app is using the Mako template engine:

     ```shell
     # Dockerfile content
     $ cat Dockerfile
     FROM python:3.8-alpine

     RUN apk add --no-cache --update supervisor gcc
     # Upgrade pip
     RUN python -m pip install --upgrade pip

     # Install dependencies
     RUN pip install Flask==2.0.0 mako flask_mako Werkzeug==2.0.0

     <SNIP>
     ```
  3. After searching for “flask mako” on Google, the first and third results were about Server Side Template Injection (SSTI):

    SSTI is when an attacker is able to use native template syntax to inject a malicious payload into a template, which is then executed server-side.

  4. There is a list of payloads on Hacktricks for detecting SSTI, and upon trying ${7*7} we can see that it works:

  5. PayloadsAllTheThings also has a Python Mako section with specific payloads for that template:

```shell
cd ../;cat flag.txt
```
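As an added example (not the challenge's source and not the post's own code), here is the Mako rendering pattern that makes the ${7*7} probe from step 4 come back as 49, beside the fixed version that keeps the template constant and passes the name as render data; the function names, the template text and the input check are assumptions of mine.

```python
import re

try:
    from mako.template import Template
    MAKO_AVAILABLE = True
except ImportError:  # the input-side check below still works without mako
    Template = None
    MAKO_AVAILABLE = False

# Probe from the post: if the output contains 49, the server evaluated it.
PROBE = "${7*7}"

# Mako-specific syntax: ${expr}, <% %> blocks, %-prefixed control lines,
# ## comments. Deliberately conservative: a plain name never matches.
_MAKO_SYNTAX = re.compile(r"\$\{|<%|%>|^\s*%|^\s*##", re.MULTILINE)


def render_vulnerable(name: str) -> str:
    """Assumed vulnerable shape: user input is concatenated into the
    template source, so Mako parses and executes whatever it contains."""
    return Template("Your spooky name is: " + name).render()


def render_fixed(name: str) -> str:
    """Fixed shape: the template text is a constant and the input is
    passed as render data; the h filter HTML-escapes it on output."""
    return Template("Your spooky name is: ${name | h}").render(name=name)


def contains_mako_syntax(value: str) -> bool:
    """Input-side check a defender can log or reject on."""
    return _MAKO_SYNTAX.search(value) is not None


def probe_evaluated(rendered: str) -> bool:
    """Response-side check: the probe text is gone and its result appeared."""
    return "49" in rendered and PROBE not in rendered


if __name__ == "__main__":
    for value in ("Dracula", PROBE):  # constructed sample inputs
        print(f"{value!r:10} mako syntax? {contains_mako_syntax(value)}")
    if MAKO_AVAILABLE:
        print("vulnerable:", render_vulnerable(PROBE))  # ... 49
        print("fixed:     ", render_fixed(PROBE))       # ... ${7*7}
```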
This post is licensed under CC BY 4.0 by the author.