#readwise # Bike Write-up  ## Metadata - Author: [[Hack The Box]] - Full Title: Bike Write-up ## Highlights Template Engines are used to display dynamically generated content on a web page. They replace the variables inside a template file with actual values and display these values to the client (i.e. a user opening a page through their browser). For instance, if a developer needs to create a user profile page, which will contain Usernames, Emails, Birthdays and various other content, that is very hard if not impossible to achieve for multiple different users with a static HTML page. The template engine would be used here, along a static "template" that contains the basic structure of the profile page, which would then manually fill in the user information and display it to the user. Template Engines, like all software, are prone to vulnerabilities. The vulnerability that we will be focusing on today is called Server Side Template Injection (SSTI). ([View Highlight](https://read.readwise.io/read/01jrncg1c2hb9s65yhd6dgvr8e)) --- Server-side template injection is a vulnerability where the attacker injects malicious input into a template in order to execute commands on the server. ^lipter To put it plainly an SSTI is an exploitation technique where the attacker injects native (to the Template Engine) code into a web page. The code is then run via the Template Engine and the attacker gains code execution on the affected server. This attack is very common on Node.js websites and there is a good possibility that a Template Engine is being used to reflect the email that the user inputs in the contact field. ([View Highlight](https://read.readwise.io/read/01jrncgz26t7sqet4706pdj4b0)) --- In order to exploit a potential SSTI vulnerability we will need to first confirm its existence. After researching for common SSTI payloads on Google, we find this [Hacktricks](https://book.hacktricks.wiki/en/pentesting-web/ssti-server-side-template-injection/index.html) article that showcases exploitation techniques for various different template engines. The following image shows how to identify if an SSTI vulnerability exists and how to find out which Template engine is being used. Once the engine is identified a more specific payload can be crafted to allow for remote code execution. ([View Highlight](https://read.readwise.io/read/01jrncq64de1h0zdyfb212qrvr)) --- The [Detection](https://book.hacktricks.wiki/en/pentesting-web/ssti-server-side-template-injection/index.html#detection) paragraph in the Hacktricks page shows a variety of special characters commonly used in template expressions. ``` {{7*7}} ${7*7} <%= 7*7 %> ${{7*7}} #{7*7} ``` Some of these payloads can also be seen in the previous image and are used to identify SSTI vulnerabilities. If an SSTI exists, after submitting one of them, the web server will detect these expressions as valid code and attempt to execute them, in this instance calculating the mathematical equation `7*7` (Seven multiplied by Seven), which is equal to 49. ([View Highlight](https://read.readwise.io/read/01jrnd6sgn6j15zrgzreqdre99)) --- Let's move on to the second payload, which is `{{7*7}}` . After the payload is submitted, an error page pops up. This means that the payload was indeed detected as valid by the template engine, however the code had some error and was unable to be executed. An error is not always a bad thing. On the contrary for a Penetration Tester, it can provide valuable information. In this case we can see that the server is running from the `/root/Backend `directory and also that the Handlebars Template Engine is being used. ([View Highlight](https://read.readwise.io/read/01jrnd879ppf65r3gh18g07tmh)) --- To determine if this is the case, we can use Burpsuite to capture a POST request via FoxyProxy and edit it to include our payload. We provide a great module on [Using Web Proxies](https://academy.hackthebox.com/module/details/110). If you have not used BurpSuite before it will provide a lot of valuable information. After BurpSuite has been started and the web proxy correctly configured, submit the payload again. BurpSuite should capture the request and allow you to edit it. ([View Highlight](https://read.readwise.io/read/01jrndf4t06w4gph3b5zj9q78a)) --- Before we modify the request, let's send this HTTP packet to the Repeater module of BurpSuite by pressing `CTRL+R` . Now let's grab a payload from the section that is titled "Handlebars (NodeJS)" in the [HackTricks](https://book.hacktricks.wiki/en/pentesting-web/ssti-server-side-template-injection/index.html#handlebars-nodejsl) website. ([View Highlight](https://read.readwise.io/read/01jrndfzv0yttcj00z0hkpxsn6)) --- The above code might seem daunting to understand, but for this writeup our main focus will be the following line. ```handlebars {{this.push "return require('child_process').exec('whoami');"}} ``` This line instructs the server to execute a specific system command (in this case `whoami` ). Later in the writeup we will be modifying this line to execute different commands on the server. After copying the full payload from Hacktricks, we must URL encode it so that it will be correctly passed to the server. ([View Highlight](https://read.readwise.io/read/01jrnvwhp1jmbfp5pj9n8fdwdb)) --- The response shows an error that states `require is not defined`. This is likely the part of the payload that is erroring out. `require` is a keyword in Javascript and more specifically Node.js that is used to load code from other modules or files. The above code is attempting to load the [Child Process](https://nodejs.org/api/child_process.html) module into memory and use it to execute system commands (in this case `whoami`). Template Engines are often Sandboxed, meaning their code runs in a restricted code space so that in the event of malicious code being run, it will be very hard to load modules that can run system commands. If we cannot directly use require to load such modules, we will have to find a different way. ---