Official JerryTok Discussion

Official discussion thread for JerryTok. Please do not post any spoilers or big hints.

Oops. There was a pretty nice rabbit hole. Stay away from it.

There are at least two ways for this challenge. I thought that was a rabbit hole.


I was able to get partial results, but not what I really need. Do you mind if I DM you for a little sanity check?

No I don’t mind. Send it to me

Done! Nice challenge.

Some hints:

  1. There is more than one vulnerability. You should combine the vulnerabilities to get the flag (check configurations, as well).
  2. A lot of functions are disabled but not all. Maybe you are able to find a useful function for your attack chain.
  3. TwigV2+ is used (I overlooked that… cost me a lot of time O_o).
  4. Use the docker instance for inspection and debugging. You will probably fail if you try a black-box approach.

Thanks for the hints…
For me the most important part was to run the docker locally. Indeed without the debugging info I would not get it.

Nice challenge.

I’ve managed to get to a point where I can create files on the server, but with all these PHP restrictions I do not know what to do. Can I DM someone for a little hint or two? Am I on the right path?

Finished the challenge. It’s pretty well designed to say the least. It required some code analysis and a bit of research in order to solve.

Hope this won't spoil anything. To get any further… here are some hints:

  • Running the docker instance locally is important for logging and debugging info. It will be more difficult if you choose to do this challenge blind.

  • Knowledge of SSTI and specially-crafted requests may be required.

  • Functions that are considered “dangerous” (at least in production environments) are disabled. However not all of them are disabled.

Previous hints from users will also prove helpful while solving this challenge.

What should I do after running a docker instance locally? I have not practiced and learned to build an environment for auditing locally, nor have I found relevant articles on the Internet. I hope you can teach me.

Thanks for the hints so far. I am able to use some interesting functions, but am stuck with the complete attack path. Any further hints are appreciated.

I’ll try to be as helpful as possible. Firstly, running the Docker instance locally essentially enables you to run the entire challenge directly on your local machine within a separate, isolated container/vm. If you’re interested in learning more about Docker, there are many resources available online for it. I use the Docker extension for Visual Studio Code, which assists with setting up, running, and managing Docker instances. The extension also allows for easy access to logs, which may include debug, error, and request information.

Once you have the docker instance running you should be able to connect to it at localhost:1337. You can then use tools such as BurpSuite, just as you would with the official Hack The Box instance. Keep in mind that flags obtained from a local Docker instance are not valid for submission. You must reproduce the steps on the official Hack The Box instance to obtain a valid flag.

Here’s a final hint for SSTI: {{7*7}}
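The `{{7*7}}` probe above is a quick way to tell whether user input is being compiled as Twig template source rather than passed in as data. As an added example (not code from the challenge or from anyone in this thread), here is the vulnerable pattern beside the safe one; it assumes Twig 2+ is installed via Composer and uses the hypothetical function names `renderUnsafe` and `renderSafe`:

```php
<?php
// Added example: Twig SSTI arises when user input is concatenated into
// the template *source*; passing it as a render variable is safe.
// Assumption: twig/twig (v2 or later) installed via Composer.
require __DIR__ . '/vendor/autoload.php';

use Twig\Environment;
use Twig\Loader\ArrayLoader;

// Constructed sample input: the {{7*7}} probe from the thread.
$userInput = '{{7*7}}';

// Empty loader is enough, since templates are built from strings below.
$twig = new Environment(new ArrayLoader([]), ['autoescape' => 'html']);

// VULNERABLE: the input becomes part of the template source, so Twig
// parses and evaluates the expression inside the braces.
function renderUnsafe(Environment $twig, string $input): string
{
    $template = $twig->createTemplate('Hello ' . $input);
    return $template->render();
}

// SAFE: the template source is a fixed string; the input is only ever
// a variable value, so the braces are printed literally and autoescaped.
function renderSafe(Environment $twig, string $input): string
{
    $template = $twig->createTemplate('Hello {{ name }}');
    return $template->render(['name' => $input]);
}

echo renderUnsafe($twig, $userInput), PHP_EOL; // arithmetic gets evaluated
echo renderSafe($twig, $userInput), PHP_EOL;   // braces survive as text
```

Running both against the same input makes the difference obvious: only the first line shows the probe evaluated, which is exactly the signal a reviewer should look for when auditing where `createTemplate()` or string-built templates receive request data.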

Don’t want to give out many hints but you are close to figuring it out. Research which functions could be bypassed to allow for arbitrary command execution.

Do not try to test everything on Mac, probably M1 problems or just something went wrong.
Spent too much time on local testing, since disable_functions did not work for me, as well as other “interesting” functions. They worked only on the remote host.

Maybe worth testing only on *nix based environments.

First of all, thank you for answering my question. For now, I only know that docker can be used to clone challenges locally, but that’s about it. I don’t know how to use it to find a leak. By looking at your tips, I know there is an SSTI injection for this challenge, but I can’t find the injection point.

I’m stuck at the same point

DM if you want a hint or two


I managed to obtain the flag without exploiting SSTI. I don’t think my solution was the intended one, but it was an enjoyable challenge.

I had some issues running locally as it kept installing PHP 8.3, bypassing the challenge configs.

Here are some changes I did that worked for me:
Change in Dockerfile from [FROM alpine:3] to [FROM php:8.2-fpm-alpine]

Change in Dockerfile (changed to php82 versions):
RUN apk add --no-cache --update coreutils gettext php82-cgi php82-fpm php82-ctype php82-curl php82-dom php82-gd \
    php82-iconv php82-json php82-intl php82-fileinfo php82-mbstring php82-opcache php82-openssl php82-pdo \
    php82-pdo_mysql php82-mysqli php82-xml php82-xsl php82-zlib php82-phar php82-tokenizer php82-session \
    php82-simplexml php82-zip php82-xmlwriter php82-sodium php82-pecl-apcu make

Changed in httpd.conf from [Action php-script /cgi-bin/php-cgi] to [Action php-script /cgi-bin/php-cgi82]