Server-Side Attacks Example 1

Hello everyone. I have problems with the question in “SSTI Exploitation Example 1” of the Server-Side Attacks module:

Use what you learned in this section to obtain the flag which is hidden in the environment variables. Answer format: HTB{String}

I spent many hours but can’t find a flag. I think I did everything.

I am stuck as well. I was able to gain RCE from tplmap.py but still no clues.

Thanks @onthesauce. I didn’t understand the task at first.

@Mentally6, hint: there is a command in Linux where you can see everything about your environment

3 Likes

Hey, huge thanks man. It was pretty confusing to me as well cuz there is a file named environment in an adjacent directory lol.

I got the reverse shell, and the hint is to check in the environmental variables. I tried so many different ways to check the environmental variables, like

env
set
printenv

But I am not getting any good data inside the above commands.

Is there any other command to check for the environmental variables?

3 Likes

Use the cURL command to run the commands you just mentioned. For some reason, tplmap’s os shell wasn’t able to return anything for me.

3 Likes

For this one I listed the environment variables then piped to a grep to search on HTB.

2 Likes

This worked for me, thank you! I was already doing printenv by itself, but I wasn’t getting the flag. Thanks for the tip on piping a grep on HTB!

2 Likes

boobies, the flag is not in the absolute root of the system, but in the root folder of the current user

For people who have problems with tplmap:

Testing if POST parameter 'name' is injectable
Exiting: module 'collections' has no attribute 'Mapping'

Go to this URL: module 'collections' has no attribute 'Mapping' · Issue #104 · epinna/tplmap · GitHub

3 Likes

Tips in cheatsheet
hint

`curl -i -s "http:///load?q=http://internal.app.local/load?q=file:://///proc/self/environ" -o -`

check at the bottom when you use “printenv”