Writeup for Very Easy JinjaCare HTB Challenge.
Application Overview
JinjaCare is a web app for managing COVID-19 vaccination records, allowing users to view history and generate digital certificates. You’re invited to identify security vulnerabilities in the system and retrieve the hidden flag from the application.
- Check out the challenge here: https://app.hackthebox.com/challenges/JinjaCare

Exploitation
Initial Analysis & Vulnerability Identification
As the name of the challenge suggests, my first suspicion was a Server-Side Template Injection (SSTI) vulnerability, likely involving the Jinja2 template engine.
I started by exploring the application’s features. The first thing I tried was generating and downloading the vaccination certificate. The user’s “Full Name” is used to generate the PDF. I noted that a user is also able to update their full name.

I checked out the personal information page and inserted a probe payload to test whether the input is evaluated by the template engine: {{ 7 * 7 }}. The input was accepted!
After generating a new vaccination certificate, the name field rendered as 49: the SSTI payload worked!
Flag Retrieval
The challenge description tells us to retrieve the hidden flag, so I went to PayloadsAllTheThings and searched for a suitable Jinja2 payload to read files.
I assumed the file is located in the root folder (/) and named flag.txt, and tried the following:
{{ get_flashed_messages.__globals__.__builtins__.open("/flag.txt").read() }}
Inserting this as the user's full name and downloading a new PDF certificate shows the flag:

Conclusion
The challenge was a straightforward but classic example of a Server-Side Template Injection, which can result in full command execution. The application insecurely rendered user-controlled input as part of the server-side template itself instead of passing it to the template as data.
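As an added illustration (not the challenge's source code), here is the pattern that makes this bug possible next to its fix: a certificate template that concatenates the user's "Full Name" into the template source, versus one that keeps the template static and passes the name as context data, plus a small check that flags template delimiters in submitted names for logging. It needs the jinja2 package; the template text and function names are assumptions.

```python
# Added example, not code from the JinjaCare challenge. Requires: pip install jinja2
from jinja2 import Environment
from jinja2.sandbox import SandboxedEnvironment

# Assumed certificate template; the real challenge template is not shown.
CERT_TEMPLATE = "Vaccination certificate issued to: {{ full_name }}"


def render_vulnerable(full_name: str) -> str:
    """The JinjaCare-style bug: the name becomes part of the template SOURCE,
    so any {{ ... }} the user types is parsed and evaluated by Jinja2."""
    env = Environment(autoescape=True)
    source = "Vaccination certificate issued to: " + full_name
    return env.from_string(source).render()


def render_fixed(full_name: str) -> str:
    """The fix: the template is a fixed string and the name is passed as a
    context VARIABLE. Jinja2 treats it as plain data, so braces are printed,
    never evaluated. SandboxedEnvironment adds defence in depth: should a
    template ever be built from user text again, it refuses access to
    unsafe attributes such as __globals__ instead of executing them."""
    env = SandboxedEnvironment(autoescape=True)
    return env.from_string(CERT_TEMPLATE).render(full_name=full_name)


def contains_template_syntax(value: str) -> bool:
    """Detection aid for input handlers/logging: true when a submitted field
    carries Jinja2 delimiters (a probe such as {{ 7 * 7 }} on a name field
    is a strong SSTI indicator worth alerting on)."""
    return any(delim in value for delim in ("{{", "{%", "{#"))


if __name__ == "__main__":
    probe = "{{ 7 * 7 }}"  # constructed probe, same as the writeup's test
    print("vulnerable:", render_vulnerable(probe))   # ... issued to: 49
    print("fixed:     ", render_fixed(probe))        # ... issued to: {{ 7 * 7 }}
    print("flagged:   ", contains_template_syntax(probe))  # True
```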