https://blog.s4yhii.com/categories/htb/ Recent content in HTB on s4yhii's blog https://blog.s4yhii.com/%3Clink%20or%20path%20of%20image%20for%20opengraph,%20twitter-cards%3E https://blog.s4yhii.com/%3Clink%20or%20path%20of%20image%20for%20opengraph,%20twitter-cards%3E Hugo -- 0.155.3 en-us Sat, 10 Feb 2024 12:00:00 -0400 https://blog.s4yhii.com/posts/2024-02-10-web-cache-poisoning/ Sat, 10 Feb 2024 12:00:00 -0400 https://blog.s4yhii.com/posts/2024-02-10-web-cache-poisoning/ <h1 id="web-cache-poisoning">Web cache Poisoning</h1> <p>Web cache poisoning is not web cache deception, is not response splitting or request smuggling web cache deception tricking caches into storing sensitive information so the attackers can access to it. web cache poisoning is serve payloads to users via cache responses <img loading="lazy" src="https://raw.githubusercontent.com/s4yhii/s4yhii.github.io/master/assets/images/wcp/Pasted%20image%2020231126235320.png"></p> <p>Cache keys: The unique identifier that the server wont cache (refresh based on that: only host + path) <img loading="lazy" src="https://raw.githubusercontent.com/s4yhii/s4yhii.github.io/master/assets/images/wcp/Pasted%20image%2020231126235920.png"></p> <p>&ldquo;Everything that is not part of the cache key is part of the cache poisoning attack surface&rdquo;</p> https://blog.s4yhii.com/posts/2022-07-01-web-challenges-htb/ Fri, 01 Jul 2022 12:00:00 -0400 https://blog.s4yhii.com/posts/2022-07-01-web-challenges-htb/ <h1 id="templated">Templated</h1> <p><img loading="lazy" src="https://raw.githubusercontent.com/s4yhii/s4yhii.github.io/master/assets/images/htb/challenges/ch0.jpg"></p> <ul> <li>Dificulty: easy</li> <li>Description: Can you exploit this simple mistake?</li> </ul> <h2 id="solution">Solution</h2> <p>First we visit the site and see that uses jinja2, this template is susceptible to <code>SSTI attacks</code>.</p> <p><img loading="lazy" src="https://raw.githubusercontent.com/s4yhii/s4yhii.github.io/master/assets/images/htb/challenges/ch1.jpg"></p> <p>We see that the directory searched is rendered in the page with 25, so its vulnerable to SSTI.</p> <p><img loading="lazy" src="https://raw.githubusercontent.com/s4yhii/s4yhii.github.io/master/assets/images/htb/challenges/ch2.jpg"></p> <p>We use the payload that will allow us to <code>RCE</code> on the server to read the file <code>flag.txt</code>, we extract it from <a href="https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Server%20Side%20Template%20Injection/README.md#jinja2---remote-code-execution">PayloadsAllTheThings</a>.</p>