webmedium

JerryTok

hackthebox

Task: Symfony 7.0 PHP app with Twig SSTI via createTemplate(), but exec functions disabled and open_basedir=/www. Solution: Use Twig map filter to call file_put_contents, write .htaccess enabling CGI + shell script calling SUID /readflag, bypassing all PHP restrictions.

$ ls tags/ techniques/

php ssti apache suid cgi twig symfony htaccess disable_functions open_basedir

twig_ssti_createtemplatemap_filter_callbackfile_put_contents_via_twightaccess_cgi_executiondisable_functions_bypass_via_cgiopen_basedir_bypass_via_cgi

Analysis

Lorem ipsum dolor sit amet, consectetur adipiscing elit. Sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam, quis nostrud exercitation ullamco laboris nisi ut aliquip ex ea commodo consequat.

$ python3 exploit.py --target 192.168.1.1 --port 8080
[*] Connecting to target...
[+] Shell obtained!

Excepteur sint occaecat cupidatat non proident, sunt in culpa qui officia deserunt mollit anim id est laborum.

🔒

Permission denied (requires tier.pro)

Sign in to access full writeups

Create a free account with GitHub to get started.

$ssh [email protected]