Lab 213 — PingCraft — SSTI via Template Preview Rendering

hackadvisor

Task: Express.js notification platform with template preview endpoint using JavaScript Function constructor for server-side template literal evaluation. Solution: SSTI via ${} expressions in POST /api/templates/preview, escalated to process.env disclosure via ${JSON.stringify(process.env)} to extract FLAG from environment variables.

environment_variables ssti nodejs javascript express template_injection decoy_flag function_constructor notification_platform template_literals process_env

decoy_flag_recognitionprocess_env_disclosuressti_js_template_literals

$ ls tags/ techniques/

environment_variables ssti nodejs javascript express template_injection decoy_flag function_constructor notification_platform template_literals process_env

decoy_flag_recognitionprocess_env_disclosuressti_js_template_literals

Analysis

Lorem ipsum dolor sit amet, consectetur adipiscing elit. Sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam, quis nostrud exercitation ullamco laboris nisi ut aliquip ex ea commodo consequat.

$ python3 exploit.py --target 192.168.1.1 --port 8080
[*] Connecting to target...
[+] Shell obtained!

Excepteur sint occaecat cupidatat non proident, sunt in culpa qui officia deserunt mollit anim id est laborum.

Permission denied (requires tier.pro)

Sign in to access full writeups

$sign in

$ grep --similar

Similar writeups

[web][Pro]Lab 237 — MailCraft — SSTI in Email Template Preview— hackadvisor
[web][Pro]Lab 133 — MailForge — SSTI via Handlebars Template Preview— hackadvisor
[web][Pro]Lab 236 — PulseAlert — Blind SSTI via Notification Template Engine— hackadvisor
[web][Pro]Lab 247 — PulseGuard — SSTI in Webhook Notification Templates— hackadvisor
[web][Pro]MailPilot — SSTI in Template Preview— hackadvisor