ContentForge

hackadvisor

Task: ContentForge headless CMS with editable email templates using lodash template engine, server-side rendered via preview API. Solution: Bypass input filter (which blocks require/execSync but not process.env) by injecting <%= JSON.stringify(process.env) %> to dump environment variables containing the flag.

environment_variables ssti nodejs nginx express lodash template_injection honeypot_flag email_platform process_env

decoy_flag_recognitionprocess_env_disclosurelodash_template_sstiinput_filter_bypass

$ ls tags/ techniques/

environment_variables ssti nodejs nginx express lodash template_injection honeypot_flag email_platform process_env

decoy_flag_recognitionprocess_env_disclosurelodash_template_sstiinput_filter_bypass

Analysis

Lorem ipsum dolor sit amet, consectetur adipiscing elit. Sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam, quis nostrud exercitation ullamco laboris nisi ut aliquip ex ea commodo consequat.

$ python3 exploit.py --target 192.168.1.1 --port 8080
[*] Connecting to target...
[+] Shell obtained!

Excepteur sint occaecat cupidatat non proident, sunt in culpa qui officia deserunt mollit anim id est laborum.

Permission denied (requires tier.pro)

Sign in to access full writeups

$sign in

$ grep --similar

Similar writeups

[web][Pro]Lab 133 — MailForge — SSTI via Handlebars Template Preview— hackadvisor
[web][Pro]SendForge— hackadvisor
[web][Pro]Lab 134 — DocForge — FreeMarker SSTI Sandbox Escape via ?api Built-in— hackadvisor
[web][Pro]PageCraft — SSTI via Twig Template Engine in Post Content— hackadvisor
[web][Pro]PageForge— hackadvisor