Exploring a Flask App with SSTI [HackTheBox Sandworm]
In the Sandworm box from HackTheBox, the foothold involves exploiting a server-side template injection (SSTI) vulnerability in a Python Flask application. In this video, I'll come back with my root shell, look at how the application is set up, and show why it is vulnerable to SSTI.

HackTheBox Sandworm: https://www.hackthebox.com/machines/sandworm
Sandworm Blog Post: https://0xdf.gitlab.io/2023/11/18/htb-sandworm.html
Flask factories: https://flask.palletsprojects.com/en/2.3.x/patterns/appfactories/
python-gnupg: https://gnupg.readthedocs.io/en/latest/
☕ Buy Me A Coffee: https://www.buymeacoffee.com/0xdf

[00:00] Introduction
[01:17] Overview of webpage
[02:15] Demonstrate SSTI
[02:52] Looking at Firejail / Flask service
[03:50] Flask run
[04:50] App Factories
[06:15] __init__.py
[07:00] app.py overview
[08:28] Route with POST
[09:14] Verify routes
[11:14] Flask hello world
[12:09] Adding user input
[13:06] Use template
[14:45] SSTI payload fail
[15:09] Switch to render_template_string
[16:05] Fixing typo
[16:24] Successful exploitation
[17:20] Conclusion

#pentest #ctf #bugbounty #python #ssti
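The chapters from "Flask hello world" through "Switch to render_template_string" contrast two ways of getting user input into a Jinja template. The following is an added example, not code from the video or from the Sandworm box: a minimal Flask app (route names and the greeting template are made up here) with the injectable pattern beside the fixed one, plus a helper that renders the same input through both so the difference can be checked without starting a server.

```python
# Added example (not from the video or the Sandworm box): a minimal Flask app
# showing the two render_template_string patterns the video contrasts.
from flask import Flask, render_template_string, request

app = Flask(__name__)

# Template source used by the safe route; user input only ever arrives as
# a context variable, never as part of this string.
GREETING = "<h1>Hello, {{ name }}!</h1>"


def render_vulnerable(name: str) -> str:
    # The template source is built from user input, so any Jinja syntax in
    # `name` is compiled and executed by the engine: this is the SSTI pattern.
    return render_template_string("<h1>Hello, " + name + "!</h1>")


def render_safe(name: str) -> str:
    # The template source is a constant; the input is passed as a variable,
    # so Jinja treats it as data and autoescapes it as HTML.
    return render_template_string(GREETING, name=name)


@app.route("/vulnerable")
def vulnerable():
    return render_vulnerable(request.args.get("name", "world"))


@app.route("/safe")
def safe():
    return render_safe(request.args.get("name", "world"))


def demo(name: str = "{{ 7 * 7 }}") -> dict:
    # Renders one input through both handlers inside an app context, which is
    # all render_template_string needs, so the routes can be tested offline.
    with app.app_context():
        return {"vulnerable": render_vulnerable(name), "safe": render_safe(name)}


if __name__ == "__main__":
    # Constructed probe: the classic arithmetic check for template evaluation.
    for label, html in demo().items():
        print(f"{label}: {html}")
```

Running the module prints `49` in the vulnerable output and the literal braces in the safe one; the same pair of renders is a cheap regression test to keep in the suite after the fix.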