Lab: Server-side template injection in a sandboxed environment

EXPERT

This lab uses the Freemarker template engine. It is vulnerable to server-side template injection due to its poorly implemented sandbox. To solve the lab, break out of the sandbox to read the file my_password.txt from Carlos's home directory. Then submit the contents of the file.

You can log in to your own account using the following credentials:

content-manager:C0nt3ntM4n4g3r

Access the lab

Solution

Log in and edit one of the product description templates. Notice that you have access to the product object.
Load the JavaDoc for the Object class to find methods that should be available on all objects. Confirm that you can execute ${object.getClass()} using the product object.
Explore the documentation to find a sequence of method invocations that grant access to a class with a static method that lets you read a file, such as:
${product.getClass().getProtectionDomain().getCodeSource().getLocation().toURI().resolve('/home/carlos/my_password.txt').toURL().openStream().readAllBytes()?join(" ")}
Enter this payload in one of the templates and save. The output will contain the contents of the file as decimal ASCII code points.
Convert the returned bytes to ASCII.
Click the "Submit solution" button and submit this string to solve the lab.