Lab: Server-side template injection in a sandboxed environment
This lab uses the Freemarker template engine. It is vulnerable to server-side template injection due to its poorly implemented sandbox. To solve the lab, break out of the sandbox to read the file
my_password.txt from Carlos's home directory. Then submit the contents of the file.
You can access your own account with the following credentials:
Log in and edit one of the product description templates. Notice that you have access to the
Load the JavaDoc for the
Objectclass to find methods that should be available on all objects. Confirm that you can execute
Explore the documentation to find a sequence of method invocations that grant access to a class with a static method that lets you read a file, such as:
- Enter this payload in one of the templates and save. The output will contain the contents of the file as decimal ASCII code points.
- Convert the returned bytes to ASCII.
- Click the "Submit solution" button and submit this string to solve the lab.