Neonify

Description

It's time for a shiny new reveal for the first-ever text neonifier. Come test out our brand new website and make any text glow like a lo-fi neon tube!

URL: https://app.hackthebox.com/challenges/Neonify

Source

/challenge/app/controllers/neon.rb

class NeonControllers < Sinatra::Base

  configure do
    set :views, "app/views"
    set :public_dir, "public"
  end

  get '/' do
    @neon = "Glow With The Flow"
    erb :'index'
  end

  post '/' do
    if params[:neon] =~ /^[0-9a-z ]+$/i
      @neon = ERB.new(params[:neon]).result(binding)
    else
      @neon = "Malicious Input Detected"
    end
    erb :'index'
  end

end

Solution


The line @neon = ERB.new(params[:neon]).result(binding) compiles the user-supplied string as an Embedded Ruby (ERB) template and evaluates it on the server. The only protection in front of it is a filter that is meant to allow alphanumeric characters and spaces.

Because the input itself becomes the template, this is a classic server-side template injection (SSTI) sink. Payloads for ERB are documented here:

https://book.hacktricks.xyz/pentesting-web/ssti-server-side-template-injection#erb-ruby

The weakness is the regex condition /^[0-9a-z ]+$/i.

In Ruby, ^ and $ match at the start and end of a line, not of the whole string (the string anchors are \A and \z). The check is therefore satisfied as soon as one line of the input consists only of allowed characters. If the first line is clean and a newline follows, whatever comes after it is never checked, so the whole filter is bypassed and the second line is rendered by ERB.

Note: the first line must contain at least one allowed character so that the regex matches; because of the + quantifier, an empty first line does not satisfy the condition.
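To show the bypass and the fix side by side, here is an added Ruby example (not part of the original challenge or of this writeup). It reproduces the filter from the source above, compares it with a version anchored on \A and \z, and uses the harmless arithmetic probe <%= 7 * 7 %> as a constructed payload. The safe_render helper and its span markup are illustrative assumptions, not the challenge's own code.

```ruby
require 'erb'

# Constructed sample inputs for the demonstration (not from the challenge).
BENIGN   = "Glow With The Flow"
REJECTED = "<%= 7 * 7 %>"              # no line consists only of [0-9a-z ]
BYPASS   = "harmless\n<%= 7 * 7 %>"    # first line passes, payload follows a newline
EMPTY    = ""

# The challenge's filter, reproduced as-is. In Ruby, ^ and $ are line anchors,
# so the match succeeds as soon as any single line is made of allowed characters.
def vulnerable_check(neon)
  !!(neon =~ /^[0-9a-z ]+$/i)
end

# Hardened filter: \A and \z anchor to the start and end of the whole string,
# so a newline anywhere in the input makes the match fail.
def hardened_check(neon)
  !!(neon =~ /\A[0-9a-z ]+\z/i)
end

# Mirrors the challenge's POST handler: compile the input as an ERB template
# only if the filter passes. strict: true swaps in the hardened regex.
def render(neon, strict: false)
  ok = strict ? hardened_check(neon) : vulnerable_check(neon)
  return "Malicious Input Detected" unless ok
  ERB.new(neon).result(binding)
end

# The real fix (hypothetical helper): never compile user input as a template.
# Keep the template fixed and pass the value in as data, HTML-escaped on output.
FIXED_TEMPLATE = ERB.new('<span class="neon"><%= ERB::Util.html_escape(neon) %></span>')
def safe_render(neon)
  FIXED_TEMPLATE.result_with_hash(neon: neon)
end

if $PROGRAM_NAME == __FILE__
  [BENIGN, REJECTED, BYPASS, EMPTY].each do |input|
    puts "input: #{input.inspect}"
    puts "  vulnerable filter passes? #{vulnerable_check(input)}"
    puts "  hardened filter passes?   #{hardened_check(input)}"
    puts "  rendered (vulnerable):    #{render(input).inspect}"
    puts "  rendered (hardened):      #{render(input, strict: true).inspect}"
    puts "  rendered (fixed):         #{safe_render(input).inspect}"
  end
end
```

Running it shows BYPASS passing the original regex and rendering to "harmless\n49", while the \A/\z version rejects it. Swapping the anchors closes this particular hole, but any filter in front of ERB.new(user_input) is a losing game; keeping the template static and treating the input as data, as safe_render does, removes the SSTI sink entirely.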
