CCT2019 (TryHackMe)
Always check robots.txt, /backup, and /admin directories on both ports. Use gobuster or dirb for deeper enumeration.

Step 2: Web Exploitation – Finding the First Foothold

Navigating to port 80 reveals a chess-themed website, apparently a tribute to the "CyberChess Tournament". There are no obvious login forms, but the URL parameters hint at template usage (e.g., ?page=index).

Discovering SSTI (Server-Side Template Injection)

After testing parameters with payloads like {{7*7}}, we notice that the server returns 49. This confirms a Jinja2 (Python) template injection vulnerability.

Exploiting SSTI

We can escalate the injection to read system files. A common payload:

{{ self.__class__.__mro__[2].__subclasses__() }}

From the list of subclasses, search for file or subprocess.Popen. With careful chaining, we achieve remote code execution.

Checking sudo permissions on the box shows:

User chester may run the following commands on cct2019:
    (ALL : ALL) NOPASSWD: /usr/bin/python3 /opt/backup.py

The /opt/backup.py script contains a system backup routine. However, because we have write access to the directory, we can modify the script. When chester executes it via sudo, our malicious code runs as root.