Exploiting SSTI - Twig
Exploit the SSTI vulnerability to obtain RCE and read the flag.
In this exercise the web application is running the Twig template engine, so let's focus on Twig-specific payloads to retrieve the flag.

Let's try to get some information with this payload:
{{ _self }}

And it's working! Now let's work on the payload.
Let's try to use the PHP built-in function system:
{{ ['id'] | filter('system') }}

As we can see, we managed to execute the id command on the web server. Now all we have to do is adjust the payload to retrieve the flag. We can use this one:
{{ ['cat ../../../flag.txt'] | filter('system') }}

And we did it!
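
From the detection side, both payloads above leave a recognizable trace in request logs. The following is an added example, not part of the original write-up: a small log scanner that flags the {{ _self }} probe and any Twig filter call naming a PHP command-execution function (a generalization of filter('system')). It assumes the input arrives in a query-string parameter of a combined-format access log; the rule names, the /index.php?name= endpoint and the sample lines are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# PHP built-ins that run OS commands (the page uses `system`; the rest are assumed extras).
EXEC_FUNCS = r"(?:system|exec|shell_exec|passthru|popen|proc_open)"

RULES = {
    # {{ _self }} style probe used to confirm the input is evaluated by Twig.
    "twig-self-probe": re.compile(r"\{\{\s*_self\b.*?\}\}", re.S),
    # {{ ... | <filter>('<exec function>') }} as in filter('system').
    "twig-filter-exec": re.compile(
        r"\{\{.*?\|\s*\w+\s*\(\s*['\"]" + EXEC_FUNCS + r"['\"]\s*\)", re.S | re.I
    ),
}
REQUEST = re.compile(r'"[A-Z]+ (\S+) HTTP/[\d.]+"')

# Constructed sample lines (documentation IP range, hypothetical endpoints).
SAMPLE_LOG = [
    '203.0.113.7 - - [01/Jan/2024:10:00:00 +0000] "GET /index.php?name=%7B%7B+_self+%7D%7D HTTP/1.1" 200 512',
    '203.0.113.7 - - [01/Jan/2024:10:00:09 +0000] "GET /index.php?name=%7B%7B%5B%27id%27%5D%7Cfilter%28%27system%27%29%7D%7D HTTP/1.1" 200 640',
    '198.51.100.4 - - [01/Jan/2024:10:01:00 +0000] "GET /index.php?name=alice HTTP/1.1" 200 498',
    '198.51.100.4 - - [01/Jan/2024:10:02:00 +0000] "GET /search?q=%7B%7B+price+%7D%7D HTTP/1.1" 200 733',
]

def scan_line(line):
    """Return [(parameter, rule_name), ...] for one access-log line."""
    match = REQUEST.search(line)
    if not match:
        return []
    hits = []
    # parse_qsl URL-decodes each value, so %7B%7B becomes {{ before matching.
    for param, value in parse_qsl(urlsplit(match.group(1)).query, keep_blank_values=True):
        for rule, pattern in RULES.items():
            if pattern.search(value):
                hits.append((param, rule))
    return hits

def scan_log(lines):
    """Map 1-based line number -> hits, skipping clean lines."""
    results = {}
    for number, line in enumerate(lines, 1):
        hits = scan_line(line)
        if hits:
            results[number] = hits
    return results

if __name__ == "__main__":
    for number, hits in scan_log(SAMPLE_LOG).items():
        print(number, hits)
```

The last sample line contains Twig delimiters but neither pattern, so it is not flagged; payloads sent in a POST body would need the same rules applied to body logging instead.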