Try Hack Me: Templates

Ryan Yager
Mar 24, 2023


Templates is rated as a medium-level box; however, it is on the easier side. Diving into it with a rustscan / nmap scan, we see the following ports are open:

Trying port 5000 as HTTP, we see that it renders Pug code to HTML. Looking at HackTricks, we are able to find Pug SSTI:

The HackTricks page: https://book.hacktricks.xyz/pentesting-web/ssti-server-side-template-injection
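An added example (not from the original post or the room's application) of why accepting template source from the user is the root cause here, next to the hardened pattern. `renderTemplate` is a simplified stand-in that evaluates `#{expr}` as JavaScript the way Pug interpolation does; it is not Pug, and every function name plus the `#{7*7}` probe string is constructed for illustration.

```javascript
// Stand-in engine (an assumption, NOT Pug itself): like Pug, it compiles
// `#{expr}` found in the template SOURCE into JavaScript and runs it at render time.
function renderTemplate(source, locals = {}) {
  const names = Object.keys(locals);
  const values = Object.values(locals);
  return source.replace(/#\{([^}]*)\}/g, (_, expr) => {
    const fn = new Function(...names, `return (${expr});`);
    return escapeHtml(String(fn(...values)));
  });
}

// HTML-escape interpolated values, as template engines do for escaped output.
function escapeHtml(text) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return text.replace(/[&<>"']/g, (c) => map[c]);
}

// Vulnerable pattern: the request body becomes part of the template source,
// so any expression the user writes is compiled and executed on the server.
function renderVulnerable(userInput) {
  return renderTemplate(`<p>${userInput}</p>`);
}

// Hardened pattern: the template source is fixed by the developer and the
// user input is only ever passed in as a data value (a "local").
const FIXED_TEMPLATE = '<p>#{message}</p>';
function renderHardened(userInput) {
  return renderTemplate(FIXED_TEMPLATE, { message: userInput });
}

// Regression check for a render path: a harmless arithmetic probe must come
// back as literal text, never as its computed result.
function evaluatesUserExpressions(render) {
  return render('#{7*7}').includes('49');
}

console.log(renderVulnerable('#{7*7}')); // input was evaluated as code
console.log(renderHardened('#{7*7}'));   // input stayed inert text
```

If users genuinely need to author markup, the same rule applies: give them a logic-less format and keep the code-capable template source out of their reach.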

Continuing on, let's first see if it is susceptible to SSTI:

That is a good sign for us and a bad sign for them. Let's make a file called s.sh and put a bash reverse shell in it. From there we can curl that file on the web server and then run it with bash on the web server, thus allowing for a reverse shell:

Now start up our web server and listener:

Utilizing the following payload from HackTricks, we can get the reverse shell:

Written by Ryan Yager

Known on Twitch and YouTube as OvergrownCarrot1 or OGC
