We have access to a pretty cool web site. None of the endpoints are interesting but let's dig a little more...

Step1: Digging

We can see that we are able to change the language, of the website, then our cookie is set up to the choosen language

Step2: Yummy cookies

Ii is pretty obvious that cookies are our entry point. Let's intercept the request that update cookies and see what happens...

Okay, after playing with burp, we noticed that there is an error message speeking about thymeleaf template exeption.

After searching quickly on the net, I found this github speaking about template injection on thymeleaf.

Step3: Github is cool

On the github, there is this template injection that seems to match our case:
Let's try if we can connect back to our server

Last Step: I love shells

Now that we know that netcat is working, let's just try to spawn a reverse shell.



And we are done, flag: Aero{j4va_1s_better_th4n_engl1sh} !
We even got the first blood on the challenge !

Fun fact, I was root on the remote server due to a misconfig.