Jerrytok

Technical Walkthrough

Writeup

Challenge

• Name: Jerrytok
• Category: Web
• Difficulty: Medium
• Mode: hybrid

Summary

JerryTok is a Symfony/Twig application with server-side template injection in

the location query parameter. Direct command execution is blocked by

disable_functions, but the template can still call file_put_contents and

chmod through Twig's sort filter. The solve writes a .htaccess file that

enables CGI scripts in the public web root, writes an executable shell CGI that

calls the SUID /readflag helper, then requests that CGI endpoint to retrieve

the flag.

Artifact Inventory

• files/a12c738f-4a20-4868-a833-da74ea8fd3ac.zip: original HTB archive.
• files/extracted/web_jerrytok/challenge/src/Controller/DefaultController.php:

route/controller containing the template injection.

• files/extracted/web_jerrytok/entrypoint.sh: runtime hardening with

disabled command functions and open_basedir=/www.

• files/extracted/web_jerrytok/config/httpd.conf: Apache configuration with

AllowOverride All for /www/public.

• files/extracted/web_jerrytok/readflag.c: SUID helper that reads /root/flag.
• Remote instance: http://<TARGET>:32250.

Analysis

The vulnerable controller builds a Twig template directly from user-controlled

input:

$message = $this->container->get('twig')->createTemplate(
        "Located at: {$location} from your ship's computer"
    )
    ->render();

A harmless local request with location={{7*7}} rendered 49, recorded in

analysis/local-ssti-7x7.txt.

The obvious Twig callback approach, such as calling system, fails because

entrypoint.sh disables command execution functions. Direct file reads outside

/www also fail under the configured runtime controls. The working primitive is

to use Twig's sort filter with enabled PHP callables:

• file_put_contents writes controlled files under /www/public.
• chmod makes the written script executable.
• .htaccess enables CGI execution for .sh files in /www/public.

Local Docker validation confirmed the exact chain without storing raw flag data

in analysis:

• analysis/local-ssti-htaccess-cgi-validation.txt
• analysis/local-solver-transcript.txt
• analysis/source-audit.md

Public research was treated as advisory only and is recorded in

analysis/research-jerrytok-community-sources.md. The RAG result was generic,

not challenge-specific, and was recorded as checklist-only in

analysis/rag-records.md.

Solve

The solver is solve/solve.py. It performs four steps:

1. Send an SSTI payload that writes /www/public/.htaccess:

Options +ExecCGI and AddHandler cgi-script .sh.

1. Send an SSTI payload that writes /www/public/jerrytok.sh with a CGI header

and /readflag.

1. Send an SSTI payload that calls chmod on the shell script.
2. Request /jerrytok.sh, extract the HTB-format flag value, and write it to

the requested output file.

Remote execution was run through the harness wrapper:

python3 scripts/challenge_exec.py Web/Jerrytok -- python3 Web/Jerrytok/solve/solve.py \
  --base-url http://<TARGET>:32250 \
  --output Web/Jerrytok/analysis/flag-candidate.txt \
  --transcript Web/Jerrytok/analysis/remote-solve-transcript.txt

The candidate was captured with challenge_harness.py capture-flag, then the

temporary candidate file was removed.

Flag

Raw flag is stored in loot/flag.txt and intentionally not reproduced here.

Lessons

• Blocking only obvious command execution functions is not enough when a

template injection can still call file-writing and permission-changing

functions.

• Apache .htaccess behavior can turn a file-write primitive into execution if

overrides and CGI handlers are available.

• For Medium Web challenges, local reproduction prevents wasted remote probing:

the final remote run was a single validated write/chmod/read sequence.

Source-Backed Dossier

The sections below are merged from companion Markdown notes for the same case. They are rendered after sanitization so the article stays precise without publishing raw flags, credentials, or target-specific secrets.

Notes

Scope

• Challenge: Jerrytok
• Category: Web
• Difficulty: Medium
• Mode: hybrid
• Remote instance: none
• Start time: 2026-06-12T15:28:58Z
• Operator: harness
• State file: challenge-state.json

Harness Status

• Current phase: see challenge-state.json
• Next allowed actions: see next-action.json
• Raw flags and sensitive material stay in loot/ only. Do not paste them here.

Artifact Inventory

Evidence Ledger

Key Findings

-

RAG / Advisory Memory

RAG output is advisory only. Record evaluated retrievals with:

scripts/challenge_harness.py rag-record <workspace> --query "..." --tag MATCHED|PARTIAL|MISSING|<secret redacted>|GENERIC --validation "..."

Secrets/Flags

Raw flags and sensitive material stay in loot/ only. Use scripts/challenge_harness.py capture-flag to validate and record flag capture without printing the value.

Memory Summary

Metadata

• Platform: HackTheBox Challenges
• Category: Web
• Challenge: Jerrytok
• Difficulty: Medium
• Source workspace: <local workspace>

Validated Solve Chain

Concepts only. Do not include raw flags, reusable credentials, tokens, cookies, private keys, or live secrets.

1.

Reusable Lessons

-

Dead Ends

-

Tool Quirks

-

Evidence Paths

-

Ingestion Decision

• Proposed for LightRAG: yes/no
• Requires user approval before ingestion: yes

Hypothesis Board

Keep no more than 3 active hypotheses on Easy/Medium and 5 on Hard unless the user explicitly asks for breadth.

Closed Branches