There is a vulnerability in the "new chat" feature.
@app.route("/new_chat/", methods=['POST'])@require_authorizationdefnew_chat(current_user): phone =str(request.form.get('phone')) message =str(request.form.get('message')) recaptchaResponse =str(request.form.get('g-recaptcha-response')) r = requests.post('https://www.google.com/recaptcha/api/siteverify', data={'secret': '6LcFLRccAAAAAJGO9V52-YxMiXkrKLmT4GBp9Ysf','response': recaptchaResponse,'remoteip': '127.0.0.1', }) a = request.form j = r.json()if'success'in j and j['success']:ifnot phone.startswith('+1337')andnot phone.startswith('1337'):# sms message result = sms.send_sms(number='+' + re.sub("[^0-9]", "", phone), message=message, login=current_user.login, vulnfunc=db.User().add_money_to_login)
if result: db.Message().send_sms(current_user, phone, message)else:# chat private message db.Message().send_private(current_user, phone, message)returnredirect('/private/')
When sending an SMS to a number that does not begin with +1337 or 1337, the send_sms function in sms.py is called, with the keyword argument vulnfunc=db.User().add_money_to_login.
In the send_sms function, Flask's render_template_string function is used to generate the SMS message.
The resulting template is user-controllable, since login is our username.
'Hello from '+ login +':\n{{ message }}'
We can then exploit Server-Side Template Injection (SSTI). Since the add_money_to_login function is added to the template context, we can manipulate the login variable to invoke this function. We essentially need two accounts, with one of the usernames being:
{{add_money_to_login(USERNAME, AMOUNT_OF_MONEY)}}
Then, when sending an SMS message, the following is called:
render_template_string('Hello from {{ add_money_to_login(USERNAME, AMOUNT_OF_MONEY) }}:\n{{ message }}', message=message, add_money_to_login=vulnfunc)
When rendering the template, the add_money_to_login function is called, adding money to our other account.
Now that we have sufficient money, we can buy the flag!