I made a cool website where you can announce whatever you want! Try it out! I heard templating is a cool and modular way to build web apps! Check out my website here!
🎯 Challenge Files & Infrastructure
Provided Files
1
Files:None
🔍 Initial Analysis
First Steps
Initially, the website appears as follows:
Site Presentation
As the title suggests, it is most likely a SSTI (Server Side Template Injection), so I immediately decided to try with Jinja2, since it is the most common, by injecting {{ 7*7 }}:
First Injection
As we can see, the template is rendered, and we have an SSTI. Let’s proceed to the exploitation phase.
🔬 Vulnerability Analysis
Potential Vulnerabilities
STTI (Server Side Template Injection)
🎯 Solution Path
Exploitation Steps
Initial setup
Now we just need to find the object chain to reach os or subprocess. I tried some standard ones from HackTricks. Let’s move on to the exploitation phase.
Exploitation
By testing a couple of payloads, I found one that worked in this case and did not generate an Internal Server Error: {{config.__class__.__init__.__globals__['os'].popen('ls').read()}}. When I sent it through the inputbox, I successfully executed the ls command:
ls Execution
As we can see, there is a flag file. So, I modified the payload to: {{config.__class__.__init__.__globals__['os'].popen('cat flag').read()}} to execute cat flag. After sending it, I successfully retrieved the flag.
Flag capture
Manual Flag
🛠️ Exploitation Process
Approach
The automatic exploit performs the same steps as the manual exploit, sending the SSTI payload with a POST request and extracting the flag from the response using a regex.
