Challenge
| Link | Difficulty | Status |
|---|---|---|
| https://play.picoctf.org/practice/challenge/469?category=1&originalEvent=74&page=1 |  |  |
Note
Description
I made a cool website where you can announce whatever you want! Try it out!
Additional details will be available after launching your challenge instance.
Solution
From the title of the challenge it is quite clear that it’s Server side template injection. On launching the challenge we see a page with an input field asking what we want to announce.
Entering text (Hello world) and clicking ok shows the following page.
At the moment we have no idea on the backend technology or the templating engine being used. To figure this out I went ahead to look at the http response headers.
From the response headers it is quite clear that the sever is written in werkzeug library and in python. I looked up if it ships with a templating engine and found it uses Jinja2 under the hood. A Jinja2 template looks something like below.
{% extends "layout.html" %}
{% block title %}Details about /{{ short_id }}{% endblock %}
{% block body %}
<h2><a href="/{{ short_id }}">/{{ short_id }}</a></h2>
<dl>
<dt>Full link
<dd class=link><div>{{ link_target }}</div>
<dt>Click count:
<dd>{{ click_count }}
</dl>
{% endblock %}The content inside {{}} is inserted dynamically when processing the response. And this is going to be our point of attack. We need to see if we can insert valid python code and check if it’s executed.
I started by entering {{4*4}} into the input and hit ok. And the result is as below. The script was executed and it returns 16.
We now know that we can inject code and execute it on the server, the goal here is to some how read files on the server. To do that we need to start a process to list down the files, find the required file and start another process to read the contents of the file. One way to do it is by importing the os module in python. In order to import the os module I went on to craft the following payload trying to access the os module through globals().
globals()["__builtins__"].__import__('os').popen("ls /").read()The above payload didn’t work, a quick google search gave me an alternative to achieve the above in the scope of jinja2 and the payload now looked like below.
{{request.application.__globals__.__builtins__.__import__('os').popen('ls /').read()}}Submitting the above payload through the text input reveals the list of files on the servers root /. As we can see from the screenshot below, there is a folder called challenge and I have to run the above script again to see the contents of /challenge. This reveals a file called flag which could potentially contain out flag.
Now running our final payload to print the flag
{{request.application.__globals__.__builtins__.__import__('os').popen('cat /challenge/flag').read()}}