Category: Web Difficulty: Medium Author: donfran
Us robot devs use better templates than those stupid humans! https://chal.duc.tf:30106
The application has a forum with a few posts written by robots; they contain helpful information that leads the user to the admin's credentials.
Chaining multiple vulnerabilities (detailed in the writeup section) eventually leads to server-side template injection, which exposes a function that reads the fl4g.txt file.
- Create an account using the register function.
- Read the two blog posts provided.
- Check the page source of both blog posts and notice the tags that contain binary numbers.
- Convert the binary to ASCII (UTF-8) to get more information: the flag file is fl4g.txt and there is a path called /humen.txt.
- Go to /humen.txt and find 3 new paths.
- Download the bender.jpeg image from /Bender and use exiftool to view its metadata.
- Notice that the "Artist" field holds a base58-encoded string, which is the real admin credential.
- Log in as the admin.
- We are taken to admin.php, which has an input field that "repeats" whatever we type back to us.
- Try {{ 7*7 }} and we get 49, which means we have server-side template injection in Jinja2.
- Dump the Flask config with {{ config.items() }}.
- In the config items, notice that the secret key hints at a function we can use.
- Type {{ getFile("/fl4g.txt") }} to get the flag.
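The two decoding steps above (binary hidden in the page tags, base58 in the image's Artist field) as an added standard-library example; this is not code from the original writeup, and the sample binary and the "hello" vector are constructed here rather than taken from the challenge.

```python
# Added example (not from the original writeup): the two decoding steps of the
# walkthrough, binary groups -> UTF-8 text and base58 (Bitcoin alphabet) -> bytes,
# implemented with the standard library only. Sample inputs are constructed.
import re

BASE58_ALPHABET = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"


def binary_to_text(blob: str) -> str:
    """Decode a run of 8-bit binary groups (whitespace optional) as UTF-8."""
    bits = re.sub(r"[^01]", "", blob)
    if len(bits) % 8:
        raise ValueError("bit string length is not a multiple of 8")
    data = bytes(int(bits[i:i + 8], 2) for i in range(0, len(bits), 8))
    return data.decode("utf-8")


def base58_decode(text: str) -> bytes:
    """Decode base58; each leading '1' stands for one leading zero byte."""
    num = 0
    for ch in text:
        idx = BASE58_ALPHABET.find(ch)
        if idx < 0:  # 0, O, I and l are not in the alphabet
            raise ValueError(f"invalid base58 character {ch!r}")
        num = num * 58 + idx
    body = num.to_bytes((num.bit_length() + 7) // 8, "big") if num else b""
    pad = len(text) - len(text.lstrip("1"))
    return b"\x00" * pad + body


def base58_encode(data: bytes) -> str:
    """Encode bytes as base58 (used here to build round-trip test vectors)."""
    pad = len(data) - len(data.lstrip(b"\x00"))
    num = int.from_bytes(data, "big")
    out = ""
    while num:
        num, rem = divmod(num, 58)
        out = BASE58_ALPHABET[rem] + out
    return "1" * pad + out


# Constructed sample: the kind of binary a page tag might hide.
SAMPLE_BINARY = "01100110 01101100 00110100 01100111 00101110 01110100 01111000 01110100"

if __name__ == "__main__":
    print(binary_to_text(SAMPLE_BINARY))   # fl4g.txt
    print(base58_decode("Cn8eVZg"))        # b'hello'
```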
Running docker-compose up should be enough to build the challenge and deploy it on port 5000.
All models have been built locally and pushed. The models are very small, so this is not an issue. If the models need to be rebuilt, this can be done with ./build.sh.