Merge pull request #58 from squ1rrel-ctf/burgess/csaw

Burgess/csaw
squ1rrel-ctf · Sep 10, 2024 · f3ee07b · f3ee07b
2 parents 73b7e00 + b5ca96c
commit f3ee07b
Showing 1 changed file with 4 additions and 0 deletions.
diff --git a/_posts/2024-09-09-csaw-lost-pyramid.md b/_posts/2024-09-09-csaw-lost-pyramid.md
@@ -36,6 +36,8 @@ Basically, if you set `algorithms=jwt.algorithms.get_default_algorithms()` while
 
 Except... we're not done. First off, we don't know the public key. Second off, we don't know the King's Day, which we need to include in our payload. That's where SSTI comes in. SSTI stands for server-side template injection; basically, we can expose variables from the code by injecting our own code. I actually couldn't figure this out for a while until I called fellow teammate Nisala Kalupahana calmly and nicely pointed out these lines of code:
 
+{% raw %}
+
 ```python
 kings_safelist = ['{','}', '𓁹', '𓆣','𓀀', '𓀁', '𓀂', '𓀃', '𓀄', '𓀅', '𓀆', '𓀇', '𓀈', '𓀉', '𓀊', 
                     '𓀐', '𓀑', '𓀒', '𓀓', '𓀔', '𓀕', '𓀖', '𓀗', '𓀘', '𓀙', '𓀚', '𓀛', '𓀜', '𓀝', '𓀞', '𓀟',
@@ -68,6 +70,8 @@ Do you see that? `**globals()`. This passes all global variables into the contex
 
 Payload: `{{KINGSDAY}}𓁹{{PUBLICKEY}}`:
 
+{% endraw %}
+
 Result:
 ![A photo of the inside of a pyramid with the public key and the kingsday written on it.](/assets/csaw/kyleburgess2025/scarab_key.webp)
 *What a beautiful name for a baby boy.*