From b6fcedf4f5a2f8f97e62aed82b9ce3d8b17ad149 Mon Sep 17 00:00:00 2001 From: kyleburgess Date: Mon, 9 Sep 2024 23:31:18 -0500 Subject: [PATCH] Needed to add %raw% --- _posts/2024-09-09-csaw-lost-pyramid.md | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/_posts/2024-09-09-csaw-lost-pyramid.md b/_posts/2024-09-09-csaw-lost-pyramid.md index d26b36a..bcd6fb5 100644 --- a/_posts/2024-09-09-csaw-lost-pyramid.md +++ b/_posts/2024-09-09-csaw-lost-pyramid.md @@ -36,6 +36,8 @@ Basically, if you set `algorithms=jwt.algorithms.get_default_algorithms()` while Except... we're not done. First off, we don't know the public key. Second off, we don't know the King's Day, which we need to include in our payload. That's where SSTI comes in. SSTI stands for server-side template injection; basically, we can expose variables from the code by injecting our own code. I actually couldn't figure this out for a while until I called fellow teammate Nisala Kalupahana calmly and nicely pointed out these lines of code: +{% raw %} + ```python kings_safelist = ['{','}', '𓁹', '𓆣','𓀀', '𓀁', '𓀂', '𓀃', '𓀄', '𓀅', '𓀆', '𓀇', '𓀈', '𓀉', '𓀊', '𓀐', '𓀑', '𓀒', '𓀓', '𓀔', '𓀕', '𓀖', '𓀗', '𓀘', '𓀙', '𓀚', '𓀛', '𓀜', '𓀝', '𓀞', '𓀟', @@ -68,6 +70,8 @@ Do you see that? `**globals()`. This passes all global variables into the contex Payload: `{{KINGSDAY}}𓁹{{PUBLICKEY}}`: +{% endraw %} + Result: ![A photo of the inside of a pyramid with the public key and the kingsday written on it.](/assets/csaw/kyleburgess2025/scarab_key.png) *What a beautiful name for a baby boy.*
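Review bot: in the first hunk the opening `{% raw %}` is placed before the `kings_safelist` code fence, but nothing visible in that hunk's context needs it: the `'{','}'` entries in the safelist are single braces, which Liquid does not interpret, and the first `{{...}}` sequence that would actually break the Jekyll build is the inline payload in the second hunk. If the code block further down contains `{{` or `{%` sequences, say so in the commit message (currently just "Needed to add %raw%") so a later reader does not remove the tag as dead markup; also keep the blank line between `{% raw %}` and the fence, since the tag must sit on its own line for Liquid to strip it cleanly.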
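Review bot: in the second hunk the closing `{% endraw %}` goes after the `Payload: \`{{KINGSDAY}}𓁹{{PUBLICKEY}}\`:` line, which correctly keeps that literal out of Liquid, but the raw region now runs from line 38 to line 73 and swallows about thirty lines of ordinary prose between the two hunks; any Liquid tag added inside that span later (an include, a site variable) will be rendered as literal text with no error. Prefer a tight `{% raw %}` / `{% endraw %}` pair around the python fence and a second pair around the inline payload, and confirm the `![...]` image line that follows the closing tag still renders.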