![a0c8c9832a2310bac8a4290f1ff02c55.png](a18ea5a82bd64d7a84cdd5469db80f2f.png)
![821e468cec77f785d35d6ff73ceaf9bf.png](a0fec5174b0843a8b4c7a78e86bc5c47.png)
Giving it any input sends us to a page that says:
```
Oops! Page login doesn't exist :(
```
Testing the URL, I noticed that it's getting reflected:
`/<u>memes</u>`
![5edd197f97fcbfd938c9532d4aa063b8.png](19b88e608cb8426ea815aac39ab4d3d5.png)
Using the title of the challenge as a hint, I tried **Server Side Template Injection**
`/{{7*7}}`
Kicks back
```
Oops! Page 49 doesn't exist :(
```
Going through the normal tests, I landed on `{{7*'7'}}` which kicked back `7777777` and confirms that it's **Jinja2**.
Reading: https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/Server%20Side%20Template%20Injection
Using this payload
![ffe4781473efe0332310bb9cf1c45880.png](c2337726d86b4028a7c0674ce8c1f562.png)
Grants us RCE. *`(${IFS} acts as a space character)`*
Sending the request in **BurpSuite**, we can see the contents of our current directory
![0fc154d47b0e30146515bc5c48b67fb3.png](8e54a268e25540ec9712c95c8c364313.png)
Inside the `lib/` directory we have an odd script
![0fdb63719fcb341357c4c64799e03e39.png](fadc1e05281b4073a92e96529759227b.png)
Catting it out with `.popen('cat${IFS}lib/security.py')`
![c266f0c698499fe6ce9ea0f62c110c18.png](8accb6b341784f008b22f76b6b3083e3.png)
Let's clean it up
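```Python
import base64
valid_password = 'QfsFjdz81cx8Fd1Bnbx8lczMXdfxGb0snZ0NGZ'
def check_password(password):  # function name assumed; only the body is known from the dump
    return base64.b64encode(password.encode('ascii')).decode('ascii')[::-1].lstrip('=') == valid_password
```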
Basically, it takes in a value, base64-encodes it, reverses it, and strips away any padding (`=` characters).
Knowing that, we can reverse the `valid_password` variable and add padding to it as needed to get a "valid password".
This is the quick script I used:
```Python
import base64
print(base64.b64decode('==QfsFjdz81cx8Fd1Bnbx8lczMXdfxGb0snZ0NGZ'[::-1]))
```
![b041049d829f4fe940e3fe868d335c0a.png](7f9a345fd153446583654d9bfd430a21.png)
Oh, it's the flag!
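Seen from the server side, every step above leaves a trace in the access log. The following is an added example, not part of the original writeup or the challenge's code: it percent-decodes request paths and flags the HTML reflection test, the `{{7*7}}` style arithmetic probes, and the `${IFS}` / `popen` command stage. The log lines, rule names and the non-functional `x.popen` placeholder expression are constructed for illustration.

```python
import re
from urllib.parse import unquote

# Constructed sample access-log lines (not captured from the challenge host).
SAMPLE_LOG = """\
203.0.113.5 - - [01/Jan/2024:10:00:01 +0000] "GET /login HTTP/1.1" 404 37
203.0.113.5 - - [01/Jan/2024:10:00:09 +0000] "GET /%3Cu%3Ememes%3C/u%3E HTTP/1.1" 404 48
203.0.113.5 - - [01/Jan/2024:10:00:20 +0000] "GET /%7B%7B7*7%7D%7D HTTP/1.1" 404 34
203.0.113.5 - - [01/Jan/2024:10:00:31 +0000] "GET /%7B%7B7*'7'%7D%7D HTTP/1.1" 404 39
203.0.113.5 - - [01/Jan/2024:10:01:02 +0000] "GET /%7B%7Bx.popen('cat$%7BIFS%7Dlib/security.py')%7D%7D HTTP/1.1" 404 512
198.51.100.7 - - [01/Jan/2024:10:02:00 +0000] "GET /static/app.css HTTP/1.1" 200 1024
"""

# Rule names are hypothetical; each pattern matches one stage seen in the writeup.
RULES = [
    ("html-reflection-probe", re.compile(r"<\s*/?\s*[a-zA-Z][^>]*>")),
    ("template-expression", re.compile(r"\{\{.*?\}\}|\{%.*?%\}")),
    ("template-arithmetic-probe", re.compile(r"\{\{\s*\d+\s*\*\s*'?\d+'?\s*\}\}")),
    ("shell-ifs-substitution", re.compile(r"\$\{?IFS\}?")),
    ("process-spawn-call", re.compile(r"\b(popen|system|subprocess)\b")),
]
REQUEST = re.compile(r'^(\S+) .*?"(?:GET|POST|PUT|HEAD|DELETE) (\S+) HTTP/[\d.]+" (\d{3}) (\d+)')

def decode_path(raw):
    """Percent-decode up to three times so double-encoded probes are still seen."""
    for _ in range(3):
        decoded = unquote(raw)
        if decoded == raw:
            break
        raw = decoded
    return raw

def scan(log_text):
    """Return one finding per request whose decoded path matches any rule."""
    findings = []
    for line in log_text.splitlines():
        m = REQUEST.match(line)
        if not m:
            continue
        client, raw_path, status, _size = m.groups()
        path = decode_path(raw_path)
        hits = [name for name, rx in RULES if rx.search(path)]
        if hits:
            findings.append({"client": client, "path": path, "rules": hits, "status": int(status)})
    return findings

if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f["client"], f["status"], f["rules"], f["path"])
```

Patterns like these are noisy on applications that legitimately carry braces or angle brackets in paths, so treat a hit as a lead and confirm it against the response body (for example, an error page that echoes `49` instead of the literal expression).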
---
Tags: #ctf #ssti #web