![a0c8c9832a2310bac8a4290f1ff02c55.png](a18ea5a82bd64d7a84cdd5469db80f2f.png)
![821e468cec77f785d35d6ff73ceaf9bf.png](a0fec5174b0843a8b4c7a78e86bc5c47.png)

Giving it any input sends us to a page that says

```
Oops! Page login doesn't exist :(
```

Testing the URL, I noticed that the path segment is reflected back in the error message (`/memes` complains about page `memes`).

![5edd197f97fcbfd938c9532d4aa063b8.png](19b88e608cb8426ea815aac39ab4d3d5.png)

Using the title of the challenge as a hint, I tried **Server Side Template Injection**. `/{{7*7}}` kicks back

```
Oops! Page 49 doesn't exist :(
```

so the path is being evaluated as template code rather than reflected as plain text. Going through the normal tests, I landed on `{{7*'7'}}`, which kicked back `7777777` and confirms that it's **Jinja2** (a PHP engine such as Twig would cast the string and return `49` instead).

Reading: https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/Server%20Side%20Template%20Injection

Using this payload

![ffe4781473efe0332310bb9cf1c45880.png](c2337726d86b4028a7c0674ce8c1f562.png)

grants us RCE. *(`${IFS}` acts as a space character: `/bin/sh` expands it to its field-separator characters and then word-splits on them, so the command needs no literal space.)*

Sending the request in **BurpSuite**, we can see the contents of our current directory

![0fc154d47b0e30146515bc5c48b67fb3.png](8e54a268e25540ec9712c95c8c364313.png)

Inside the `lib/` directory we have an odd script

![0fdb63719fcb341357c4c64799e03e39.png](fadc1e05281b4073a92e96529759227b.png)

Catting it out with `.popen('cat${IFS}lib/security.py')`

![c266f0c698499fe6ce9ea0f62c110c18.png](8accb6b341784f008b22f76b6b3083e3.png)

Let's clean it up. The screenshot shows the body of the check; wrapping it in a function (the name `check_password` is mine) makes it runnable:

```Python
import base64

valid_password = 'QfsFjdz81cx8Fd1Bnbx8lczMXdfxGb0snZ0NGZ'

def check_password(password):
    # base64-encode the submitted value, reverse it, drop the '=' padding that now sits at the front
    return base64.b64encode(password.encode('ascii')).decode('ascii')[::-1].lstrip('=') == valid_password
```

Basically it's going to take in a value, base64-encode it, reverse it and strip away any padding (`=` characters). Nothing in that chain is one-way, so knowing it we can reverse the `valid_password` constant and add the padding back as needed to get a "valid password". The constant is 38 characters long, so two `=` were stripped to leave a multiple of four.

This is the quick script I used:

```Python
import base64

# put the two stripped '=' back (they end up at the front of the reversed string),
# then reverse and decode
print(base64.b64decode('==QfsFjdz81cx8Fd1Bnbx8lczMXdfxGb0snZ0NGZ'[::-1]))
```

![b041049d829f4fe940e3fe868d335c0a.png](7f9a345fd153446583654d9bfd430a21.png)

Oh, it's the flag!

---
Back to [[_WebSite Publish/CTF/CTF Index|CTF Index]]

Tags: #ctf #ssti #web
Related:
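The `${IFS}` trick used in the `.popen('cat${IFS}lib/security.py')` payload only works because of where the string ends up. The following is an added example (my code, not part of the original writeup or the challenge): it rewrites a command so it contains no literal space, runs it the same way the payload does (`os.popen` hands the string to `/bin/sh -c`, which expands `${IFS}` and word-splits on it), and shows the failure mode where the word is double-quoted, so the shell expands `${IFS}` but no longer splits. The `security.py` contents, the temp-file path and the helper names (`space_free`, `run_via_popen`, `demo`) are constructed for the demo.

```python
import os
import subprocess
import tempfile

# Constructed stand-in for the target's lib/security.py (not the real file).
SAMPLE_SOURCE = "valid_password = 'QfsFjdz81cx8Fd1Bnbx8lczMXdfxGb0snZ0NGZ'\n"


def space_free(cmd: str) -> str:
    """Rewrite a shell command so it contains no literal space.

    Every space becomes ${IFS}. /bin/sh expands that to its default
    internal field separator (space, tab, newline) and then splits the
    unquoted word on those characters, so the resulting argv is the same
    as for the original command.
    """
    return cmd.replace(" ", "${IFS}")


def run_via_popen(cmd: str) -> str:
    """Run a command the way the Jinja2 payload does: os.popen passes the
    string to /bin/sh -c, which is where ${IFS} gets expanded."""
    with os.popen(cmd) as proc:
        return proc.read()


def demo() -> dict:
    """Show that cat${IFS}<path> reads a file exactly like 'cat <path>',
    and that the same word inside double quotes is not split and so fails."""
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "security.py")
        with open(path, "w") as fh:
            fh.write(SAMPLE_SOURCE)

        plain = f"cat {path}"
        encoded = space_free(plain)  # cat${IFS}/tmp/.../security.py
        assert " " not in encoded

        # Double-quoted: ${IFS} is still expanded, but no field splitting
        # happens, so sh looks for a command literally named
        # 'cat<space><tab><newline>/tmp/.../security.py' and exits 127.
        quoted = subprocess.run(
            ["sh", "-c", f'"{encoded}"'], capture_output=True, text=True
        )

        return {
            "payload": encoded,
            "plain_output": run_via_popen(plain),
            "ifs_output": run_via_popen(encoded),
            "quoted_rc": quoted.returncode,
        }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value!r}")
```

Run it as a script to see the two outputs match. Two caveats follow from how it works: the trick depends on the target's shell still having the default `IFS`, and the substituted word must reach the shell unquoted, which is the case for the Jinja2 payload because the quotes around `'cat${IFS}lib/security.py'` are Python string quotes consumed before `os.popen` ever runs.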
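Generalising the quick script: the check is a reversible encoding, not a hash, so the "valid password" can be recovered from the stored constant by undoing each step in reverse order. The added example below (mine, not the challenge author's code) re-implements the check, computes how many `=` the `lstrip` removed from the string length instead of hard-coding `==`, rejects the one length that base64 can never produce, and verifies that the recovered value passes the check. `encode_for_check`, `restore_padding` and `recover_password` are names I chose; the constant is the one from the writeup.

```python
import base64

# Stored value from the target's lib/security.py, as shown in the writeup.
VALID_PASSWORD = 'QfsFjdz81cx8Fd1Bnbx8lczMXdfxGb0snZ0NGZ'


def encode_for_check(password: str) -> str:
    """The transform the server applies before comparing: base64-encode,
    reverse, then strip the '=' padding that the reversal moved to the front."""
    encoded = base64.b64encode(password.encode("ascii")).decode("ascii")
    return encoded[::-1].lstrip("=")


def check_password(password: str, stored: str = VALID_PASSWORD) -> bool:
    """The server-side check as recovered from the script."""
    return encode_for_check(password) == stored


def restore_padding(unpadded: str) -> str:
    """Re-add the '=' padding that lstrip removed.

    Base64 output is always a multiple of four characters with at most two
    trailing '='. A length of 1 mod 4 therefore cannot come from this
    transform and is rejected instead of being guessed at.
    """
    missing = (-len(unpadded)) % 4
    if missing == 3:
        raise ValueError("length is not a valid unpadded base64 length")
    return unpadded + "=" * missing


def recover_password(stored: str = VALID_PASSWORD) -> str:
    """Invert the check: undo the reversal, restore padding, base64-decode."""
    padded = restore_padding(stored[::-1])
    return base64.b64decode(padded, validate=True).decode("ascii")


if __name__ == "__main__":
    pw = recover_password()
    print(pw)
    print("passes check:", check_password(pw))
```

Running it prints the same value the screenshot shows and confirms it satisfies the check. The round trip holds for any input length (zero, one or two stripped `=`), which is the real lesson of `security.py`: comparing a reversible encoding of the password against a constant leaks the password to anyone who can read the constant, whereas a salted hash would not.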