Super Secure Technology Infrastructure

Difficulty: Easy
Points: 146
Solves: 9

Description

Super secure technology infrastructure,
A fortress built with digital flair,
Encrypted and protected, no intrusion allowed,
Our data safe from any dare.

Poem by ChatGPT

The initials of the challenge title (Super Secure Technology Infrastructure, i.e. SSTI) tell us that this is a Server-Side Template Injection vulnerability.


Server-side template injection (SSTI) is a vulnerability that occurs when a web application builds a template dynamically from user input and then renders that template on the server. If the user input is not properly sanitized, an attacker can inject template syntax that is evaluated on the server when the template is rendered.

First, we need to identify the templating engine in use; the identification chart below helps with that.

After playing with the input, we can identify that it is running Jinja2. We can also refer to the HackTricks guide to identify the templating engine.

Referring to the Jinja2 SSTI guide (PayloadsAllTheThings), we are able to perform remote code execution and get the flag!

First, we need to identify the offset of <class 'subprocess.Popen'> in the list of object subclasses. We can find it using the payload below, which lists all the subclasses.

A very handy script to find the offset:

After finding <class 'subprocess.Popen'>, we can use it to perform RCE.
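As an added example (not code from the writeup or from the challenge itself), the following Python shows the Jinja2 usage that creates this class of bug next to the fix, and the sandboxed environment as defence in depth. It assumes jinja2 is installed; the function names and the probe strings are constructed for this illustration.

```python
# Added example, not part of the original writeup: the Jinja2 misuse that makes
# SSTI possible, shown beside the fix and beside the sandbox mitigation.
# Assumes jinja2 is installed; function names and probe strings are constructed.
from jinja2 import Environment
from jinja2.exceptions import SecurityError
from jinja2.sandbox import SandboxedEnvironment

# Constructed probe: harmless arithmetic that is only evaluated when the input
# reaches the engine as template SOURCE rather than as template DATA.
PROBE = "{{ 7 * 7 }}"


def render_vulnerable(user_input: str) -> str:
    """Bug pattern: user input is concatenated into the template source.

    The engine parses the whole string, so any {{ }} or {% %} syntax the
    user supplies is evaluated on the server. This is the flaw exploited above.
    """
    env = Environment(autoescape=True)
    template_source = "Hello " + user_input + "!"
    return env.from_string(template_source).render()


def render_fixed(user_input: str) -> str:
    """Fix: the template source is a constant; user input is passed as data.

    The value is printed verbatim (and HTML-escaped because autoescape is on),
    so template syntax inside it is never parsed.
    """
    env = Environment(autoescape=True)
    template = env.from_string("Hello {{ name }}!")
    return template.render(name=user_input)


def render_sandboxed(template_source: str) -> str:
    """Defence in depth for features where users legitimately author templates.

    SandboxedEnvironment refuses attribute access that starts with an
    underscore (for example __class__), which cuts off the object walk used
    above to reach subprocess.Popen. Depending on the jinja2 version the
    blocked access renders as an empty string or raises SecurityError; both
    outcomes are returned as a string so the caller can inspect them.
    """
    env = SandboxedEnvironment(autoescape=True)
    try:
        return env.from_string(template_source).render()
    except SecurityError as exc:
        return f"blocked: {exc}"


def probe_was_evaluated(rendered: str) -> bool:
    """Regression check for a test suite: if the probe's arithmetic result
    shows up in the output, the input was treated as template source."""
    return "49" in rendered


if __name__ == "__main__":
    print("vulnerable :", render_vulnerable(PROBE))
    print("fixed      :", render_fixed(PROBE))
    print("sandboxed  :", render_sandboxed(PROBE))
    print("sandboxed  :", repr(render_sandboxed("{{ ''.__class__ }}")))
```

The distinction that matters is source versus data: the fix works because the template text is fixed at development time and the user value only ever enters through the render context. The sandbox is not a substitute for that fix (it still evaluates the arithmetic probe, so injected syntax still runs); it only limits what an injected template can reach by refusing underscore-prefixed attributes.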

References

https://book.hacktricks.xyz/pentesting-web/ssti-server-side-template-injection

https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/Server Side Template Injection#jinja2
