CyberSharpe
24 days ago
Solved

Pen Test CTFs: Jinja2 Exploitation

Good morning Team, 

This one has my head spinning and I feel like I'm tickling the method but not quite pulling it off.

"Jinja2 is a templating engine for Python. It's often used with Flask web applications all over the internet. Templating engines are often vulnerable to Server-Side Template Injection (SSTI), which allows an attacker to inject a template directive as user input that could result in the execution of arbitrary code on the server.

This system has a template injection vulnerability in the registration flow. If you try to create an account with a duplicate email address, the email address is passed into the template rendering engine.

This email address can contain template syntax, allowing arbitrary code execution.

To make things more complicated, the injected value can't be longer than a certain length and must match the expected format of an email address."

I have to read the file within /data/token.txt but the strict syntax is keeping me at bay. Could anyone offer some direction for this, please?
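The lab description above boils down to one coding mistake: the duplicate-email message is built by splicing user input into the template *source* instead of passing it to the template as a variable. The following is an added example (not the lab's code and not Cisco's) that models that registration error path with plain Jinja2, shows the corrected version beside it, and includes the regression check a code reviewer would keep so the bug cannot silently return. The function names, the email regex, the 40-character limit and the probe string are all constructed assumptions.

```python
"""Vulnerable vs. fixed rendering of a 'duplicate email' error in Jinja2.

Added example modelling the lab's registration flow; every name here
(render_error_vulnerable, render_error_fixed, looks_like_email, PROBE)
is an assumption, not code from the lab.
"""
import re

from jinja2 import Environment

# Autoescaping stops HTML injection but does nothing against SSTI:
# the problem is *where* the input lands, not how it is escaped.
env = Environment(autoescape=True)


def render_error_vulnerable(email: str) -> str:
    """Bug: the user's input becomes part of the template source text,
    so any {{ ... }} or {% ... %} inside it is parsed and executed."""
    template_src = "Error: an account for " + email + " already exists."
    return env.from_string(template_src).render()


def render_error_fixed(email: str) -> str:
    """Fix: the template source is a constant string; the input is
    supplied as a render variable and is only ever treated as data."""
    template = env.from_string(
        "Error: an account for {{ email }} already exists."
    )
    return template.render(email=email)


# Constructed stand-in for the lab's format and length constraints.
EMAIL_RE = re.compile(r"^[^@\s]{1,64}@[^@\s]+\.[a-zA-Z]{2,}$")


def looks_like_email(value: str, max_len: int = 40) -> bool:
    """Input validation as the lab describes it: short and email-shaped."""
    return len(value) <= max_len and EMAIL_RE.fullmatch(value) is not None


# Constructed probe: harmless arithmetic that is still a valid-looking
# email, demonstrating that format checks alone do not close the hole.
PROBE = "{{7*7}}@x.io"


def template_evaluates_input(render_fn) -> bool:
    """Regression check for the fix: True if the renderer executed the
    braces in PROBE instead of echoing them back verbatim."""
    return "{{7*7}}" not in render_fn(PROBE)


if __name__ == "__main__":
    print("probe passes validation:", looks_like_email(PROBE))
    print("vulnerable:", render_error_vulnerable(PROBE))
    print("fixed:     ", render_error_fixed(PROBE))
    print("vulnerable evaluates input:",
          template_evaluates_input(render_error_vulnerable))
    print("fixed evaluates input:     ",
          template_evaluates_input(render_error_fixed))
```

The point of `looks_like_email` is that the length cap and email-format rule the lab mentions are hurdles, not a mitigation: the probe satisfies both and is still evaluated by the vulnerable path. The only real fix is the one in `render_error_fixed`, keeping user data out of the template source (in Flask terms, never building the string handed to `render_template_string` from request data). Jinja2's `SandboxedEnvironment` is worth enabling as defence in depth, but it restricts attribute access rather than stopping template syntax in the input from being evaluated, so it does not replace the fix.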

  • Team,

    Thank you for reaching out in some manner. The lab is surprisingly straightforward... once you understand the vulnerability. Over the past week, this has been my sole focus and what I have learnt is so valuable.

    With regards to the CTF itself, the questions truly lead you to the answer. I had most of the answers but I had to work out how to use them and for that, I had to understand them. I spent so long punished by the limited characters and adding the 'space' that I didn't even think of using the answer to 'module.function'.

    Then it clicked. 

    What could have been a 20-minute adventure has led to some serious research and a real sense of achievement.

    I can't say the answers were solutions but certainly honorable suggestions:

    Netcat's:

    Most likely the answer lies in question 8: "What Python module and function allows you to access arguments in the query string?"

    Steven's:

    Learn how you can access the config register.

    Config, Strings, Objects and Variables for the win.
