Forum Discussion
Pen Test CTFs: Jinja2 Exploitation
Good morning Team,
This one has my head spinning and I feel like I'm tickling the method but not quite pulling it off.
"Jinja2 is a templating engine for Python. It's often used with Flask web applications all over the internet. Templating engines are often vulnerable to Server-Side Template Injection (SSTI), which allows an attacker to inject a template directive as user input that could result in the execution of arbitrary code on the server.
This system has a template injection vulnerability in the registration flow. If you try to create an account with a duplicate email address, the email address is passed into the template rendering engine.
This email address can contain template syntax, allowing arbitrary code execution.
To make things more complicated, the injected value can't be longer than a certain length and must match the expected format of an email address."
I have to read the file within /data/token.txt but the strict syntax is keeping me at bay. Could anyone offer some direction for this, please?
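As an added illustration of the bug the lab description above refers to (this is not code from the lab, the thread or the original page), here is the vulnerable registration pattern beside a fixed version. It drives Jinja2 directly rather than through Flask; the `FakeRequest` class is a stand-in for Flask's `request` object, and the email regex, the 50-character limit and the sample addresses are constructed assumptions, not the lab's real values.

```python
import re
from dataclasses import dataclass, field

from jinja2 import Environment


# Stand-in for Flask's `request`, which Flask exposes in every template's
# context (constructed for this example; Flask's real object has much more).
@dataclass
class FakeRequest:
    args: dict = field(default_factory=dict)  # parsed query string


# Assumed lab-style input constraints; the real lab's regex and limit are not
# given in the thread, so these are illustrative only.
MAX_EMAIL_LEN = 50
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[A-Za-z]{2,}$")

env = Environment(autoescape=True)


def is_valid_email(email: str) -> bool:
    """Format/length gate. Note it does NOT reject Jinja2 delimiters: a local
    part like `{{7*7}}` contains no '@' and no whitespace, so it passes."""
    return len(email) <= MAX_EMAIL_LEN and EMAIL_RE.fullmatch(email) is not None


def register_vulnerable(email: str, request: FakeRequest, registered: set) -> str:
    """The bug: on a duplicate, the email is concatenated into the template
    SOURCE, so Jinja2 parses any {{ ... }} / {% ... %} inside it and evaluates
    it with the full render context (which includes `request`)."""
    if not is_valid_email(email):
        return "invalid email"
    if email not in registered:
        registered.add(email)
        return "registered"
    source = "The email " + email + " is already registered."
    return env.from_string(source).render(request=request)


def register_fixed(email: str, request: FakeRequest, registered: set) -> str:
    """The fix: the template source is a constant; the email travels as a
    context variable, so its braces are printed rather than parsed, and
    autoescape neutralises any HTML in it."""
    if not is_valid_email(email):
        return "invalid email"
    if email not in registered:
        registered.add(email)
        return "registered"
    template = env.from_string("The email {{ email }} is already registered.")
    return template.render(email=email, request=request)


if __name__ == "__main__":
    probe = "{{7*7}}@example.com"  # classic SSTI canary, still a valid email
    seen = {probe}                  # already registered -> duplicate branch
    print(register_vulnerable(probe, FakeRequest(), seen))
    print(register_fixed(probe, FakeRequest(), seen))
    # Query-string reach: only a short reference fits in the email; the value
    # it dereferences arrives via request.args and is not format-limited.
    indirect = "{{request.args.x}}@x.io"
    print(register_vulnerable(indirect, FakeRequest({"x": "hello"}), {indirect}))
```

The first probe renders as `49@example.com` in the vulnerable path and as the literal `{{7*7}}@example.com` in the fixed one, which is the quickest way to confirm whether a reflected value is being parsed as a template or merely echoed. The `request.args` case shows why a length-limited injection point is still dangerous when the template context carries objects that read other request data.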
8 Replies
- netcat
Silver III
While I didn't solve it, most likely the answer lies in question "8 What Python module and function allows you to access arguments in the query string?". There you are not limited in the syntax, but if it were that easy I would have solved it.
- CyberSharpe
Silver I
It is a cheeky one.
Without giving the answer up, I've run through everything using this module.function but because of the strict email template I can't get much further. I can get it to reflect but not render/process anything.
Email rules and 50 max characters have me stumped.
- netcat
Silver III
Just solved my first PenTest lab. And I think it's impossible to give more hints without revealing the solution. Maybe... as I already guessed, the questions in the lab point you to some things that are needed to complete the last question, but not to the solution itself. It's time to try and experiment.
- steven
Silver II
Puuuh... hard to tell you without telling you :)
What will help you for sure: google for jinja2 template exploits. Learn how you can access the config register, etc. Later you'll find out that you'll be limited (see Q2) and find a way around the issue.
Here's the list of links I read to solve this lab:
- https://www.onsecurity.io/blog/server-side-template-injection-with-jinja2/
- https://jinja.palletsprojects.com/en/stable/templates/#escaping
- https://anakint.medium.com/digital-overdose-2021-autumn-ctf-writeup-madlib-web-c51c5ded5260
- https://wassila-chtioui.com/post/yogosha-ctf23/
- http://167.86.82.176/yogosha_christmas_2023/
- https://def.camp/wp-content/uploads/dc2023/Remi%20Gascou.pdf
- https://blog.quentinra.dev/cybersecurity/red-team/s3.exploitation/vulns/injection/ssti.md
- https://niebardzo.github.io/2020-11-23-exploiting-jinja-ssti/
- https://forum.hackthebox.com/t/jinja2-ssti-filter-bypass-help-needed/3482/11
This might give you some indications of how to tackle the lab.
- netcat
Silver III
There's also another Jinja2 lab, where you're not limited in length, i.e. you can try out much more. Of course I discovered this only after finishing this lab. It's "Server-Side Template Injection: Ep.3 – SSTI in Jinja2 Templates". Once you have solved this, start squeezing out as many characters of that command.
- CyberSharpe
Silver I
I should have thought of that.
- netcat
Silver III
...and if you want to dig deeper: there's no need to access the query string to solve it. It's just a 'little' bit harder.
- CyberSharpe
Silver I
Team,
Thank you for reaching out in some manner. The lab is surprisingly straightforward.... once you understand the vulnerability. Over the past week, this has been my sole focus and what I have learnt is so valuable.
With regards to the CTF itself, the questions truly lead you to the answer. I had most of the answers but I had to work out how to use them and for that, I had to understand them. I spent so long punished by the limited characters and adding the 'space', that I didn't even think of using the answer to 'module.function'.
Then it clicked. What could have been a 20 minute adventure has led to some serious research and a real sense of achievement.
I can't say the answers were solutions but certainly honorable suggestions:
Netcat's -
most likely the answer lies in question "8 What Python module and function allows you to access arguments in the query string?"
Steven's -
learn how you can access the config register
Config, Strings, Objects and Variables for the win.