Pen Test CTFs: Jinja2 Exploitation

Good morning Team,

This one has my head spinning and i feel like im tickling the method but not quite pulling it off.

"Jinja2 is a templating engine for Python. It's often used with Flask web applications all over the internet. Templating engines are often vulnerable to Server-Side Template Injection (SSTI), which allows an attacker to inject a template directive as user input that could result in the execution of arbitrary code on the server.

This system has a template injection vulnerability in the registration flow. If you try to create an account with a duplicate email address, the email address is passed into the template rendering engine.

This email address can contain template syntax, allowing arbitrary code execution.

To make things more complicated, the injected value can't be longer than a certain length and must match the expected format of an email address."

I have to read the file within /data/token.txt but the strict syntax is keeping at bay. Could anyone offer some direction for this, please.

offensive cyber

CyberSharpe
18 days ago
Team,

Thank you for reaching out in some manner. The lab is surprisingly straightforward.... once you understand the vulnerability. Over the past week, this has been my soul focus and what I have learnt is so valuable.

With regards to the CTF itself, the questions truly lead you to the answer. I had most of the answers but i had to work out how to use them and for that, I had to understand them. I spent so long punished by the limited characters and adding the 'space', that I didn't even think of using the answer to 'module.function' .

Then it clicked.
What could of been a 20 minute adventure has lead to some serious research and a real sense of achievement.

I can't say the answers were solutions but certainly honorable suggestions:
Netcat's -
most likely the answer lies in question "8 What Python module and function allows you to access arguments in the query string?
Steven's -
learn, how you can access the config register
Config, Strings, Objects and Variables for the win.

8 Replies

netcat
Silver II
23 days ago
While I didn't solve it, most likely the answer lies in question "8 What Python module and function allows you to access arguments in the query string?". There you are not limited in the syntax, but if it was that easy I would have solved it.
- CyberSharpe
  Bronze III
  23 days ago
  It is a cheeky one.
  Without giving the answer up ive ran through everything using this module.funct but because of the strict email template i cant get much further. i can get it to reflect but not render/process anything.
  Email rules and 50 max characters has me stumped.
  - netcat
    Silver II
    20 days ago
    Just solved my first PenTest lab. And I think it's impossible to give more hints, without revealing the solution. Maybe...as I already guessed, the questions in the lab point you to some things that are needed to complete the last question, but not to the solution itself. It's time to try and experiment.
steven
Silver I
23 days ago
puuuh... hard to tell you, without telling you :)
what will help you is for sure: google for jinja2 template exploits. learn, how you can access the config register, etc.
later you'll find out that you'll be limited (see Q2) and find a way around the issue.
here's my linklist what I've read to solve this lab:
https://www.onsecurity.io/blog/server-side-template-injection-with-jinja2/
https://jinja.palletsprojects.com/en/stable/templates/#escaping
https://anakint.medium.com/digital-overdose-2021-autumn-ctf-writeup-madlib-web-c51c5ded5260
https://wassila-chtioui.com/post/yogosha-ctf23/
http://167.86.82.176/yogosha_christmas_2023/
https://def.camp/wp-content/uploads/dc2023/Remi%20Gascou.pdf
https://blog.quentinra.dev/cybersecurity/red-team/s3.exploitation/vulns/injection/ssti.md
https://niebardzo.github.io/2020-11-23-exploiting-jinja-ssti/
https://forum.hackthebox.com/t/jinja2-ssti-filter-bypass-help-needed/3482/11
This might give you some indications, how to tacke the lab.
netcat
Silver II
18 days ago
There's also another Jinja2 lab, where you're not limited in lenght, i.e. you can try out much more. Ofc I discovered this only after finishing this lab. It's "Server-Side Template Injection: Ep.3 – SSTI in Jinja2 Templates". Once you have solved this, start squeezing out as many characters of that command.
- CyberSharpe
  Bronze III
  18 days ago
  I should of thought of that.
netcat
Silver II
17 days ago
...and if you wanna dig deeper: There's no need to access the query string to solve it. It's just a 'little' bit harder.
CyberSharpe
Bronze III
18 days ago
Team,

Thank you for reaching out in some manner. The lab is surprisingly straightforward.... once you understand the vulnerability. Over the past week, this has been my soul focus and what I have learnt is so valuable.

With regards to the CTF itself, the questions truly lead you to the answer. I had most of the answers but i had to work out how to use them and for that, I had to understand them. I spent so long punished by the limited characters and adding the 'space', that I didn't even think of using the answer to 'module.function' .

Then it clicked.
What could of been a 20 minute adventure has lead to some serious research and a real sense of achievement.

I can't say the answers were solutions but certainly honorable suggestions:
Netcat's -
most likely the answer lies in question "8 What Python module and function allows you to access arguments in the query string?
Steven's -
learn, how you can access the config register
Config, Strings, Objects and Variables for the win.

Forum Discussion

Pen Test CTFs: Jinja2 Exploitation

8 Replies

Featured Places

Help & Support Forum

Related Content

Cross-Site Scripting: Ep.6 – Further Exploitation

Pen Test CTFs: Immersive Code Q4

Human Connection Challenge: Season 1 – Web Exploitation - XSS

Re: Cross-Site Scripting: Ep.6 – Further Exploitation

Human Connection Challenge: Season 1 – Web Exploitation

Recent Discussions

"Git Security: SSH Keys" lab Question 4

APT29 Threat Hunting with Splunk: Ep.4 – Clean-up & Reconnaissance

Web App Hacking Lab

Autopsy Ep 3: Tags, Comments and Reports

Incident Response