Forum Discussion

Bronze III

4 days ago

Pen Test CTFs: Jinja2 Exploitation

Good morning Team, This one has my head spinning and i feel like im tickling the method but not quite pulling it off. "Jinja2 is a templating engine for Python. It's often used with Flask web ap...

offensive cyber

steven

Silver I

3 days ago

puuuh... hard to tell you, without telling you :)
what will help you is for sure: google for jinja2 template exploits. learn, how you can access the config register, etc.

later you'll find out that you'll be limited (see Q2) and find a way around the issue.

here's my linklist what I've read to solve this lab:

https://www.onsecurity.io/blog/server-side-template-injection-with-jinja2/
https://jinja.palletsprojects.com/en/stable/templates/#escaping
https://anakint.medium.com/digital-overdose-2021-autumn-ctf-writeup-madlib-web-c51c5ded5260
https://wassila-chtioui.com/post/yogosha-ctf23/
http://167.86.82.176/yogosha_christmas_2023/
https://def.camp/wp-content/uploads/dc2023/Remi%20Gascou.pdf
https://blog.quentinra.dev/cybersecurity/red-team/s3.exploitation/vulns/injection/ssti.md
https://niebardzo.github.io/2020-11-23-exploiting-jinja-ssti/
https://forum.hackthebox.com/t/jinja2-ssti-filter-bypass-help-needed/3482/11

This might give you some indications, how to tacke the lab.

Forum Discussion

Pen Test CTFs: Jinja2 Exploitation

Featured Places

Help & Support Forum

Related Content

Cross-Site Scripting: Ep.6 – Further Exploitation

Pen Test CTFs: Immersive Code Q4

Human Connection Challenge: Season 1 – Web Exploitation - XSS

Re: Cross-Site Scripting: Ep.6 – Further Exploitation

Human Connection Challenge: Season 1 – Web Exploitation

Recent Discussions

DDOS Analysis: UDP Flood (Question 8)

Weaponization: Payloads – Obfuscation Using PowerShell

AWS Security Hub: Integrations and Custom Actions

Windows Basics: Ep.3 – Registry Roadblock

Discovery: Enumeration Scripts – Part 1