Templated

In this first challenge I literally waited for a while because I thought the server was still initializing, because of the text shown below XD

After some time I tried everything, from searching the request for clues in the cookies or headers to inspecting the HTML code. I even ran a gobuster directory enumeration, but every path returned a 200 status code, so there was no way to tell real directories from non-existent ones.

Then I looked at the technology, Flask/Jinja2. Flask is a Python web framework and Jinja2 is the template engine it renders pages with. Sometimes we can see where our input ends up in the generated page and try to abuse that, and this was more or less the case here: after manually trying some endpoints I noticed that whatever I put in the URL path was shown back in the 404 page.

I started searching for information about a possible injection and found this blog post explaining possible payloads for the vulnerability: https://www.onsecurity.io/blog/server-side-template-injection-with-jinja2/. The vulnerability is SSTI (Server-Side Template Injection): when user input becomes part of the template itself instead of being passed to it as data, the user controls what the template engine evaluates, and will abuse that as much as they can, so it is a bad idea to give them that option. I tried various things and managed to execute a command on the OS running the service.
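To make the bug concrete, here is an added example (my own code, not the challenge's source or the original writeup) of the pattern behind a 404 page like this one: a handler that concatenates the requested path into the template source, next to the fixed version that passes the path as a template variable. It assumes only the jinja2 package, the engine Flask uses, so it runs without Flask or a network; the function names and the 404 wording are made up for illustration.

```python
# Added example (not from the original writeup): the SSTI pattern behind a
# reflecting 404 page, the one-line fix, and the arithmetic probe used to tell
# "my input is reflected" from "my input is evaluated". Only jinja2 is needed.
from jinja2 import Environment

# autoescape=True is what Flask enables for .html templates; it protects the
# DATA passed into a template, never the template SOURCE itself.
env = Environment(autoescape=True)


def render_404_vulnerable(path: str) -> str:
    """Builds the template source by string concatenation, so any Jinja2
    syntax in the URL path is parsed and executed by the engine (SSTI)."""
    source = "<h1>Error 404</h1><p>The page '" + path + "' could not be found</p>"
    return env.from_string(source).render()


def render_404_fixed(path: str) -> str:
    """Keeps the template source constant and hands the path over as data.
    Jinja2 treats it as an opaque string and autoescaping HTML-encodes it."""
    template = env.from_string(
        "<h1>Error 404</h1><p>The page '{{ path }}' could not be found</p>"
    )
    return template.render(path=path)


def probe_ssti(render, a: int = 7, b: int = 7) -> bool:
    """Classic first step: ask the engine to multiply. If the product shows up
    and the raw expression does not, the input was evaluated, not reflected."""
    marker = f"{{{{ {a}*{b} }}}}"  # builds the literal string "{{ 7*7 }}"
    body = render(marker)
    return str(a * b) in body and marker not in body


if __name__ == "__main__":
    for name, handler in (("vulnerable", render_404_vulnerable),
                          ("fixed", render_404_fixed)):
        print(f"{name:10s} injectable={probe_ssti(handler)}")
        print("  ", handler("{% for i in range(3) %}x{% endfor %}"))
```

The probe is the same check you do by hand in the browser: the vulnerable handler turns `{{ 7*7 }}` into `49` and a `{% for %}` tag into `xxx`, while the fixed handler prints both back verbatim. jinja2 also ships a `SandboxedEnvironment` for rendering genuinely untrusted templates, but the real fix is the one shown: never build template source out of user input.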

Then I decided to see which files were there with the command "ls".

After that it was simple: we know there is a flag.txt and we are root, so a simple "cat flag.txt" was enough to get the flag.
