Tags: web 


## 1. Secret provider (Web)
### 1. Challenge description
I will provide you a secret for next level security.

Note: Flag is located in etc directory

Author : x3rz

### 2. Solution
1. When you goto the challenge site, you are greeted with a page having a single textbox. Any string you enter will be base64 decoded and printed back on the page.


2. Since the string is passed to the backend through GET requests, I initially thought that this must be a directory traversal attack. But it wasn't the case.
3. Since the website uses the python flask framework, we can try the server side template injection attack. First we have to check if the site actually uses a templating engine. For this we can try payloads from the [swisskey github repo](https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/Server%20Side%20Template%20Injection#tools).
4. First convert the payload "{{4\*4}}" into base64 and enter it into the site. We get the result as 16, that means the site probably uses the jinja2 templating engine.
5. Now to get the flag, we need to read the file contents. For this I encoded the payload "{{ self.\_TemplateReference__context.cycler.__init__.__globals__.os.popen('strings /etc/flag.txt').read() }}" and passed it into the textbox. This prints the flag on the webpage.
6. Flag: wormcom{55T1_15r311y50m3th1g_1y2v4ugu}

Original writeup (https://github.com/gum3ng/ctf_writeups/blob/main/wormcon/wormcon.md).
Mam@d0s3cSept. 6, 2021, 8:11 p.m.

This write-up includes only the solution of "secret provider" not the "secure redirect" challenge.