X-MAS 2019 CTF write-up (Mercenary Hat Factory) SSTI

Mohamed Slamat
Dec 20, 2019 · 4 min read

X-MAS CTF is a Capture The Flag competition organized by HTsP.

In this article we explain our solution to the Mercenary Hat Factory challenge.


i)- Reading & Analysing the given code

server.py

The objective is to exploit a server-side template injection (SSTI) in Flask/Jinja2.

ii)-Level 1 ( JWT )

After registering and logging in to our account,


we get a JWT signed with the HS256 algorithm, stored in a cookie. Decoding it with jwt.io gives this payload:

Now let’s change the user role to admin using the none algorithm, with the jwt library in Python:
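The reason this works is that the server accepts whatever algorithm the token header names. The following is an added example, not code from the write-up or the challenge: a minimal HS256 verifier, standard library only, that pins the accepted algorithm on the server side, so a token whose header says "alg": "none" is rejected even though its payload claims role=admin. The key, user name and claim names are constructed for the demo.

```python
# Added example (not code from the write-up): a minimal HS256 JWT verifier that
# pins the accepted algorithm, so a token whose header says "alg": "none" is
# rejected even though the payload claims role=admin. Standard library only.
import base64
import hashlib
import hmac
import json

ALLOWED_ALGS = {"HS256"}  # the server decides the algorithm, never the token


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_jwt(payload: dict, key: bytes) -> str:
    """Issue a properly signed HS256 token (what the server should do)."""
    header = {"alg": "HS256", "typ": "JWT"}
    h = _b64url_encode(json.dumps(header, separators=(",", ":")).encode())
    p = _b64url_encode(json.dumps(payload, separators=(",", ":")).encode())
    sig = hmac.new(key, f"{h}.{p}".encode(), hashlib.sha256).digest()
    return f"{h}.{p}.{_b64url_encode(sig)}"


def make_unsigned_token(payload: dict) -> str:
    """Negative test vector: header alg=none and an empty signature segment,
    the shape of the tampered token described for Level 1."""
    header = {"alg": "none", "typ": "JWT"}
    h = _b64url_encode(json.dumps(header, separators=(",", ":")).encode())
    p = _b64url_encode(json.dumps(payload, separators=(",", ":")).encode())
    return f"{h}.{p}."


def verify_jwt(token: str, key: bytes) -> dict:
    """Return the payload only if the algorithm is allowed and the HMAC matches."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(_b64url_decode(header_b64))
    alg = header.get("alg")
    if alg not in ALLOWED_ALGS:  # covers "none", "NONE", and algorithm confusion
        raise ValueError(f"algorithm not allowed: {alg!r}")
    signing_input = f"{header_b64}.{payload_b64}".encode()
    expected = hmac.new(key, signing_input, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    return json.loads(_b64url_decode(payload_b64))


def role_of(token: str, key: bytes) -> str:
    """The role the server would trust for this token, or 'rejected'."""
    try:
        return verify_jwt(token, key)["role"]
    except ValueError:
        return "rejected"


if __name__ == "__main__":
    KEY = b"constructed-demo-secret"  # placeholder, not the challenge's key
    good = sign_jwt({"user": "mercenary", "role": "user"}, KEY)
    forged = make_unsigned_token({"user": "mercenary", "role": "admin"})
    print(role_of(good, KEY))    # user
    print(role_of(forged, KEY))  # rejected
```

The check that matters is the allow-list on alg before any signature work: with a fixed set of accepted algorithms, the empty signature of a none-algorithm token never reaches the comparison, and a token signed with the wrong key fails the constant-time HMAC comparison.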


iii)-Level 2 ( adminPrivileges )

As we saw in the code, we have to be in the authorizedAdmin list, so we have to bypass this line:

So how do we get the Santa secret? The answer: NO, WE DON’T HAVE TO.

adminPrivileges is created this way:

adminPrivileges = [[None]*3]*500

A list of 500 elements, each of which is a list of three None values. Since the author used * to build the nested list, all 500 rows refer to the same inner list object rather than to 500 separate copies.

So whatever the uid value is, the data written to adminPrivileges[uid] shows up in every row, and that includes row 0, i.e. Santa :) .

In conclusion, you just need to post OUR SANTA SECRET as privilegeCode in step 1, and in step 2 post the full accessCode, which contains your uid + your username + OUR SANTA SECRET*2.
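To make the aliasing concrete, here is an added example (not code from the write-up or the challenge) that reproduces the `[[None]*3]*500` construction, shows that a write through any uid lands in row 0, and contrasts it with the comprehension that builds independent rows. The slot layout, uid -> [privilegeCode, accessCode, granted], is a constructed stand-in; the write-up does not show the challenge's real structure.

```python
# Added example (not code from the write-up): reproduces the aliasing bug in
# `adminPrivileges = [[None]*3]*500` and shows the fix. The slot layout
# (uid -> [privilegeCode, accessCode, granted]) is a constructed stand-in.
from typing import List, Optional

Row = List[Optional[str]]


def make_aliased(rows: int = 500, cols: int = 3) -> List[Row]:
    """The challenge's construction: the outer * repeats a *reference* to one
    inner list, so all 500 slots point at the same object."""
    return [[None] * cols] * rows


def make_independent(rows: int = 500, cols: int = 3) -> List[Row]:
    """The fix: the comprehension evaluates [None] * cols once per row."""
    return [[None] * cols for _ in range(rows)]


def distinct_rows(table: List[Row]) -> int:
    """How many separate inner-list objects the table really contains."""
    return len({id(row) for row in table})


def set_privilege_code(table: List[Row], uid: int, code: str) -> None:
    """Step 1 of the admin check: store the code the user posted for their uid."""
    table[uid][0] = code


def santa_sees(table: List[Row]) -> Optional[str]:
    """What a check against uid 0 (Santa) reads back."""
    return table[0][0]


if __name__ == "__main__":
    bad = make_aliased()
    set_privilege_code(bad, 42, "OUR SANTA SECRET")
    print(distinct_rows(bad), santa_sees(bad))    # 1 OUR SANTA SECRET

    good = make_independent()
    set_privilege_code(good, 42, "OUR SANTA SECRET")
    print(distinct_rows(good), santa_sees(good))  # 500 None
```

`distinct_rows` is the quickest way to catch this in a code review or a unit test: a freshly built table should report as many distinct inner lists as it has rows.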

curl does the job:

And now we are in level 2.


iv)-Bypassing filters (SSTI)

Before we start injecting, note this instruction in the code:

Besides authorizedAdmin, we need to add our password to the payload and encode it again.

Finally we can talk about SSTI and the filters …

Testing: {{13*37}}


It’s injectable. Now let’s try listing all subclasses of the object class:


We get “Error: That’s a hella weird Hat Name, maggot.” because of the filters.

So the filter list for the POST parameter hatName is:

Now, let’s bypass them all with attr() and Python escape characters.

So our payload will be:
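The lesson for whoever writes the filter is that a blacklist matched against the raw string never sees what the template engine sees: `\x5f` is not an underscore until the string literal is interpreted. The following is an added example, not code from the write-up or the challenge: input triage that decodes Python-style escape sequences before matching, alongside the brittle raw-string check, run over constructed sample hat names. The indicator names and samples are assumptions for the demo; the real fix for SSTI is to never place user input in the template source and to pass it as template context instead.

```python
# Added example (not from the write-up): input triage that decodes Python-style
# escape sequences *before* matching, to show why a raw-string blacklist on
# hatName was bypassable. Indicator names and sample inputs are constructed.
import re
from typing import List

# Patterns checked against the raw input as received
RAW_INDICATORS = {
    "template_delimiter": re.compile(r"\{\{|\{%"),       # Jinja2 expression / statement
    "attr_filter": re.compile(r"\|\s*attr\b|\battr\("),  # attribute lookup by string
    "hex_escape": re.compile(r"\\x[0-9a-fA-F]{2}"),      # \x5f and friends
    "shell_ifs": re.compile(r"\$\{IFS\}"),               # word separator in shell payloads
}

# Patterns checked only after escapes are decoded (the challenge banned '_')
DECODED_INDICATORS = {
    "underscore": re.compile(r"_"),
}


def decode_escapes(text: str) -> str:
    """Interpret \\xNN, \\uNNNN, \\n ... the way a Python string literal would."""
    try:
        return text.encode("latin-1", "backslashreplace").decode("unicode_escape")
    except UnicodeDecodeError:
        return text  # malformed escape sequence: fall back to the raw text


def raw_blacklist_blocks(hat_name: str) -> bool:
    """A raw-string check of the kind the challenge's filter relied on."""
    return "_" in hat_name


def classify(hat_name: str) -> List[str]:
    """Sorted list of indicator names found in the raw and the decoded input."""
    found = {name for name, rx in RAW_INDICATORS.items() if rx.search(hat_name)}
    decoded = decode_escapes(hat_name)
    found |= {name for name, rx in DECODED_INDICATORS.items() if rx.search(decoded)}
    return sorted(found)


if __name__ == "__main__":
    # Constructed samples: an ordinary name, the write-up's test probe, and a
    # name that hides an underscore behind a hex escape.
    for sample in ["Red Santa Hat", "{{13*37}}", "unusual\\x5fflag"]:
        print(repr(sample), raw_blacklist_blocks(sample), classify(sample))
```

Running it shows the gap: the raw check lets `unusual\x5fflag` through, while the decoded view reports both the escape and the underscore it hides. The same normalisation principle applies to URL-encoding, Unicode escapes and HTML entities whenever a filter sits in front of an interpreter.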


It’s clear that the useful classes are:

In my case, I can’t do anything with warnings.WarningMessage and warnings.catch_warnings.

For subprocess.Popen, Popen requires two commas, but the code has a special condition (no more than one comma in the payload).

We will focus on the os._wrap_close class because it has access to the os module functions; this way we can find our way to an OS shell.


As we see, here’s the function list, and our interest is in ‘system’ and ‘popen’.

In my case system() won’t work, so let’s use popen() and run these commands to see what’s going on: uname -a; id; ls -la.

Since it is a bash shell, we can bypass the space filter with ${IFS}.

Output:


Now the flag shows. Since it is a binary file we have to encode it before reading it, so base64 does the job, but don’t forget that _ is banned (‘unusual\x5fflag.mp4’):


After decoding, we get a file of type:

and media applications can’t play it, so I converted it using ffmpeg:

ffmpeg -i flag2.mp4 -c copy -map 0 -brand mp42 factory.mp4 

and BINGO!


The video contains the flag:

X-MAX{W3lc0m3_70_7h3_h4t_f4ct0ry__w3ve_g0t_unusu4l_h4ts_90d81c091da}

InfoSec Write-ups