TokyoWesterns CTF 4th 2018 Writeup — Part 3
06/09/2018 20:32 PM UTC+2
Obviously, in this blog i will talk about an important vulnerability; Server-Side Template Injection (SSTI) and i recommand you to read this one to understand it as well.
Shrine — 193pts
Challenge: shrine
05/09/2018 07:06 AM UTC+2
When i’m reversing dec dec dec challenge, my teammate shared a python script of one challenge called Shrine telling us that he is working on this one. Seems this is app.py of web application created by using python in back-end.
I checked it faster and noticed that this application is based on Python Flask Framework, the first thing i thought about is Server-Side Template Injection (SSTI) Vulnerability.
As you see in app.py above; there is safe_jinja function with two filters. We have to bypass it to get in config or self as two blacklisted files. With two filtered symbols “(” and “)”.
So as summary of our mission is that we have to bypass in two steps: “()” and blacklisted config and self in order to get in config or self themselves finally.
Actually, I solved a set of challenges like this one and has same context, and i wrote one good and rich writeup about similar task but without filtered config or self, will find it in AngstromCTF 2018 WEB Writeups — Part 2.
Let’s follow The High Level Methodology to Capture an efficient Attack Process then apply it in this SSTI Attack!
1. Detect
As you see in app.py above; there is an interesting route:
@app.route('/shrine/<path:shrine>')Let’s follow it:
Let’s try to detect SSTI Vulnerability by injecting {{9*9}} in <path:shrine>:
Yay … As you see i got 81 as result, so it’s executed by server and finally maked the error out!
Meanwhile, Server-Side Flask Template Injection (SSTI) Vulnerability has been detected.
2. Identify
As you see above in app.py; this template engine is Jinja2.
Meanwhile, Server-Side Flask Jinja2 Template Injection (SSTI) Vulnerability has been identified.
3. Exploit
I based my exploit on this one:
If you try getting into config or self directlly will not find anything interesting because these is blacklisted.
http://shrine.chal.ctf.westerns.tokyo/shrine/{{config}}
http://shrine.chal.ctf.westerns.tokyo/shrine/{{self}}
For more informations read it too:
So the idea is to get in config or self by using another method in order to bypass it as blacklisted functions. The first thing i thought about is to use subclasses and attributes until get in config, and to do that i have to list functions and attributes. After a while my friend found an interesting function:
http://shrine.chal.ctf.westerns.tokyo/shrine/{{request.environ}}
But there is nothing interesting to help. I tried to find something new by searching about new subclasses then i discovered that’s using limited bytes to inject in this directory and that there is a possibility to inject html tags. Injected some html tags and XSSed it finally!
Exploited this XSS to show my picture but it was not the goal of this challenge, I did it just for fun.
Here is XSS payload which i injected to get XSS:
<html><img%20src=https://goo.gl/PCGz59%20width=100%%60hight=100%%20onerror=confirm></html>
I called my teammate @tnmch to enjoy this challenge by injecting this template above his picture with fun XD !!
Let’s enjoy injecting this template above my picture with fun ^^ !!
http://shrine.chal.ctf.westerns.tokyo/shrine/%7B%7B'hello%20tnmch'~'%20'~191*7%7D%7D%3Chtml%3E%3Cimg%20src=https://goo.gl/PCGz59%20width=100%%60highth=100%%20onerror=confirm(String.fromCharCode(88,83,83))%3E%3C/html%3ELet’s back to our exploitation of this template injection. After long time of trying without any interesting result, I just tried to read about all Flask functions and objects, found an interesting one called url_for(). By the way In templates you have access to the config, request, session, and g objects, and the url_for() and get_flashed_messages() functions.
I tried them one by one till got all global variables of url_for() function by using __globals__ attribute.
http://shrine.chal.ctf.westerns.tokyo/shrine/{{url_for.__globals__}}
After (CTRL+F)ed “Flask” word i just found an interesting variable called: current_app.
Let’s try to get access into current_app:
http://shrine.chal.ctf.westerns.tokyo/shrine/{{url_for.__globals__.current_app}}
It means that we are in the application app.py again, so let’s try to get in config now!
http://shrine.chal.ctf.westerns.tokyo/shrine/{{url_for.__globals__.current_app.config}}
Yay … We just got access into config by using url_for() attributes instead to access into config directlly because it gaves None as result because it’s blacklisted and filtered in app.py and also without using “()” because it’s filtered too in app.py.
Our goal is to get access into config or self in order to find flag, as shown above the flag is really stored in config.
FLAG is: TWCTF{pray_f0r_sacred_jinja2}
I would like to thank very much author of this challenge especially and TokyoWesterns Team generally. This task was very educational about one of strong vulnerabilities. I hope that my writeup will help everyone read it, here is the fourth part of this writeup if you are looking for read more …
