Shark with a twist.
CTF{d40de1849fdcdc50b34e23b5acb874aabd8c106c43d837f1d42b12336a51dee0}
SSTI using Mako and bypassing blacklist
This challenge had a blacklist. Not only were we not allowed to use certain words, but <, > and others were being escaped. We had to get creative.
I tried a bunch of things like getting the pageargs:
Payload: name=${pageargs}
And we got:
Hello {'data': 'world'}!
But that didn’t help out much. I then started searching online for some vulnerabilities in Mako. I found this:
https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Server Side Template Injection/README.md#mako
${self.module.cache.util.os.system("id")}
${self.module.runtime.util.os.system("id")}
...
However, I could not use ' or " in my payload, as it got escaped. I remembered that Python has the function chr. I used this to my advantage and created the following payload: