Overview

This was a good beginner challenge that involved a Server-Side Template Injection vulnerability in the Flask application’s Jinja2 template engine. This vulnerability allowed reading the contents of the application’s config object, which was where the flag for this challenge was located.

Approach

When I first opened up the web page, I was presented with a form input. I tested the level of input sanitization with a mathematical expression in double curly braces: {{2*2}}, which prints the contents in between to the template output. To better see the response from the browser, I sent my request using Burp Suite and got a positive indication of a Server-Side Template Injection vulnerability.

Overview

This was the second part of the same application, which also involved the Server-Side Template Injection vulnerability. However, this time the flag was in the file flag.txt in the application directory, which can be accessed through remote code execution using the request object.

Approach

To achieve remote code execution, the goal was to import the os module, which is reachable from the request object’s __globals__ attribute via its __builtins__ entry.
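As an added, defender-side example (not part of the original writeups), the script below scans web server access-log lines for the three kinds of input described in both parts: the {{2*2}} arithmetic probe, reads of the config object, and the __globals__/__builtins__ traversal of the request object. The log lines, the IP addresses, the log format and the name query parameter are constructed assumptions.

```python
import re
from typing import Dict, List
from urllib.parse import unquote_plus

# Constructed sample access-log lines (not from the original post). The query
# strings carry URL-encoded versions of the probes the writeup describes.
SAMPLE_LOG = """\
10.0.0.5 - - [01/Apr/2023:12:00:01 +0000] "GET /?name=alice HTTP/1.1" 200 512
10.0.0.7 - - [01/Apr/2023:12:00:09 +0000] "GET /?name=%7B%7B2*2%7D%7D HTTP/1.1" 200 498
10.0.0.7 - - [01/Apr/2023:12:00:15 +0000] "GET /?name=%7B%7Bconfig%7D%7D HTTP/1.1" 200 2048
10.0.0.7 - - [01/Apr/2023:12:00:30 +0000] "GET /?name=%7B%7Brequest.__globals__%7D%7D HTTP/1.1" 500 0
"""

# Common Log Format: ip ident user [time] "method target protocol" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Stage 1: does the request contain Jinja2 expression or statement delimiters at all?
DELIMS = re.compile(r"\{\{.*?\}\}|\{%.*?%\}", re.S)

# Stage 2: what the expression reaches for, ordered from reconnaissance to escalation.
INDICATORS = {
    "arith_probe": re.compile(r"\{\{\s*\d+\s*[*+\-/]\s*\d+\s*\}\}"),  # the {{2*2}} sanitization test
    "config_read": re.compile(r"\bconfig\b"),                            # part 1: reading the config object
    "object_walk": re.compile(r"__(?:globals|builtins|class|mro|subclasses)__"),  # part 2: request traversal
}


def classify(decoded: str) -> List[str]:
    """Return indicator tags for one URL-decoded request target; empty means benign."""
    if not DELIMS.search(decoded):
        return []
    tags = [name for name, rx in INDICATORS.items() if rx.search(decoded)]
    return tags or ["template_delims"]  # delimiters present but no known pattern


def scan_log(text: str) -> List[Dict]:
    """Parse access-log lines and report every request that carries template syntax."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        # unquote_plus: query strings and form bodies encode a space as '+'
        target = unquote_plus(m["target"])
        tags = classify(target)
        if tags:
            findings.append({"ip": m["ip"], "target": target, "status": int(m["status"]), "tags": tags})
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"{f['ip']} {f['status']} {f['tags']} {f['target']}")
```

A 500 on the object_walk request is itself a useful signal: a traversal that fails partway through still shows up in the application error log.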

This is my first time being a CTF author and organizer for UMassCTF. I decided to make a beginner challenge that teaches basic skills in web exploitation.

Challenge Description

You just got invited to Spongebob’s birthday! But he’s decided to test your friendship with a series of challenges before granting you the ticket of entrance. Can you prove that you’re truly his friend and earn your entrance to this holesome birthday party?