A Web application wirtten in python using flask, jinja templates, redis and sqlite.
- Navigate to service/src/
- Install requirements using "pip install -r requirements.txt"
- Run application using python3 "python main.py"
- Navigate to localhost in your browser (port 80)
Generating plantes' IDs is possible since it doesn't require secret value
Tickets are validated through given binary.
This exploit is provided in "/exploits/reverse-engi-exploit.py"
Tickets are big primenumbers >999.999.999 in negative value. The planet name Parameter is given to the jinja template using %s formatter, and name is validated if it is contained in the parameter given through the url.
Example:
Navigating to "http://localhost/planet_details?name=SAM23" will give back the first matching planet that its name is contained in the string "SAM23".
Appending dopple curly braces to the planet name will return the name and whatever the return value of the python script included inside the dobble curly braces.
The easiest possilbe exploit is to append "{{planet.flag}}" to the name:
"http://localhost/planet_details?name=SAM23{{planet.flag}}"
This will return the flag appended to the name. Read here for a write up of the service played in the Enowars3 2019 CTF.
Interesting is how the Team could manage to run unintended Remote Code Execution out of the Templete injection Vulnerability.