A personalised thank you
Web: A personalised thank you
Challenge Description
Thank you for your feedback { name }
Flag is in /flag.txt
Preliminary Knowledge
About Jinja2
Before elaborating further, it is important to understand what Jinja2 is capable of. By design, Jinja2 allows developers to implement dynamic content in HTML using expressions like {{ myvariable }}, known as templates.
These templates have access to Python objects and functions. Without proper sanitization, an attacker can inject their own expressions, which get evaluated on the server.
TL;DR: If input is not sanitized, you can execute Python code through Jinja2 templates.
Approach
This challenge is solved with Server-Side Template Injection (SSTI).
The hint is the { name } placeholder in the challenge description. Inspecting the code also reveals that the backend is Flask, which renders pages with the Jinja2 template engine.
Knowing this, we can test whether the form is vulnerable by injecting the following expression
{{7*7}}
into the name field. After submitting the form, the page returns:
49
This confirms that user input is being rendered directly inside a template (rather than passed to it as a variable), making the form susceptible to SSTI.
Now that we have confirmed that SSTI exists, we can move on to exploiting it to read sensitive files on the server. In this challenge, the flag is stored in /flag.txt.
Using Jinja2's access to Python objects, we can craft a payload like the following:
{{config.__class__.__init__.__globals__['os'].popen('cat /flag.txt').read()}}
Submitting this in the name field gives us our flag for the challenge:
RISC{y0ur_f33db4ck_1snt_p4rt1cul4rly_s4f3!_e85dae1c0b362b4c7019905ca3a56ecf}
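The root cause, as an added example that is not part of the original writeup: the page builds the template source from the submitted name, so Jinja2 parses whatever the user typed. The assumed fix is to keep the template constant and pass the name as a context variable; Jinja2's SandboxedEnvironment is shown as a second layer that refuses the __class__/__globals__ attribute walk used above. The PAGE string is modelled on the challenge and assumes the jinja2 package is installed.

```python
"""Vulnerable vs. fixed rendering of the feedback page (constructed example)."""
from jinja2 import Environment
from jinja2.sandbox import SandboxedEnvironment, SecurityError

# Page text modelled on the challenge; {name} is where the submitted name lands.
PAGE = "Thank you for your feedback {name}"


def render_vulnerable(name: str) -> str:
    """BUG: the user's input is spliced into the template *source*, so Jinja2
    evaluates anything they typed, e.g. {{7*7}} comes back as 49."""
    template_source = PAGE.format(name=name)  # "...feedback {{7*7}}"
    return Environment().from_string(template_source).render()


def render_fixed(name: str) -> str:
    """FIX: the template source is a constant; the name is passed as a context
    variable, so it is only ever data and is HTML-escaped on output."""
    env = Environment(autoescape=True)
    template = env.from_string("Thank you for your feedback {{ name }}")
    return template.render(name=name)


def render_sandboxed(name: str) -> str:
    """Defence in depth only: if a template really must be built from user
    input, SandboxedEnvironment raises SecurityError on access to unsafe
    attributes such as __class__ or __globals__. Not a substitute for the fix."""
    try:
        return SandboxedEnvironment().from_string(PAGE.format(name=name)).render()
    except SecurityError:
        return "[blocked by sandbox]"


def looks_like_ssti_probe(value: str) -> bool:
    """Detection for form submissions or request logs: Jinja2 delimiters or
    the dunder attributes used to reach os from a config object (constructed
    marker list; tune for the application)."""
    markers = ("{{", "{%", "__class__", "__globals__", "__init__", "popen")
    return any(m in value for m in markers)


if __name__ == "__main__":
    probe = "{{7*7}}"
    print("vulnerable:", render_vulnerable(probe))
    print("fixed:     ", render_fixed(probe))
    print("sandboxed: ", render_sandboxed("{{config.__class__.__init__.__globals__}}"))
    print("flagged:   ", looks_like_ssti_probe(probe))
```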