HACKvent 2020 - Day 9

01-01-2021 - 1 minute, 21 seconds - CTF

Challenge - Santa's Gingerbread Factory

Here you can customize your absolutely fat-free gingerbread man.

Note: Start your personal instance from the RESOURCES section on top.

Goal / Mission: Besides the gingerbread men, there are other goodies there. Let’s see if you can get the goodie, which is stored in /flag.txt.


Our personal instance was a cute little website, as seen on the right. No other services were running, just this site with a single submit form.

Image of the website
Our personal instance which we are about to hack 🙂

Solution

First, we threw some data at the form to see how it would handle it. At the first non-ASCII character, a simple “ä” for example, the backend crashed and presented us with a stack trace. That's a no-no 😉

Python stacktrace

Now we were about to look at how to exploit this code, but in the meantime @dabe found the /console endpoint. It was a Python console, protected by a PIN. The PIN algorithm is known, but computing it requires access to the machine.

Researching the from_string() method of the Jinja2 Python library led to a better vulnerability, “Server Side Template Injection” (SSTI), which here amounts to remote code execution: https://www.exploit-db.com/exploits/46386.

Yes, those are the kinds of things you get when you program your backend in interpreted languages. So we quickly prepared the payload (as described in the link above) and got the flag.

{{ ''.__class__.__mro__[2].__subclasses__()[40]('/etc/flag.txt').read() }}
HV20{SST1_N0t_0NLY_H1Ts_UB3R!!!}
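As an added illustration of the bug behind this challenge (my own example, not code from the write-up or the challenge), here is the same greeting feature built the vulnerable way and the fixed way with Jinja2, plus a small helper for spotting template-syntax probes in request logs. It assumes the Jinja2 package is installed; the field name and inputs are constructed.

```python
# Added example, not from the original write-up. Assumes Jinja2 is installed.
from jinja2 import Environment
from jinja2.sandbox import SandboxedEnvironment

# Constructed input: what a user might type into the "name" field.
# The braces are Jinja2 syntax, the classic harmless SSTI probe.
PROBE = "{{ 7 * 7 }}"

# Delimiters of common template engines; seeing them in a form field is
# worth an alert, but detection is no substitute for the fix below.
TEMPLATE_MARKERS = ("{{", "{%", "{#", "${", "<%")


def render_vulnerable(name: str) -> str:
    """Bug: user input is concatenated INTO the template source, so Jinja2
    parses and evaluates whatever the user typed (what the challenge did)."""
    env = Environment()
    template = env.from_string("Hello " + name + ", enjoy your gingerbread!")
    return template.render()


def render_fixed(name: str) -> str:
    """Fix: the template source is a constant and user input only enters as a
    context variable, so it is treated as data and autoescaped for HTML.
    SandboxedEnvironment is defence in depth should source ever be built
    from input again."""
    env = SandboxedEnvironment(autoescape=True)
    template = env.from_string("Hello {{ name }}, enjoy your gingerbread!")
    return template.render(name=name)


def looks_like_template_probe(value: str) -> bool:
    """Detection hint for WAF rules or log review: does the field contain
    template delimiters? Returns True for PROBE, False for a plain name."""
    return any(marker in value for marker in TEMPLATE_MARKERS)


if __name__ == "__main__":
    print("vulnerable:", render_vulnerable(PROBE))   # expression evaluated
    print("fixed:     ", render_fixed(PROBE))        # braces kept literal
    print("probe?     ", looks_like_template_probe(PROBE))
```

The vulnerable path evaluates the probe to 49, while the fixed path renders the braces literally and escapes HTML in a non-ASCII name as well.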

Note that we did not follow up on the remote console. With this kind of access it would have been possible to crack the PIN or spawn our own shell. We’ll see if we missed anything when the first people get some points that we cannot explain.
