SSTI1

Description: I made a cool website where you can announce whatever you want! Try it out! I heard templating is a cool and modular way to build web apps! Check out my website here!
Difficulty: Easy

🔎 Solution

This challenge revolves around exploiting a Server-Side Template Injection (SSTI) vulnerability. SSTI occurs when user supplied input is embedded directly into server-side templates without proper sanitization. Many web frameworks (like Flask with Jinja2, Django,...) use templating engines to render dynamic content. When templates evaluate input as actual code instead of plain text, attackers can inject malicious payloads that get executed on the server. In severe cases, this leads to Remote Code Execution (RCE).

The web application presented here is a simple announcement page. On the main page, users are prompted to enter a message, and upon submission, the site echoes the input back. But the real question is - does it actually return exactly what we input?

To test this, I submitted the classic SSTI payload:

{{7*7}}

Instead of displaying the literal string {{7*7}}, the page rendered 49

This confirms the presence of an SSTI vulnerability, as the server evaluated the expression within double curly braces.
Next, I crafted a more advanced payload to test command execution:

{{ config.__class__.__init__.__globals__['os'].popen('ls').read() }}

The result displayed the output of the ls command on the server, revealing the following files:

This means we now have the ability to execute arbitrary shell commands on the server. And just like that - the contents of the flag file were returned, completing the challenge. To retrieve the flag, I modified the payload as follows:

{{ config.__class__.__init__.__globals__['os'].popen('cat flag').read() }}

And just like that - the contents of the flag file were returned, completing the challenge.

🚩Flag

picoCTF{s4rv3r_s1d3_t3mp14t3_1nj3ct10n5_4r3_c001_3066c7bd}

🔎 Solution​

🚩Flag​

🔎 Solution

🚩Flag