
TFC CTF 2023 - MCTREE

Description

  • Category: Web
  • Difficulty: MEDIUM
  • Points: 500270

Trees are cool. This literally has nothing to do with the challenge. I just like trees. It’s 2 AM and I’m tired. I’m going to bed. Goodnight.

The master of the trees shall login and win.

Resolution

We go to the website, where we can register or log in:

Page

We create an account:

Registration

And we log in:

Login

We are redirected to /flag and we can see that we are not allowed to see the flag:

Fail

We tried to create an account with username admin to access the page but it already exists.

There is an interesting piece of information in the response headers:

HTTP/1.1 200 OK
Server: Werkzeug/2.3.6 Python/3.8.17
Date: Sat, 29 Jul 2023 21:43:33 GMT
Content-Type: text/html; charset=utf-8
Content-Length: 205
Vary: Cookie
Connection: close

The Server header (Werkzeug/2.3.6 Python/3.8.17) suggests that the web framework may be Flask. We can try SSTI (Server Side Template Injection) [1], since Flask uses Jinja for rendering templates.

We tried to create a user with the username {{7*7}} to see how the server would interpret it. It seems that the server removes the curly braces, and we registered as {{7*7}}:

Testing

We can exploit this behavior to create an admin account by using the username {{admin}}:

Exploiting

Now we log in as the admin, but using our own password:

Flag

And we get the flag: TFCCTF{I_l1k3_dr4g0n_tr33s__Yuh!_1ts_my_f4v0r1t3_tr33_f0r_sur3!}
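The behaviour above is consistent with a registration handler that checks uniqueness on the raw username but stores the sanitized one. The sketch below is an added example, not the challenge's source (which this post does not show); the brace-stripping filter, the function names and the in-memory user store are assumptions, shown next to a hardened variant.

```python
import re

# Assumed filter: the server appears to strip template delimiters from usernames.
BRACES = re.compile(r"[{}]")

def register_vulnerable(users, username, password):
    """Check uniqueness on the raw name, then store under the sanitized name."""
    if username in users:                       # "{{admin}}" is not in the store
        return False
    users[BRACES.sub("", username)] = password  # ...but it is stored as "admin"
    return True

def register_hardened(users, username, password):
    """Reject names outside an allowlist instead of rewriting them."""
    if not re.fullmatch(r"[A-Za-z0-9_.-]{3,32}", username):
        return False
    if username in users:                       # checked on the exact stored key
        return False
    users[username] = password
    return True

def demo():
    # Constructed sample data; plaintext passwords only to keep the sketch short.
    weak = {"admin": "original-secret"}
    strong = {"admin": "original-secret"}
    results = {
        "weak_direct": register_vulnerable(weak, "admin", "mine"),
        "weak_braced": register_vulnerable(weak, "{{admin}}", "mine"),
        "strong_braced": register_hardened(strong, "{{admin}}", "mine"),
    }
    results["weak_admin_pw"] = weak["admin"]
    results["strong_admin_pw"] = strong["admin"]
    return results

if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The fix is to validate or normalize the username before the uniqueness check, so the value that is checked is the value that is stored.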

Additional resources

This post is licensed under CC BY 4.0 by the author.