SUSCTF 2022 - web/HTML practice

[aszx87410]

After playing around for a while, we found that some characters are blocked, including: $*_+[]"'/%

Also, we found that % will make server returns internal server error, and ## works like comment.

It looks like a SSTI challenge, so we need to find what is the template behind it. In order to get more information, I try to randomly send invalid to the server, like this: POST generate HTTP/1.1, and luckily server responds with:

HTTP/1.1 400 Bad Request
Content-Length: 133
Content-Type: text/plain

Invalid path in Request-URI: request-target must contain origin-form which starts with absolute-path (URI starting with a slash "/").

I searched for this text, found this https://github.com/cherrypy/cheroot/blob/master/cheroot/server.py#L900 and then this python web framework: CherryPy.

After looked at the docs, this part gets my attention:

CherryPy does not provide any HTML template but its architecture makes it easy to integrate one. Popular ones are Mako or Jinja2.

I checked Mako and it uses <% %> and ## as comment, my teammate use this loop to confirm it's Mako:

% for a in (1,2,3):
    1
% endfor

The SSTI payload we found on the internet are all about <% %> and ${}, but %> and $ are both blocked, what should we do?

The answer might be simple but took us some times to discover:

% for a in (self.module.cache.util.os.system(name),2,3):
    1
% endfor

% block can also run python code, and we can leverage os.system and name parameters to run command.

At first, I tried to send a request to my server but failed. Suddenly, I remembered that in the home page it said the template is stored at ./templates, so I created a file and tried to read it, success!

In the end, we used this payload cat /flag > ./template/huli.html and read the file from http://124.71.178.252/view/huli.html