Web Labs Intermediate

SSTI

We end up on this page

form

• If we enter {{ we get an exception

Exception

• Let's find out which template it uses using James Kettle tree (see more details about this here)
• This one {{7*7}} evaluates

evaluates

However this {{7*'7'}} seems to reveal that some char are filtered

filter

If we use double quotes instead it works {{7*"7"}}

double quotes

According to the tree it can be Jinja2 or Twig

As we have a header leaking the Python version, the template should be Jinja2 as it is based on python

python version

• let's try to find the config {{config}}

config

We get the flag here but it seems encoded. If we use burpsuite and decode it as ASCII hex, we get the flag!

decode