# Web Labs Intermediate

## SSTI

We land on this page:

![form](https://1679624655-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FEkk28J0B2BeDMuesRMr1%2Fuploads%2Fgit-blob-0411dd998e1792c007b725613a63a08012e44668%2F2023-06-18-10-54-10.png?alt=media)

* If we enter `{{` on its own, we get an exception

![Exception](https://1679624655-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FEkk28J0B2BeDMuesRMr1%2Fuploads%2Fgit-blob-c6abbaffa79d053f020fe1c0eeb59ff999700b31%2F2023-06-18-11-01-11.png?alt=media)

* Let's find out which template engine is in use with James Kettle's decision tree (see more details about this [here](https://csbygb.gitbook.io/pentips/web-pentesting/webvulns/template-injection))
* The probe `{{7*7}}` is evaluated

![evaluates](https://1679624655-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FEkk28J0B2BeDMuesRMr1%2Fuploads%2Fgit-blob-7c6936113421aff5162f617ea15f1f7f1dec6521%2F2023-06-18-11-03-50.png?alt=media)

However, `{{7*'7'}}` fails, which suggests that some characters (here the single quote) are filtered

![filter](https://1679624655-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FEkk28J0B2BeDMuesRMr1%2Fuploads%2Fgit-blob-712b91c93fff16f4909f7818a1020adbe5b859ef%2F2023-06-18-11-04-57.png?alt=media)

If we use double quotes instead, `{{7*"7"}}` works

![double quotes](https://1679624655-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FEkk28J0B2BeDMuesRMr1%2Fuploads%2Fgit-blob-4aa41dfa80f83a882f981d0d98006fa352f9ef2d%2F2023-06-18-11-08-12.png?alt=media)

According to the tree, the engine is either Jinja2 or Twig

Since a response header leaks the Python version, the engine should be Jinja2, which is Python-based (Twig is PHP)

![python version](https://1679624655-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FEkk28J0B2BeDMuesRMr1%2Fuploads%2Fgit-blob-43e2934dcb1153e1eafaae31c028351acbf29c3f%2F2023-06-18-12-27-04.png?alt=media)
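As a defender-side counterpart to the probing sequence above, here is an added example (not part of the original writeup) that scans access-log lines for the template-expression probes described on this page. It undoes URL-encoding, including double-encoding, before matching, so `%257B%257B` is still recognised as `{{`. The log format, parameter names and IP addresses are constructed for the example.

```python
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Delimiters of the engines in Kettle's decision tree: Jinja2/Twig "{{ }}",
# FreeMarker/Velocity "${ }", ERB/JSP "<%= %>", Smarty "{7*7}".
PROBE_DELIMS = [
    re.compile(r"\{\{.+?\}\}", re.S),
    re.compile(r"\$\{.+?\}", re.S),
    re.compile(r"<%=.+?%>", re.S),
    re.compile(r"\{\d+\*['\"]?\d+['\"]?\}"),
]
# The 7*7 / 7*'7' / 7*"7" arithmetic a tester sends to confirm evaluation.
ARITH = re.compile(r"\d+\s*\*\s*['\"]?\d+['\"]?")
# Request line inside a Combined Log Format access-log entry (assumed format).
LOG_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')

def fully_decode(value: str) -> str:
    """Undo repeated URL-encoding so a double-encoded %257B%257B still reads as {{."""
    prev = None
    while prev != value:
        prev, value = value, unquote(value)
    return value

def scan_log(lines):
    """Return (param, decoded_value, severity) for query parameters that look like
    SSTI probes; severity is 'high' when 7*7-style arithmetic is also present."""
    hits = []
    for line in lines:
        m = LOG_RE.search(line)
        if not m:
            continue
        query = urlsplit(m.group("target")).query
        for param, value in parse_qsl(query, keep_blank_values=True):
            decoded = fully_decode(value)  # parse_qsl decoded once already
            if any(p.search(decoded) for p in PROBE_DELIMS):
                severity = "high" if ARITH.search(decoded) else "medium"
                hits.append((param, decoded, severity))
    return hits

# Constructed sample log lines mirroring the probes used above (not real traffic).
SAMPLE_LOG = [
    '10.0.0.5 - - [18/Jun/2023:11:03:50 +0000] "GET /?name=%7B%7B7*7%7D%7D HTTP/1.1" 200 512',
    '10.0.0.5 - - [18/Jun/2023:11:04:57 +0000] "GET /?name=%7B%7B7*%277%27%7D%7D HTTP/1.1" 500 88',
    '10.0.0.7 - - [18/Jun/2023:11:05:10 +0000] "GET /?name=alice HTTP/1.1" 200 480',
    '10.0.0.9 - - [18/Jun/2023:12:38:07 +0000] "GET /?name=%257B%257Bconfig%257D%257D HTTP/1.1" 200 9001',
]
```

Form submissions like the one on this page travel in a POST body that a standard access log does not record, so the same check belongs in a WAF rule or request middleware to cover them.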

* Let's try to read the application's config object with `{{config}}`

![config](https://1679624655-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FEkk28J0B2BeDMuesRMr1%2Fuploads%2Fgit-blob-835c5e216cffce79b95b0364616603b3983254eb%2F2023-06-18-12-38-07.png?alt=media)

The config contains the flag, but it appears encoded. Decoding it as ASCII hex in Burp Suite gives the flag!

![decode](https://1679624655-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FEkk28J0B2BeDMuesRMr1%2Fuploads%2Fgit-blob-51b54c22268341e38f5faf097fc11fbed5b034bc%2F2023-06-18-12-42-21.png?alt=media)
