Web
Shia Labeouf-off!
Do it
Just do it
Don’t let your dreams be dreams
Yesterday you said tomorrow
So just do it
Make your dreams come true
Just do it
Pick 1: http://web.chal.csaw.io:5487 http://web.chal.csaw.io:5488 http://web.chal.csaw.io:5489 http://web.chal.csaw.io:5490
First of all, great shout-outs to CSAW for publishing a Django challenge. Even if it wasn't a very hard one, it was fun to do.
Now to the challenge: we know Django debug mode is enabled, so let's try to generate some errors in the available pages to see if we can leak some source code. For example, if we give an id in the polls URL, we generate an exception:
If we scroll down a little bit and check those hidden tabs, we can find some leaked source code!
We have some nice custom-made template filter tags! In Django you can create custom tags and use them in templates. Here we have one function that lists the attributes of a Python object (listme) and one that gets attributes (getme).
Now we need to find a Server-Side Template Injection (SSTI) so we can use these useful filters. We can inject code with:
{% expressions %}
We can find one at http://web.chal.csaw.io:5490/ad-lib/ so let's try to see the contents of the debug variable:
Query
Results
Yep, it works! The global debug leaks a lot of variables, and the mrpoopy object is interesting! Let's check its attributes with the listme filter:
Query
Response
The flag must be in flag!! Now we need to get this attribute with the getme filter!
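Why this pair of filters is dangerous once templates can be influenced, shown as an added example that is not the challenge's source: the bodies of listme and getme are assumed from the description above (wrapping `dir()` and `getattr()`), and the `Contestant` class, `expose` decorator, `safe_*` functions and flag value are hypothetical, constructed for illustration. It contrasts the unrestricted filters with an allowlisted variant.

```python
# Added example. Filter bodies are ASSUMED from the write-up's description;
# in Django they would be registered with @register.filter on a template.Library.

def listme(value):
    """Assumed body: expose every attribute name of any context object."""
    return dir(value)

def getme(value, arg):
    """Assumed body: return any attribute by name, with no restriction."""
    return getattr(value, arg)

# Hardened variant: templates may read only attributes published per type.
EXPOSED = {}  # type -> frozenset of attribute names templates may read

def expose(*names):
    """Class decorator (hypothetical helper) that publishes attribute names."""
    def wrap(cls):
        EXPOSED[cls] = frozenset(names)
        return cls
    return wrap

def safe_listme(value):
    return sorted(EXPOSED.get(type(value), frozenset()))

def safe_getme(value, arg):
    if arg not in EXPOSED.get(type(value), frozenset()):
        return ""  # fail silently, as template filters are expected to
    return getattr(value, arg)

@expose("name")
class Contestant:  # hypothetical stand-in for an object in the template context
    def __init__(self):
        self.name = "mrpoopy"
        self.flag = "flag{constructed-placeholder}"  # constructed secret

def demo():
    obj = Contestant()
    return {
        "leaky_lists_flag": "flag" in listme(obj),
        "leaky_value": getme(obj, "flag"),
        "safe_names": safe_listme(obj),
        "safe_flag": safe_getme(obj, "flag"),
        "safe_dunder": safe_getme(obj, "__class__"),
        "safe_name": safe_getme(obj, "name"),
    }

if __name__ == "__main__":
    for key, val in demo().items():
        print(key, "=>", repr(val))
```

The allowlist addresses only the filters; the template injection itself is closed by passing user input to the template as context data instead of building template source from it, and by disabling debug mode in production.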