Injection
Giving it any input sends us to a page that says
Oops! Page login doesn't exist :(
Testing the URL path, I noticed that the page name is reflected back in the response:
/<u>memes</u>
Using the title of the challenge as a hint, I tried Server Side Template Injection in the path:
/
Kicks back
Oops! Page 49 doesn't exist :(
The arithmetic in the path was evaluated instead of being treated as a page name, so the input is reaching a template engine.
Going through the usual detection payloads, I landed on `` which kicked back 7777777. That is Python string repetition (a number multiplied by a string) rather than arithmetic, which confirms that the engine is Jinja2 and not, for example, Twig.
Reading: https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/Server%20Side%20Template%20Injection
Using this payload
grants us RCE. (`${IFS}` is the shell's internal field separator; unquoted, it expands to whitespace and is subject to word splitting, so `cat${IFS}file` runs as `cat file` without a literal space in the request.)
Sending the request in Burp Suite, we can see the contents of the current directory.
Inside the lib/ directory there is an odd script, security.py.
Catting it out with `.popen('cat${IFS}lib/security.py')` returns its source.
Let's clean it up (the function name is assumed; the recovered fragment shows only the body):

```python
import base64


def check_password(password):
    valid_password = 'QfsFjdz81cx8Fd1Bnbx8lczMXdfxGb0snZ0NGZ'
    # encode -> reverse -> strip the '=' padding, which sits at the front after reversal
    return base64.b64encode(password.encode('ascii')).decode('ascii')[::-1].lstrip('=') == valid_password
```
Basically it takes the submitted password, base64-encodes it, reverses the result and strips the padding (the '=' characters, which end up at the front after the reversal) before comparing it with valid_password.
Knowing that, we can reverse valid_password, add the padding back as needed ('=' until the length is a multiple of 4) and base64-decode it to get a "valid password".
This is the quick script I used:

```python
import base64

# Prepending '==' and then reversing is the same as reversing and then appending
# the two '=' that lstrip removed: 38 characters become 40, a multiple of 4
print(base64.b64decode('==QfsFjdz81cx8Fd1Bnbx8lczMXdfxGb0snZ0NGZ'[::-1]))
```
Oh, it’s the flag!
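As an added example (not the writeup's own script), here is the recovered check next to a general inverse of it. The inverse computes the padding from the length instead of hard-coding '==', so it works for any stored value produced by this encode/reverse/strip scheme, not only the one in the challenge, and the result is fed back through the check to prove it is accepted. The names `check_password` and `recover_password` are assumed; the page shows only the body of the check.

```python
import base64

# Stored value recovered from lib/security.py in the writeup
VALID_PASSWORD = 'QfsFjdz81cx8Fd1Bnbx8lczMXdfxGb0snZ0NGZ'


def check_password(password: str) -> bool:
    """The check as recovered from the challenge (function name assumed)."""
    encoded = base64.b64encode(password.encode('ascii')).decode('ascii')
    # After reversal the '=' padding is at the front, hence lstrip
    return encoded[::-1].lstrip('=') == VALID_PASSWORD


def recover_password(stored: str) -> str:
    """Invert the check: un-reverse, restore the padding, base64-decode.

    Stripping '=' loses at most two characters, so the padding to restore is
    whatever brings the length back up to a multiple of 4. A length that is
    1 mod 4 cannot be valid base64, and validate=True makes b64decode reject
    it rather than silently decoding garbage.
    """
    b64 = stored[::-1]
    b64 += '=' * (-len(b64) % 4)
    return base64.b64decode(b64, validate=True).decode('ascii')


if __name__ == '__main__':
    recovered = recover_password(VALID_PASSWORD)
    print(recovered)
    print('accepted by check_password:', check_password(recovered))
```

The transformation is a bijection on ASCII strings, so there is exactly one input the check accepts and the stored value is that input, only lightly obfuscated; a reversed base64 string is not a password hash.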