Web Exploitation 350: Flaskcards
Challenge
We found this fishy website for flashcards that we think may be sending secrets. Could you take a look?
Solution
The site lets us create flashcards with answers.
After some googling, we find out this might be vulnerable to SSTI (server-side template injection) attacks. We verify this by entering `{{7*'7'}}` as a card’s question or answer field, and indeed it outputs `7777777`.
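Why the probe gets evaluated, and the fix, as an added example (not code from the challenge or from this writeup): it assumes the card text was concatenated into the Jinja2 template source, which the page does not show, and all function names are hypothetical.

```python
from jinja2 import Environment

# Jinja2 is the template engine Flask uses; autoescape is on as in Flask HTML templates.
env = Environment(autoescape=True)

PROBE = "{{7*'7'}}"     # the probe from the writeup
EVALUATED = "7777777"   # what appears if Jinja2 executes the probe


def render_card_vulnerable(question: str) -> str:
    """Assumed bug: user input becomes part of the template SOURCE,
    so Jinja2 parses and executes any expression inside it."""
    return env.from_string("<p>Question: " + question + "</p>").render()


def render_card_safe(question: str) -> str:
    """Fix: the template source is constant; user input is passed only
    as DATA through the render context and is HTML-escaped on output."""
    return env.from_string("<p>Question: {{ question }}</p>").render(question=question)


def evaluates_user_input(render) -> bool:
    """Regression check for a test suite: True if the given render
    function executes the probe instead of echoing it back."""
    return EVALUATED in render(PROBE)


if __name__ == "__main__":
    for fn in (render_card_vulnerable, render_card_safe):
        print(fn.__name__, "->", fn(PROBE),
              "| evaluates input:", evaluates_user_input(fn))
```

In a Flask view the same rule applies to `render_template_string`: keep the template string constant and pass user-supplied values as keyword arguments.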
Next we try something more interesting and enter ``:
which gets us the flag:
Flag
picoCTF{secret_keys_to_the_kingdom_e8a55760}