Server Side Template Injection


Hanto Dojo.

A collection of challenges about server side template injection, using Flask servers and Jinja2 templates.


I decided to make an online calculator, using the power of Flask!

Due to lingering trauma from the Python jails, I will no longer be using eval.

I heard somewhere that I can safely evaluate short expressions by rendering a template?

Of course, I will continue to share the length of the flag throughout our adventures!

Connect with SSH

Link your SSH key, then connect with: ssh hacker@pwn.college

Lesson learned: context is dangerous!

Anyway, I am not a big fan of randomness.

I'll just set the secret key to the flag instead of random bytes.

Secret keys are secret, right?


Well, that was a mistake. Back to os.urandom!

On another note, I decided to create a login system to secure the flag more safely.

Passwords are so long these days though, so I'll just check the first few characters.

Last time I checked, Flask cookies are encrypted by default.


More lessons learned: keep cookies as slim as possible, and don't be lazy when checking passwords.

This time, I will show you your password once you're logged in.

Common sense says that you can't log in as admin if you don't know the admin password. Do you agree?


No more users. Back to basics. Now supporting longer expressions!


Integers only.


In this house, we prefer parentheses over square brackets. Also, death to underscores!


My faith in template rendering to safely evaluate expressions has been forever shattered.

I'll just do it myself then. Back to eval I go!


This calculator is powered by coffee.
