What's up, everybody? My name is John Hammond, and welcome back to some more picoCTF 2018. This challenge is called Flaskcards. It's worth 350 points in the Web Exploitation category, and it is the first in a series of CTF challenges that are kind of my favorite, especially from this picoCTF game, because I think this is a really cool, I guess, attack and technique on some kind of software and technology that I really like and really love, because this is Flask in Python. I've got a video series on some of it, although it's not that good, admittedly. It's nowhere near what it should be, it's nowhere near done, but I digress.

The challenge prompt here says that we found this fishy website for Flaskcards that we think may be sending some secrets. Can you take a look? So let's open up this website in a new tab here for us as soon as it loads. Cool. All right, so it looks like we are given a simple welcome page. Home in the navigation, and just Register and Login. It wants us to log in, but we don't have an account yet, so I suppose we're going to have to register. Slow connections again. Don't know what that's doing for. So let's create a username. "Please subscribe." Password can be anything. Okay. Wow, that's rude. "Please sub." Nope. "Scriby." That's what I wanted. Those are all my other testing accounts that I've been trying to do here. "Please subscribe." Cool.

All right, so now that we're logged in, the navigation has changed. We have Home still, still nothing though, just kind of a dashboard here. The Admin page seems to not really do anything. It just tells us, "You are not an admin." All right, let's move on. "Please subscribe." Nothing in the actual specific user account page. So let's go ahead and try and create a card. It looks like that is the only function that we have right here, and then we can probably list cards following that. So we're given a question. Okay. "Will you please subscribe?" Answer: "no." Let's be realistic here, right? So check out List Cards.
It looks like that will let us view them, or everything that we've created. It says Question: "Will you please subscribe?" Answer: it looks like there's nothing there. Okay, peculiar. If you wanted to at this point, you could take a look at the hints. And if you don't entirely know what the reference is and what this challenge is getting at with the name here, maybe that's a good idea. The hints say: Are there any common vulnerabilities with the backend of the website? Is there anywhere that filtering doesn't get applied? The database gets reset every two hours, so your session might end unexpectedly. Okay, whatever. That one doesn't matter.

What we're going to be concerning ourselves with is the backend technology, right? And we can assume that, okay, this is Flask. This is Python's little micro framework for developing web applications. It's Flask and Python. And if you haven't seen this before, it's super cool. It's awesome. I love it a lot. Their latest version, like 1.0, is now a thing. And it's kind of more than what I'm used to, because I was used to the, like, sub-1.0 version. And then I got to review. But all right, Flask. We want to know if there are any vulnerabilities for this thing now, right? So let's just simply Google "Flask vulnerabilities." The first article, or first result, is "Injecting Flask," an nVisium blog post. So let's open that up. It says we're going to discuss some of the security features available in, and potential issues with, Flask with respect to server-side template injection. Okay, cross-site scripting in HTML applications, a subset of XSS, HTML attributes. Sorry, the Discord notification popped up, and then I was like, whoa, totally distracted. All right, got that removed.

So let's talk about injection, right? Let's talk about the server-side template injection, because that's a big vulnerability. For presentation, Flask takes advantage of the Jinja2 engine and that templating engine. If you haven't seen it before, again, really neat thing.
It uses some logic stuff with curly braces and percent signs, or just displays variables with two curly braces, again, beginning and ending. So we can take advantage of that if we are in a vulnerable system or vulnerable service, right? And they go through some examples here with a little bit more confusing code than what it really needs to be, I think. But what they're trying to do is render a template as a string, and that string is using some input or a variable that's being formatted into it that isn't particularly being sanitized. So normally you would simply use render_template, and that's kind of a smarter way to give it an HTML file or something. But if you use simply a render_template_string and then have unsanitized input into it, then maybe we can take advantage of stuff. So it looks like they're actually trying it out with a variable here, person.secret. It looks like they're trying to do some local file inclusion with a get_user_file function call. We don't know any of these variables, though. We don't know if it's maybe a card or a card thing. So maybe there are some other kind of globals or kind of configuration variables that we could be able to take advantage of.

Let's say "SSTI" to kind of narrow our scope, or "server-side template injection." Okay, so PortSwigger has a cool, excuse me, a very, very interesting article on this that actually should cover the actual vulnerability that we're going to see here. But again, we could test this, right, if we tried our own multiplication here. Let's try and use the example payload that they're using, which is trying to multiply numbers. If I were to create a card with the question 7 times 7, all inside those curly braces here, and I'll post that as an answer, we can list cards, and that should be evaluated now, to 49. Okay, great. So it looks like we have proved, and we've taken advantage of, that SSTI or server-side template injection. We know that that's happening. Now, what can we leak out of here?
What interesting things can we do? Well, we can get variables, right? I want to see if they actually showcase what we're going to go for in this. And it doesn't look like there's a quick and easy pointer to it. So that's fine. We'll just change our query and search again: "Flask SSTI cheat sheet." Okay, cool. It looks like this covers a little bit in regards to the TokyoWesterns CTF. It explains just kind of the bare-bones basics of this vulnerability exploit. Again, it's just abusing Jinja, the templating engine, and Flask taking advantage of how it would render variables, and trying to determine whether or not we will actually see our input as evaluated Python code. So you can actually take advantage of this in a much more dangerous way, taking advantage of the MRO and looking at other objects in Python. And we'll do that in one of the later challenges. But for this one, it's actually pretty simple.

All we need to take a look at are the context and global variables, like I was referring to earlier, just checking out configuration stuff, the current request object, session object, et cetera. So config should be what we're looking for. If we actually take advantage of that, that is just a global or something you can work with in Flask. And that actually keeps track of your secret key, which is a variable that should be kept secret, right? Or really kind of protected, because that's how cookies are going to be generated or sessions are going to be protected. So that secret key is very, very important to safeguard. But we can leak it out, right? Now that we're actually seeing that entire config object, all of those variables and properties are being returned back at us. And if you kind of look through this, you can see, oh, hey, there's the secret key, and it's set to pico-ctf, secret keys to the kingdom, and a specific hash for our user account. So that's that. That is how we can go ahead and get the flag in this.
And it's taking advantage of this Flask server-side template injection vulnerability. So very, very cool. Hope you guys enjoyed this one. I think, honestly, that's one of my favorite things. And whenever you see a Flask application as part of a CTF challenge, that should be one of the first things you go to. One of the first things you should try is just those curly braces, curly braces, see if you can get some math working, see if you can leak out the config variables or anything else that might be privy to that application.

Thank you guys so much for watching. Before I go, I want to give a quick shout out to the people that support me on Patreon. Thank you guys again and again and again. I don't know how many videos I have now of just me saying the same nonsense stuff. But it's never enough. Just thank you for everything that you're willing to do. Your support and generosity and donations are so heartwarming to me, and it's surreal in my eyes. A stupid kid, right? Just a little, like, out-of-college idiot can be putting this crap on the internet, and you people are grateful for it. So thank you. I'm grateful for you. One dollar a month on Patreon will just give you a special shout out, just like this, at the end of every month. I know it's not a whole lot, but maybe it's that warm fuzzy feeling that, hey, I'm helping out a dude, a little good Samaritan, feel-good, like, warm fuzzies. Maybe that's nice, and thank you. Thank you for your generation. Thank you for your donation generosity. Generous donation, also known as "generation" when I slur my words. Five dollars a month or more on Patreon will give you early access to everything that I release on YouTube before it goes live. Because I like to try and backlog some of my video recording and get a lot prepared, released over time, right? If I have, like, five videos, maybe that'll take five days to release, one a day, because I'll have YouTube schedule the releases and uploads.
If you want the content right when it's ready, right when I have it recorded, I share it in a Google Drive that you can have access to for five dollars a month. And I am so grateful for your support and donation. If you did like this video, please do like, comment and subscribe. Join our Discord server, link in the description. It is an awesome community full of CTF players, programmers and hackers. Super duper shout out. Hang on to Sinister Matrix, Cave Venom 1 and Void Update. You guys have stepped up to the role of being moderators, and I am incredibly thankful for that. I've been owing you a shout out and some love for way too long. I don't know how long ago now it's been that you guys kind of stepped into that role, but it takes the weight off my shoulders so much, like exponentially so. Because I don't always have the time during the day, and I'm just really grateful that you guys are helping police and, I don't know, just represent, you know? R-E-P, rep, stuff. I gotta end this video. I'm talking too long. Thank you guys for watching. I love you. Hope to see you in the next video. Take it easy.
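The following is an added example and is not code from the video or from the picoCTF challenge server. It reproduces the bug class the walkthrough exploits, Jinja2 server-side template injection through Flask's render_template_string, with the card text spliced into the template source, and puts the fixed version (user text passed only as a context variable) next to it. It also wraps the two checks used in the video, the {{7*7}} probe and the {{config}} secret-key leak, as functions. The route names, the SECRET_KEY value and the in-memory card store are all assumptions constructed here for illustration.

```python
"""
Added example (not the challenge's own code): minimal Flask app showing
Jinja2 SSTI via render_template_string, next to the hardened version.

Assumptions: route names, the SECRET_KEY value and the CARDS store are
constructed for illustration and are not taken from the real challenge.
"""
from flask import Flask, render_template_string, request

app = Flask(__name__)
# Constructed placeholder. In Flask, app.config is exposed to every
# template as the `config` global, which is what an SSTI leaks.
app.config["SECRET_KEY"] = "example-secret-key-do-not-use"

# Constructed in-memory "database": list of (question, answer) tuples.
CARDS = []


@app.route("/create_card", methods=["POST"])
def create_card():
    CARDS.append((request.form["question"], request.form["answer"]))
    return "ok"


@app.route("/list_cards_vulnerable")
def list_cards_vulnerable():
    # BUG: user text becomes part of the *template source*, so Jinja2
    # evaluates any {{ ... }} or {% ... %} a user put inside a card.
    page = "".join(f"<p>Question: {q} Answer: {a}</p>" for q, a in CARDS)
    return render_template_string(page)


@app.route("/list_cards_fixed")
def list_cards_fixed():
    # FIX: the template source is a constant; user text enters only as
    # context data, which Jinja2 HTML-escapes and never evaluates.
    template = (
        "{% for q, a in cards %}"
        "<p>Question: {{ q }} Answer: {{ a }}</p>"
        "{% endfor %}"
    )
    return render_template_string(template, cards=CARDS)


def render_card(question, answer, fixed=False):
    """Store one card and return the List Cards page body as text."""
    CARDS.clear()
    client = app.test_client()
    client.post("/create_card", data={"question": question, "answer": answer})
    path = "/list_cards_fixed" if fixed else "/list_cards_vulnerable"
    return client.get(path).get_data(as_text=True)


def ssti_probe(fixed=False):
    """The {{7*7}} check from the video: input is being evaluated as a
    template if the page comes back containing 49."""
    return "49" in render_card("{{7*7}}", "", fixed=fixed)


def leak_secret_key():
    """Once SSTI is confirmed, read app.config through the `config`
    global (the video dumps the whole {{config}} object; this reads
    just the key)."""
    body = render_card("{{ config['SECRET_KEY'] }}", "", fixed=False)
    return app.config["SECRET_KEY"] in body


if __name__ == "__main__":
    print("vulnerable route evaluates {{7*7}}:", ssti_probe(fixed=False))
    print("fixed route evaluates {{7*7}}:     ", ssti_probe(fixed=True))
    print("vulnerable route leaks SECRET_KEY: ", leak_secret_key())
```

The difference between the two routes is the only thing that matters: the fixed route never lets user data reach the template parser. Passing the cards in as a context variable is the same thing render_template does for you when you give it a file, which is why the video calls that the smarter way. Autoescaping also applies here, since Flask enables it for render_template_string, so the fixed route would neutralise a script tag in a card as well, but escaping is a side benefit; the SSTI is closed by keeping user input out of the template source.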