Welcome to the first write-up from the Angstrom CTF, in which we’re going to focus on web security.

• Category: Web
• Points: 120

### Solution

We’re presented with a website that generates Madlibs stories from user input. If you don’t know what Madlibs is, take a look here, but it isn’t needed in order to solve the challenge.

As you can see, together with the interface we get the source code of the application, which is written in Flask.

We can see the whole logic of the application, but is there something we can exploit? Let’s focus on the user input, and specifically the authorName variable, which stores our name and prints it in the comment.

Firstly, we can see that it’s limited to only 12 characters, which we can easily check.

With the author name 123456789abcd, which is 13 characters, only the first 12, 123456789abc, will be printed. That’s the first obstacle we have to keep in mind.

After that, the comment is created with this line of code.

First, we have to think about the render_template_string() function. A quick Google search will tell us that it’s used to render templates, which look just like this example. Further analysis of the code doesn’t provide any new or more useful information, so let’s stick with what we already have.

Part of the job of every person in IT is learning how to google efficiently in order to find information. That’s what I did this time: I googled flask template vulnerability, and look what we have in this link, which showed up as the first result in the search engine.

In addition we get a very interesting whitepaper, which I advise everyone to read. But back to the challenge. In short, we’re able to inject Python code into the template, which will then be executed. A simple test is to put {{7 * 7}} in the author name input.

Great, it works! But how do we get the secret that is stored in app.secret_key = open("flag.txt").read()? As that name is too long to fit in the 12-character limit, we’ll have to find a workaround. Luckily, there’s a config object that stores the configuration of our application, and Flask makes it available inside every template. Let’s take a look at it with {{config}}. And ladies and gentlemen, here we have the config.
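To make the root cause concrete, here is an added example (my own code, not the challenge’s source) that reproduces the vulnerable pattern beside its hardened form. It assumes Jinja2 is installed, since Flask’s render_template_string() is a thin wrapper over a Jinja2 environment; the 12-character limit, the comment format, and the secret value are constructed stand-ins.

```python
# Added example: the SSTI pattern from the write-up, vulnerable and hardened.
# Assumes Jinja2 (Flask's template engine) is installed. APP_CONFIG is a
# constructed stand-in for Flask's app.config, which Flask injects into every
# template context as `config`.
from jinja2 import Environment
from jinja2.sandbox import SandboxedEnvironment

MAX_NAME = 12  # the truncation the write-up observes on authorName

# constructed placeholder; in the challenge this is open("flag.txt").read()
APP_CONFIG = {"SECRET_KEY": "actf{constructed_placeholder}"}


def render_comment_unsafe(author_name: str) -> str:
    """Vulnerable: the user's name is concatenated into the template SOURCE,
    so Jinja2 parses and evaluates any {{ ... }} it contains.
    A 10-char payload such as {{config}} survives the 12-char truncation."""
    name = author_name[:MAX_NAME]
    template_src = "<!-- Story by " + name + " -->"
    return Environment().from_string(template_src).render(config=APP_CONFIG)


def render_comment_safe(author_name: str) -> str:
    """Hardened: the template source is a constant; the name is passed as a
    context VARIABLE, so it is printed verbatim (and HTML-escaped), never
    parsed. The sandboxed environment adds defence in depth."""
    name = author_name[:MAX_NAME]
    env = SandboxedEnvironment(autoescape=True)
    template = env.from_string("<!-- Story by {{ name }} -->")
    return template.render(name=name, config=APP_CONFIG)


def looks_like_template_injection(author_name: str) -> bool:
    """Detection heuristic for request logs or input validation: flag any
    name carrying Jinja2 delimiters. Coarse by design; it complements,
    not replaces, the fix in render_comment_safe()."""
    return any(tok in author_name for tok in ("{{", "{%", "{#"))


if __name__ == "__main__":
    for probe in ("123456789abcd", "{{7*7}}", "{{config}}"):
        print("unsafe:", render_comment_unsafe(probe))
        print("safe:  ", render_comment_safe(probe))
        print("flag?  ", looks_like_template_injection(probe))
```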

Spot the flag and here you go.

Keep learning and stay safe! ~ W3ndige