
Want to run this Docker container locally?

docker run -d -p 9004:5000 --name flag_j --restart always joshbeck2024/ctf-flask-ssti-flag-j

IP Address: 172.25.200.200

Port: 9004

Python ‘Flask’ web servers are widely deployed and often contain SSTI (Server Side Template Injection) vulnerabilities, which arise when user input ends up inside the template source itself instead of being passed to the template as data. Solving this challenge is one thing, but I think building a working Flask website at least once is a good thing to do.

If you are interested, here is a good tutorial. (Click Here)

The Flask framework is designed to integrate HTML and Python: its templates are HTML with embedded Jinja2 expressions, which Flask evaluates on each request to provide interactive content.

The key concept here is that when a user requests a webpage, the web server renders the HTML dynamically from a template rather than serving a static .html file. A search for ‘Flask Website Example Github’ will turn up lots of examples. Here’s a simple one:

[Screenshot: an example Flask template containing {{ note.data }}]

As you can see above, {{ note.data }} is a Jinja2 expression, not literal text. When the template is rendered it is replaced with the value of note.data, which here comes from the database, if all goes well.

The trick here is that Flask sites sometimes let user-supplied text reach the template engine as part of the template source, for example by concatenating a request parameter into a string that is then handed to render_template_string(). If Jinja2 finds our {{ }} inside that source, it treats it as an expression block and evaluates whatever we place between the curly braces.

If you are on a bug bounty hunt and suspect you are dealing with a Flask site, an easy test to perform early is this: enter {{ 7 * 7 }} into fields you think Flask might handle. (This is a simple math expression.) If the response contains 49 instead of the literal {{ 7 * 7 }}, the template engine evaluated our input and we have a point of entry. If the braces come back verbatim, the field is merely reflected, not evaluated, and this is not SSTI.
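Here is an added example (it is not code from the original write-up or from the challenge container) that shows both halves of the above: a handler that splices user input into the template source next to one that passes it as a context variable, and the {{ 7 * 7 }} check applied to each response. It uses jinja2 directly rather than a running Flask app, which is an assumption made to keep it self-contained: Flask's render_template_string() compiles its argument with the app's Jinja2 Environment, so the results are the same. The function names, the probe table and the sample response bodies are constructed for this example.

```python
"""Vulnerable vs. safe Jinja2 rendering, plus the {{ 7*7 }} probe.

Added example, not code from the original write-up. It uses jinja2
directly: Flask's render_template_string() hands its argument to the
app's Jinja2 Environment, so the behaviour shown here is the same.
"""
import html

from jinja2 import Environment

# Autoescaping is on, as Flask enables it for .html templates. Note that
# autoescaping does NOT prevent SSTI: it escapes the *output* of an
# expression, not the expression itself.
env = Environment(autoescape=True)


def greet_vulnerable(name: str) -> str:
    """User input is concatenated into the template SOURCE.

    Flask equivalent (hypothetical handler):
        render_template_string("<h1>Hello " + request.args["name"] + "</h1>")
    Anything the user places between {{ }} becomes a Jinja2 expression
    and is evaluated by the engine.
    """
    template_source = "<h1>Hello " + name + "</h1>"
    return env.from_string(template_source).render()


def greet_safe(name: str) -> str:
    """User input is passed as a CONTEXT VARIABLE to a fixed template.

    Flask equivalent (hypothetical handler):
        render_template_string("<h1>Hello {{ name }}</h1>",
                               name=request.args["name"])
    The template source never changes, so the user's text is only data:
    {{ 7*7 }} comes back literally, and HTML metacharacters are escaped.
    """
    template_source = "<h1>Hello {{ name }}</h1>"
    return env.from_string(template_source).render(name=name)


# Probe -> value a Jinja2 engine produces if it evaluates the probe.
# The second probe relies on Python semantics (7 * '7' == '7777777');
# an engine such as Twig would answer 49, so it also fingerprints Jinja2
# and avoids a false positive from a page that merely happens to contain 49.
PROBES = {
    "{{ 7*7 }}": "49",
    "{{ 7*'7' }}": "7777777",
}


def classify_probe_response(body: str, probe: str, expected: str) -> str:
    """Classify how the page handled a probe.

    'reflected' - the probe came back verbatim (possibly HTML-escaped):
                  input is echoed but not evaluated, so not SSTI.
    'evaluated' - the expected result appears instead: the engine ran
                  our expression and we have an injection point.
    'absent'    - neither: the field is not reflected at all.
    """
    # A safe template escapes the quote in 7*'7' to &#39;, so compare
    # against the unescaped body or a reflected probe looks "absent".
    body = html.unescape(body)
    if probe in body:
        return "reflected"
    if expected in body:
        return "evaluated"
    return "absent"


def run_probes(handler) -> dict:
    """Feed every probe to a handler and classify each response."""
    return {
        probe: classify_probe_response(handler(probe), probe, expected)
        for probe, expected in PROBES.items()
    }


if __name__ == "__main__":
    for label, handler in (("vulnerable", greet_vulnerable),
                           ("safe", greet_safe)):
        print(label)
        for probe, verdict in run_probes(handler).items():
            print(f"  {probe!r:16} -> {verdict:10} {handler(probe)}")
```

Against a live target, the same classify_probe_response() is applied to the HTTP response body after submitting each probe in the suspect field; the reflected verdict is the one that most often misleads people, since the braces coming back intact looks like "it accepted my input" but means the engine never saw them as code.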

Let’s do that:

<http://172.25.200.200:9004>

[Screenshot: submitting {{ 7 * 7 }} into the form at the URL above]

This will return: