rootđź’€senseicat:~#
Hack. Eat. Sleep. Repeat!!!
Project maintained by SENSEiXENUS Hosted on GitHub Pages — Theme by mattgraham
CTF-: PwnMe2025
Challenges
- Web
- Profile-Editor
Profile Editor
- Vulnerable source code-:
@app.route('/profile', methods=['GET', 'POST'])
def profile():
if not session.get('username'):
return redirect('/login')
profiles_file = 'profile/' + session.get('username')
profiles_file = profiles_file if profiles_file.endswith('.html') else profiles_file + '.html'
if commonpath((app.root_path, abspath(profiles_file))) != app.root_path:
return render_template('error.html', msg='Error processing profile file!', return_to='/profile')
if request.method == 'POST':
with open(profiles_file, 'w') as f:
f.write(request.form.get('profile'))
return redirect('/profile')
profile=''
if exists(profiles_file):
with open(profiles_file, 'r') as f:
profile = f.read()
return render_template('profile.html', username=session.get('username'), profile=profile)
@app.route('/show_profile', methods=['GET', 'POST'])
def show_profile():
if not session.get('username'):
return redirect('/login')
profiles_file = 'profile/' + session.get('username')
if commonpath((app.root_path, abspath(profiles_file))) != app.root_path:
return render_template('error.html', msg='Error processing profile file!', return_to='/profile')
profile = ''
if exists(profiles_file):
with open(profiles_file, 'r') as f:
profile = f.read()
return render_template('show_profile.html', username=session.get('username'), profile=profile)
Explanation-:
- The chain for exploitation is
Arbitrary file write and read to Remote Code Execution.The code picks the username and use it to create an html file which we can see as ajinja template.The username query is not filtered which allows us to control the path and rewrite other files e.g templates in thetemplatesdirectory.The mode of exploitation revoles around “controlling the path to one of the templates with the username e.g../templates/error.htmlwhich will be read,later we can inject the template with code likeconfig.__init.\_\_globals\_\_.os.popen('ls').read().
profiles_file = 'profile/' + session.get('username')
profiles_file = profiles_file if profiles_file.endswith('.html') else profiles_file + '.html'
if commonpath((app.root_path, abspath(profiles_file))) != app.root_path:
return render_template('error.html', msg='Error processing profile file!', return_to='/profile')
if request.method == 'POST':
with open(profiles_file, 'w') as f:
f.write(request.form.get('profile'))
return redirect('/profile')
profile=''
if exists(profiles_file):
with open(profiles_file, 'r') as f:
profile = f.read()
- This vulnerable can only be exploited if the templates get reloaded which is set to
Trueas seen in the code.
app.config['TEMPLATES_AUTO_RELOAD'] = True
Exploiting it
- Create an account with username
../templates/error.html
- We have write access to the file,I update the template with the code shown in the image.
- In order to get the flag,we need to find a way to trigger
error.html.I was able to trigger it by registering an already registered user.Code-:
@app.route('/register', methods=['GET', 'POST'])
def register():
if request.method == 'POST':
username = request.form.get('username')
if username in users:
return render_template('error.html', msg='Username already taken!', return_to='/register') ### Template gets triggered here
- Flag-:
PWNME{afb7daa3a595522882f6a9efae30c4ec}