Templated
We are given a website built with Flask:
If we try a random route, it is reflected in the HTML document:
So, it might be vulnerable to Server-Side Template Injection (SSTI). Let’s try with {{7*7}}:
And indeed it is vulnerable, because we see 49. Now, we can go to PayloadsAllTheThings and use another SSTI payload to obtain Remote Code Execution (RCE) on the server:
And finally, we get the flag (HTB{t3mpl4t3s_4r3_m0r3_p0w3rfu1_th4n_u_th1nk!}):
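The cause of the reflected 49 and its fix, as an added example that is not the challenge's source code: it assumes the error handler concatenates the request path into the template source, and the function names and page text are hypothetical. It calls Jinja2 (the template engine Flask uses) directly so it runs without a web server.

```python
from jinja2 import Environment

# autoescape=True matches what Flask enables for HTML templates.
env = Environment(autoescape=True)


def not_found_vulnerable(path: str) -> str:
    # Assumed bug: the request path becomes part of the template *source*,
    # so Jinja2 evaluates any {{ ... }} expression it contains.
    source = "<p>The page '" + path + "' could not be found</p>"
    return env.from_string(source).render()


# Hardened form: the template source is a constant and the path is only
# ever a value handed to render(), where it is escaped and never parsed.
NOT_FOUND = env.from_string("<p>The page '{{ path }}' could not be found</p>")


def not_found_fixed(path: str) -> str:
    return NOT_FOUND.render(path=path)


def evaluates_template_syntax(render) -> bool:
    # Regression check for a test suite: a handler is injectable if the
    # arithmetic probe from the write-up comes back computed, not verbatim.
    out = render("{{7*7}}")
    return "49" in out and "7*7" not in out


if __name__ == "__main__":
    for handler in (not_found_vulnerable, not_found_fixed):
        print(handler.__name__, "->", handler("{{7*7}}"),
              "| injectable:", evaluates_template_syntax(handler))
```

In a Flask application the same rule applies to `render_template_string`: pass user input as a keyword argument, never as part of the template string.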