Writeup for Obligatory (Web) - Nahamcon CTF (2023) 💜
Video Walkthrough
Description
Every Capture the Flag competition has to have an obligatory to-do list application, right???
Solution
Register an account and try some payloads (XSS, SSTI, SQLi) in the to-do notes, but they all render as plain text without issues.
However, when a task is created, the page is loaded with a GET parameter named success whose value is set to Task created.
Changing that value to the SSTI polyglot ${{<%[%'"}}%\ produces an error message:
HACKER DETECTED!!!!The folowing are not allowed: [ {{\s*config\s*}},.*class.*,.*mro.*,.*import.*,.*builtins.*,.*popen.*,.*system.*,.*eval.*,.*exec.*,.*\..*,.*\[.*,.*\].*,.*\_\_.* ]
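The error above tells the defender two things: the success parameter reaches a template renderer, and the app relies on a regex blocklist over the reflected string rather than on keeping user input out of the template. The following is an added example, not code from the challenge or the original writeup. It assumes a Flask/Jinja2 backend (which the blocklist entries suggest) and shows the hardened pattern, where the parameter only selects a server-side message key, alongside a small detection routine that scans constructed access-log lines for template-syntax markers in query values. The message keys, log lines and function names are all constructed for illustration.

```python
# Added example (not from the original writeup): defender-side handling of the
# `success` query parameter discussed above.
#  1. build_flash_message(): hardened pattern, the client picks a key from a
#     server-side allowlist and never supplies the rendered text itself.
#  2. flag_ssti_probe() / scan_log(): detection logic that flags template syntax
#     ({{ }}, {% %}, ${ }, <% ...) appearing in query-string values.
import re
from urllib.parse import parse_qs, urlsplit

# Server-side allowlist of flash messages. Only the key travels in the URL, so
# there is no string to inject into and no blocklist to maintain. (Constructed.)
FLASH_MESSAGES = {
    "task_created": "Task created",
    "task_deleted": "Task deleted",
}


def build_flash_message(success_param):
    """Return the message for ?success=<key>, or None for an unknown key."""
    return FLASH_MESSAGES.get(success_param)


# Markers used by common template engines; any of them inside a query value is
# unexpected for a to-do app and worth an alert.
TEMPLATE_MARKERS = re.compile(r"\{\{|\}\}|\{%|%\}|\$\{|<%|#\{")


def flag_ssti_probe(url):
    """Return a list of (param, decoded_value) pairs whose value contains template syntax."""
    query = urlsplit(url).query
    hits = []
    for param, values in parse_qs(query, keep_blank_values=True).items():
        for value in values:  # parse_qs already URL-decodes the value
            if TEMPLATE_MARKERS.search(value):
                hits.append((param, value))
    return hits


# Constructed sample access-log lines (not captured from the challenge). The
# second line carries the URL-encoded polyglot from the writeup.
SAMPLE_LOG = """\
10.0.0.5 - - [18/Jun/2023:10:01:02 +0000] "GET /tasks?success=Task+created HTTP/1.1" 200 512
10.0.0.9 - - [18/Jun/2023:10:01:15 +0000] "GET /tasks?success=%24%7B%7B%3C%25%5B%25%27%22%7D%7D%25%5C HTTP/1.1" 500 88
10.0.0.5 - - [18/Jun/2023:10:02:40 +0000] "GET /tasks?success=task_created HTTP/1.1" 200 512
"""

# Pulls the request target out of a combined-format log line.
REQUEST_RE = re.compile(r'"(?:GET|POST) (\S+) HTTP/')


def scan_log(log_text):
    """Return the request targets whose query string contains template syntax."""
    flagged = []
    for line in log_text.splitlines():
        match = REQUEST_RE.search(line)
        if match and flag_ssti_probe(match.group(1)):
            flagged.append(match.group(1))
    return flagged


if __name__ == "__main__":
    print("allowlisted key ->", build_flash_message("task_created"))
    print("polyglot key    ->", build_flash_message("${{<%[%'\"}}%\\"))
    for target in scan_log(SAMPLE_LOG):
        print("template syntax in request:", target)
```

In the hardened route the view would call something like render_template("tasks.html", message=build_flash_message(request.args.get("success"))) so the value only ever enters the template as a variable that Jinja2 autoescapes, instead of being concatenated into the template source and handed to render_template_string. That design change removes the need for the regex blocklist shown in the error message, which is the fragile part of the original app.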