Category: Web

Points: 100

Description:

SaaS

app.py:

from flask import Flask, render_template, request
import html
import os

app = Flask(__name__)

@app.route('/')
def index():
    return render_template('index.html')

blacklist = ["flag", "cat", "|", "&", ";", "`", "$"]

@app.route('/backend')
def backend():
    for word in blacklist:
        if word in request.args['query']:
            return "Stop hacking.\n"
    return html.escape(os.popen(f"sed {request.args['query']} stuff.txt").read())

From reading the source code we can see that we can't use command injection. But we can add all the file to sed with a simple payload '' * where * means to include all the files the directory.

And then searching of "ictf" in browser we can find the flag.

SaaS 1

flag:

ictf{:roocu:roocu:roocu:roocu:roocu:roocursion:rsion:rsion:rsion:rsion:rsion:_473fc2d1}