baby ninja jinja

Hope you guys enjoy the challenge, I’ve started a discussion since I didn’t see one yet.

SSTI?

How do you scan a Docker? Like we do wpscan?

another one of those challenges where i feel like the solution should be relatively simple and quick, but in the end it takes me hours and a convoluted payload :stuck_out_tongue:

had a lot of fun though and i learned a trick or two

I used a technique from interdimensional internet to exfiltrate the data (the right one, not the slow one), but I have a gut feeling that there is a better way

@joeblogg801 said:

I used a technique from interdimensional internet to exfiltrate the data (the right one, not the slow one), but I have a gut feeling that there is a better way

i did the same thing, only better way would be to set the l***** s****** c***** and at that point you might as well just not ¯\_(ツ)_/¯
hmu if you wanna exchange payloads :stuck_out_tongue:

I think there are multiple ways to solve it, in my case I wrote data in i****.****

Wow this was harder than expected.

The console doesn’t work at all for me… I’m not talking about the PIN. Is this a rabbit-hole?

Could you share your hints please? Is the “story” relevant? Where should we dig deeper? Is d—g or c-----e the way to go? S–i? etc. Thanks!

Can anyone please help me get started with this?

Can anyone help? Stuck for a long time.

Wow. I learned a lot about how jinja can be exploited. Should be marked as a hard challenge though.
Trying not to spoil, but to give you some hints:

  • lots of info on google about typical jinja attacks
  • bypass
  • what can you control when you’re in the dark and hungry?

needed a little push but that was a great challenge! the best I’ve played so far.

I’m stuck at one of the bypasses. Can anyone drop me a hint via DM?
Thanks!!! T_T

That was quite hard and lots of fun!!! I wasn’t able to bypass the filters and this made getting the response a bit harder, DM me if you could and we can exchange payloads. I’m glad I didn’t have to sleep for days without the flag. Kudos @makelaris

Can I get a small nudge on this? I bypassed everything (saw the db as well) but I’m not sure where the flag is. Am I supposed to use imports? Would appreciate any nudge in a DM

Edit: Got it, never mind

I am not able to bypass the filter, can anyone help?

Didn’t sleep tonight, but I did. Very nice challenge!

Is there supposed to be a cookie? One isn’t being set, and if I just make my own, nothing happens