hexionCTF 2020 Web Exploitation


Taking a look at the website, it seems simple enough. You type in text, hit the “Create” button, and it renders the text below. Let’s probe for Flask injection:

A standard Flask injection that has the bonus of telling us if it is Jinja or not.
After pressing Create.

Interesting. At first glance it may look as if Flask injection won’t get anywhere. But as with any web challenge, we should look at the source, and in this case, what “Create” is doing:

As if one hint wasn’t enough, a very obvious “DEPRECATED” script stands below.

/notes? Let’s check it out.

So we can see that Flask injection works after all. Since we are given that the flag is at /flag, we start probing for a File class of sorts. (see captions for injections)


No File class that I can see, but this os._wrap_close seems more interesting, since we might be able to access methods from the os module. Let’s look inside:


There are probably several ways to go from here, but one way is to use the popen method to cat the flag.

{{config.__class__.__mro__[2].__subclasses__()[117].__init__.__globals__[‘popen’](‘cat flag’).read()}}

And there it is.

Leave a Reply

Your email address will not be published. Required fields are marked *