When Ian was a kid, he loved to play goofy Madlibs all day long. Now, he’s decided to write his own website to generate them!

When we visit the website, we are asked to choose either The Tale of a Person or A Random Story. After choosing one, we are asked for some extra information. We then submit the form and get back a templated story that includes the information we provided. At the end of the story there is also a link to the application's source code.

Here is the source code.

We can clearly see that the flag is stored in the variable app.secret_key. Since the application prints out a story containing the inputs we provide, I decided to check the code that handles the output.

When we post our inputs, this code handles them and renders the template. The try-except block caught my attention right away: it calls render_template_string with a string that includes the Author Name we submitted, so user input is concatenated into the template source instead of being passed in as a template variable. I did some research on whether this function has known vulnerabilities and found this. Then I decided to test for Server-Side Template Injection (SSTI).

Let's see what happens when we give {{ 'x'*20 }} as the Author Name. If the input is evaluated as a Jinja2 expression, the story should contain twenty x characters instead of the literal payload.

Yes! It worked. Now we need a payload of at most 12 characters (the limit on the Author Name) to retrieve the secret key. app.secret_key is just the value of the SECRET_KEY configuration key, and Flask exposes the config object inside templates as config. {{ config }} is exactly 12 characters, so let's dump the whole config object with that payload.

Here we got the flag actf{wow_ur_a_jinja_ninja}.
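To make the vulnerable pattern and its fix concrete, here is an added example (not the challenge's own code) that reproduces the bug with plain Jinja2, which Flask's render_template_string uses under the hood. It assumes jinja2 is installed; the FAKE_CONFIG dict is a constructed stand-in for Flask's config object, and the secret in it is a placeholder, not the real flag.

```python
from jinja2 import Environment

# Constructed stand-in for Flask's app.config. In the real app the flag lives in
# app.secret_key, which Flask stores as config["SECRET_KEY"]; this value is a placeholder.
FAKE_CONFIG = {"SECRET_KEY": "actf{placeholder_not_the_real_flag}", "DEBUG": False}

# Jinja2 Environment with default settings (autoescape off), as render_template_string
# would use for a Flask app that does not enable it.
env = Environment()


def render_vulnerable(author: str) -> str:
    """Mirrors the challenge's mistake: the user-supplied Author Name is concatenated
    into the template *source*, so {{ ... }} in the input is evaluated by Jinja2."""
    template_src = "Story by " + author + "."
    return env.from_string(template_src).render(config=FAKE_CONFIG)


def render_fixed(author: str) -> str:
    """The hardened form: the template source is a constant and the Author Name is
    passed as a context variable, so braces in the input are printed literally."""
    return env.from_string("Story by {{ author }}.").render(author=author, config=FAKE_CONFIG)


def fits_limit(payload: str, limit: int = 12) -> bool:
    """The challenge caps the Author Name length; check a candidate payload against it."""
    return len(payload) <= limit


if __name__ == "__main__":
    probe = "{{ 'x'*20 }}"          # the detection payload used in the writeup
    leak = "{{ config }}"           # 12 characters: fits the limit and dumps the config
    print("probe  :", render_vulnerable(probe))
    print("leak   :", render_vulnerable(leak), fits_limit(leak))
    print("fixed  :", render_fixed(leak))
```

The detection payload renders as a run of x characters only when the input is treated as template source; with the constant template in render_fixed the same input comes back unchanged. The fix is not escaping or filtering braces but never building template source from user data; enabling autoescape on the Environment is a separate concern (HTML injection) and would not stop SSTI on its own.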