July 13, 2023
Before we get started, I would like to express my sincere gratitude to the organizers of the Cyber Warzone CTF challenges, namely National Cyber Security Agency Malaysia (NACSA), Velum Labs, and WargamesMY.
In this blog, I will explain the process of solving the web challenge "I like to move it". This particular web challenge was created specifically for the CYDES CTF competition.
Here is the challenge file:
After extracting the archive, the only file of interest is app.py:
At first glance, by reading the imported libraries and function names in app.py, there appear to be a few possible vulnerabilities in this particular challenge:
I will separate the source code into different parts to better explain them.
The / path is not vulnerable to SSTI: