SSTI1 picoCTF 2025 Solution

Description

1. Step 1Pop a shell via cycler
   Jinja exposes the cycler helper, whose __init__.__globals__ dictionary contains the os module. Calling os.popen lets you run arbitrary commands from a template payload.
   bash

   {{ cycler.__init__.__globals__.os.popen('ls -la').read() }}

   Copied!
   Learn more

   Server-Side Template Injection (SSTI) occurs when user input is embedded directly into a template string that is then rendered by a server-side template engine. Unlike reflected XSS (which runs in the victim's browser), SSTI runs on the server with the application's privileges, making it far more dangerous. The canonical test payload is {{7*7}}: if the server responds with 49 instead of the literal string {{7*7}}, template injection is confirmed.

   Jinja2, Flask's default template engine, exposes a global namespace containing Python builtins and context objects. The cycler object (a Jinja2 utility for cycling through values) is always available in the template context. Its __init__ method is a Python function, and all Python functions carry a __globals__ attribute pointing to the module's global namespace. If the os module was imported anywhere in the application, it appears in this dictionary, accessible via template syntax without any import statement in the payload itself.

   SSTI is ranked in the OWASP Top 10 under Injection and has led to complete server compromise in real-world incidents. Affected template engines include Jinja2, Twig (PHP), FreeMarker (Java), Pebble (Java), Velocity (Java), and others. The payload chain differs per engine, which is why identification (what engine is running?) precedes exploitation in a real engagement. Web challenges and real-world bug patterns covers SSTI alongside the other Top-10 classes.

   This payload works here because the SSTI1 endpoint applies no character filter; the underscores, dots, and the literal word cycler all pass through. SSTI2 is the same vulnerability with a keyword blacklist bolted on, which forces the same gadget to be expressed without underscores or the cycler identifier and is why the next challenge feels like a different bug.

2. Step 2Read the flag file
   Listing the directory reveals the flag file. Replace the command string with cat flag (or use curl to POST the payload) and the response contains the picoCTF flag.
   bash

   {{ cycler.__init__.__globals__.os.popen('cat flag').read() }}

   Copied!

   bash

   curl -L -X POST -d "content={{ cycler.__init__.__globals__.os.popen('cat flag').read() }}" http://rescued-float.picoctf.net:52534/

   Copied!
   Learn more

   os.popen() opens a pipe to a shell command and returns a file-like object whose .read() method captures standard output. subprocess.run(..., capture_output=True) reaches the same outcome but is the modern, safer interface (explicit argument lists, better error handling, no implicit shell). The two are not interchangeable in production code; popen is the legacy, one-liner-friendly form, while subprocess is what you should reach for in a real codebase. For SSTI specifically, popen is the better tool because it fits inline as a single chained expression with no imports beyond os.

   From a defensive standpoint, the root fix is trivially simple: never pass user input directly to a template renderer. Instead, pass data as template variables using the context dictionary, e.g. render_template('page.html', content=user_input), and reference it as {{ content }} in the template file. Jinja2 automatically HTML-escapes variables rendered this way, preventing both SSTI and XSS. The vulnerability only exists when code uses render_template_string(user_input) or jinja2.Environment().from_string(user_input) directly.

   If template rendering of user content is genuinely required (e.g., a CMS allowing template-like syntax), the mitigation is to use a sandboxed environment: jinja2.sandbox.SandboxedEnvironment() blocks access to private attributes (__init__, __globals__) and disallows calling arbitrary Python functions. Treat this as a speed bump rather than a wall: published sandbox escapes exist for most template engines, attribute filters can be bypassed with |attr() + dynamic strings, and any object exposed to the template that holds a reference to a function carrying __globals__ is potentially a gadget. Sandboxing raises the exploitation bar; it does not eliminate the vulnerability class.

3. Step 3Optional: script the extraction
   Pipe the HTML through grep/cut if you want a clean output from the command line.
   bash

   curl -L -X POST -d "content={{ cycler.__init__.__globals__.os.popen('cat flag').read() }}" http://rescued-float.picoctf.net:52534/ | grep -E "picoCTF\{.*\}"

   Copied!
   Learn more

   Chaining curl with text processing tools like grep, cut, and sed is a quick way to automate flag extraction without writing a full Python script. The -E flag enables extended regular expressions in grep, and picoCTF\{.*\} matches the flag pattern. This approach works well for one-off extractions but breaks if the flag contains characters that have special regex meaning.

   For more robust automation, pwntools (via from pwn import *) provides HTTP request helpers alongside its binary exploitation capabilities. For web-only challenges, requests (Python) or httpx offer clean APIs for building and sending POST requests, parsing JSON responses, and following redirects, making them ideal for multi-step web exploits that require maintaining session state across requests.

   Scripting the exploit also makes it reproducible: if the challenge instance resets or you want to demonstrate the vulnerability to others, a self-contained script is far more reliable than manual browser interactions. Good CTF habit is to save every working exploit script in your notes alongside the flag.

Flag

The payload chain works in-browser or via curl; both outputs include the full flag inside the rendered HTML.