Tags: web
Rating: 4.0
> ###### The attempted attempt to tempt the untempted into a tempting but contemptible scheme was an untempting temptation that exemplified not only contempt but also a preemptive exemption from any redemptive attempts.
>
> ###### Author: @gehaxelt
Write-up author: twenty5
### Explanation
Screenshots (https://imgur.com/a/VdhVCiX)
The name and the description gave me a hint that it might be an SSTI (**Server-Side Template Injection**).
The challenge consists of a simple web page with a submission form.

When you try to submit anything, it just returns "Too Tempted!".

Then I checked the page's HTML code. There was a comment mentioning a URL parameter that lets you fetch the source code of the web page.

In the source code it became obvious that it's an SSTI: the user input is passed straight to the template engine without any sanitization (highlighted in red in the screenshot).

Then I googled web.py's documentation, which has a section about builtins and globals. To figure out which functions were available inside a template, I went to web.py's GitHub repository.

Looking through the template.py code (https://github.com/webpy/webpy/blob/master/web/template.py) I found TEMPLATE_BUILTIN_NAMES, and the builtin import function was among them.

After that I worked out how to exploit it and came up with a payload that imports the os module and calls its system function, which runs a curl command sending a POST request to my Collaborator with the output of an arbitrary command in the body.

The flag was in the /tmp folder (see the source code of the challenge), but it can't be read as /tmp/flag.txt because there's an if statement that checks for the word "flag" in the user input, so I used /tmp/\*.txt instead and encoded it with base64.

Then I checked the Collaborator and there it was!

Flag: **ENO{T3M_Pl4T_3s_4r3_s3cUre!!}**