
Overview
Jinjacare is a web application designed to help citizens manage and access their COVID-19 vaccination records. The platform allows users to store their vaccination history and generate digital certificates. They've asked you to hunt for any potential security issues in their application and retrieve the flag stored in their site.
First Look
The hints are a huge help: knowing that we are dealing with an SSTI in Jinja takes care of a lot of the work for us. Since we know we are working with Jinja, I started injecting the 7*7 payload during registration to see which fields end up in the templating.
Looking around the app, we see that we can also download our vaccine passport. Once downloaded, we see that there is indeed an SSTI, as our name field is showing 49.
Leveraging our SSTI
From there we try a couple of payloads for RCE, but nothing worked at first, so we list all the objects we have access to.
We access the "warnings.catch_warnings" class to reach the import function, and from there we can import any library we want.
I imported the os library, which gave me RCE on the server, and used it to find the flag at the root of the filesystem!
{{ dict.__base__.__subclasses__()[378].__init__.__globals__['__builtins__']['__import__']('os').popen('cat /flag.txt').read() }}
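As an added example (not part of the original writeup), the triage below tells the harmless-looking 7*7 probe apart from a gadget chain like the payload above, so a defender can alert on registration fields before they ever reach a template; the sample names are constructed, and the real fix is to pass the name as a template variable instead of concatenating it into the template source.

```python
import re

# Jinja2 delimiters: expression {{ ... }}, statement {% ... %}, comment {# ... #}
JINJA_DELIMITERS = re.compile(r"\{\{.*?\}\}|\{%.*?%\}|\{#.*?#\}", re.DOTALL)

# Attribute-walk gadgets used to climb from a template object to __import__,
# as in the payload above (__base__ -> __subclasses__ -> __init__ -> __globals__).
GADGET_TOKENS = (
    "__class__", "__base__", "__mro__", "__subclasses__", "__init__",
    "__globals__", "__builtins__", "__import__", "popen", "catch_warnings",
)


def classify_input(value: str) -> str:
    """Classify one user-supplied field value.

    'clean'   : no Jinja delimiters at all
    'probe'   : a Jinja expression such as {{7*7}} with no gadget tokens
    'exploit' : a Jinja expression carrying object-walk / import gadgets
    """
    if not JINJA_DELIMITERS.search(value):
        return "clean"
    hits = [tok for tok in GADGET_TOKENS if tok in value]
    return "exploit" if hits else "probe"


# Constructed sample registration inputs (not taken from the challenge traffic).
SAMPLE_NAMES = [
    "Alice Example",
    "{{7*7}}",
    "{{ dict.__base__.__subclasses__() }}",
    "{% if 1 %}x{% endif %}",
]


def triage(names):
    """Map each submitted name to its classification for alerting."""
    return {name: classify_input(name) for name in names}


if __name__ == "__main__":
    for name, verdict in triage(SAMPLE_NAMES).items():
        print(f"{verdict:8s} {name}")
```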