Gunship

Gunship is the first web challenge of the HTB x UNI 2020 CTF. We are given a webpage titled "AST Injection" that contains an input form which sends a JSON object to the server.

In the source code we find that Handlebars is used for templates, and there is a mention of AST Injection by po6ix. Using Google, we can find an article that explains methods for AST Injection and prototype pollution on two templating frameworks, Handlebars and Pug.

https://blog.p6.is/AST-Injection/#Handlebars

We can copy the Handlebars exploit example and modify it slightly to pass the artist.name check and have Handlebars compile the template, then send it to the server using Burp.

Our reverse shell is executed and we can print the flag:

HTB{wh3n_l1f3_g1v3s_y0u_p6_st4rt_p0llut1ng_w1th_styl3}
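
The prototype pollution step that the Handlebars exploit above depends on, seen from the server's side. This is an added example, not the challenge's source or the linked article's code: `unsafeMerge`, `safeMerge`, `pollutedKeys` and the request body are hypothetical names and constructed input, and the merge routine is an assumed stand-in for however the server processes the JSON object.

```javascript
// Added example: hypothetical helpers, not the challenge's server code.
const BASELINE = new Set(Object.getOwnPropertyNames(Object.prototype));
const BLOCKED_KEYS = new Set(["__proto__", "constructor", "prototype"]);
const isPlainObject = (v) => v !== null && typeof v === "object" && !Array.isArray(v);
const hasOwn = (o, k) => Object.prototype.hasOwnProperty.call(o, k);

// Naive recursive merge: follows every key, so "__proto__" reaches Object.prototype.
function unsafeMerge(target, source) {
  for (const key of Object.keys(source)) {
    if (isPlainObject(source[key])) {
      if (!isPlainObject(target[key])) target[key] = {};
      unsafeMerge(target[key], source[key]);
    } else {
      target[key] = source[key];
    }
  }
  return target;
}

// Hardened merge: drops prototype-reaching keys and only descends into own properties.
function safeMerge(target, source) {
  for (const key of Object.keys(source)) {
    if (BLOCKED_KEYS.has(key)) continue;
    if (isPlainObject(source[key])) {
      if (!hasOwn(target, key) || !isPlainObject(target[key])) target[key] = {};
      safeMerge(target[key], source[key]);
    } else {
      target[key] = source[key];
    }
  }
  return target;
}

// Detection check: properties added to Object.prototype since startup.
function pollutedKeys() {
  return Object.getOwnPropertyNames(Object.prototype).filter((k) => !BASELINE.has(k));
}

function demo() {
  // Constructed request body; the real form's field layout is an assumption.
  const body = '{"artist":{"name":"constructed"},"__proto__":{"pollutedMarker":"yes"}}';
  const merged = safeMerge({}, JSON.parse(body));
  const afterSafe = pollutedKeys();        // nothing leaked
  unsafeMerge({}, JSON.parse(body));
  const afterUnsafe = pollutedKeys();      // marker now visible on every object
  const inherited = ({}).pollutedMarker;
  delete Object.prototype.pollutedMarker;  // restore the prototype
  return { merged, afterSafe, afterUnsafe, inherited, afterCleanup: pollutedKeys() };
}

console.log(demo());
```

A check like `pollutedKeys()` fits in a test suite or health check that runs after untrusted JSON has been handled.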