BackdoorCTF - web - 100

In this problem, the challenge text just gave us a URL to the page, which in turn linked to the source code on GitHub.

        <title>Underscore Template Tester</title>
        <style rel="stylesheet" type="text/cs" href="//"></style>
        <h1>Underscore Template Tester</h1>
        <form action="/templatize" method="POST">
            <p>This app takes in JSON data and a template and mashes them together using underscore.js</p>
            <textarea name="json" rows="10" cols="30" placeholder="Enter JSON data">{"package":"underscore_test","version": "2.9.12"}</textarea>
            <textarea name="template" rows="10" cols="30" placeholder="Enter your template here">The name of the package is <%=package%> and its version is <%=version%></textarea>
            <input type="submit" value="Convert!">
        </form>
        <p>Source code for this is available at</p>

When queried, the server behaves pretty much as expected:

        The name of the package is underscore_test and its version is 2.9.12

Going back to the source code reveals a very interesting line in app.js though:

        // development only
        if ('development' == app.get('env')) {
          console.error("No flag in environment");
        }

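So... the flag is stored in the environment on the server. Underscore compiles the submitted template into a JavaScript function, so whatever sits inside the <%= %> delimiters is evaluated on the server. In other words, we have limited code execution - let's try to expose it!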


Flag: 16367694ede9faef0efec36845e18ceb
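
One way to close the hole this writeup exploits, as an added example that is not part of the original writeup or the challenge's source: a renderer that only substitutes keys from the submitted JSON instead of compiling the template to JavaScript. The names renderSafe and escapeHtml are hypothetical; the sample input is the form's default data shown above.

```javascript
// Added example: a data-only renderer for the "JSON + template" feature.
// Instead of compiling the template to JavaScript, it treats <%= key %> as
// a lookup into the submitted JSON and rejects every other tag.

const TAG = /<%([\s\S]*?)%>/g;             // any <% ... %> tag
const KEY = /^=\s*([A-Za-z_$][\w$]*)\s*$/; // only "<%= identifier %>"

function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (c) => ({
    '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
  }[c]));
}

function renderSafe(template, jsonText) {
  const data = JSON.parse(jsonText);
  if (data === null || typeof data !== 'object' || Array.isArray(data)) {
    throw new TypeError('JSON data must be an object');
  }
  return template.replace(TAG, (tag, body) => {
    const m = KEY.exec(body);
    // Anything that is not a bare identifier is refused, never evaluated.
    if (!m) throw new SyntaxError('unsupported template tag: ' + tag);
    const key = m[1];
    // Own properties only: nothing inherited, nothing from server scope.
    if (!Object.prototype.hasOwnProperty.call(data, key)) {
      throw new ReferenceError('key not in JSON data: ' + key);
    }
    const value = data[key];
    if (value !== null && typeof value === 'object') {
      throw new TypeError('value for ' + key + ' is not a scalar');
    }
    return escapeHtml(value);
  });
}

// Constructed sample input: the form's default values from the page.
const sampleJson = '{"package":"underscore_test","version": "2.9.12"}';
const sampleTpl =
  'The name of the package is <%=package%> and its version is <%=version%>';
console.log(renderSafe(sampleTpl, sampleJson));
```

Because lookups are restricted to own properties of the parsed JSON, a template can only echo back data the same request supplied.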

- Kelson