# Business CTF 2022: H2 Request Smuggling and SSTI – Phishtale
**CTFs (Capture The Flag)** give security enthusiasts a way to test their skills and learn new techniques. One challenge from the **Business CTF 2022**, titled **Phishtale**, focused on **H2 Request Smuggling** and **Server-Side Template Injection (SSTI)**. This post covers the creator’s perspective and the motives behind the challenge, and links to the detailed write-up of the Phishtale web challenge.
## Understanding the Challenge
The Phishtale challenge was designed to test participants’ abilities to identify and exploit vulnerabilities in web applications. The creator aimed to provide a realistic scenario that mimics real-world attacks, allowing participants to think critically and creatively.
### What is H2 Request Smuggling?
**H2 Request Smuggling** is a technique that takes advantage of the way HTTP/2 handles requests. By manipulating the way requests are sent to a server, attackers can smuggle malicious requests that can bypass security measures. This can lead to unauthorized access or data leakage, making it a critical area for security professionals to understand.
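One defensive check for this class of bug, as an added example that is not taken from the challenge or its write-up. It assumes a front end that decodes HTTP/2 requests and re-serialises them as HTTP/1.1 for a back end (a setup this post does not describe), and it flags requests whose fields RFC 9113 treats as malformed. The function name and sample requests are constructed for illustration.

```python
import re

# Connection-specific fields, which RFC 9113 forbids in HTTP/2 messages.
CONNECTION_SPECIFIC = {"connection", "keep-alive", "proxy-connection",
                       "transfer-encoding", "upgrade"}
PSEUDO = {":method", ":scheme", ":authority", ":path"}
TOKEN = re.compile(r"[!#$%&'*+\-.^_`|~0-9a-z]+")  # lowercase field-name token


def h2_downgrade_violations(headers, body_len):
    """Hypothetical helper: list the reasons a decoded HTTP/2 request
    (name/value pairs plus DATA byte count) is unsafe to send on as HTTP/1.1."""
    problems, content_lengths = [], set()
    for name, value in headers:
        if name.startswith(":"):
            if name not in PSEUDO:
                problems.append(f"unknown pseudo-header {name!r}")
        elif not TOKEN.fullmatch(name):
            problems.append(f"invalid field name {name!r}")
        elif name in CONNECTION_SPECIFIC:
            problems.append(f"connection-specific field {name!r}")
        elif name == "te" and value.strip().lower() != "trailers":
            problems.append("te other than 'trailers'")
        elif name == "content-length":
            content_lengths.add(value.strip())
        # CR, LF or NUL in a value would start a new line once re-serialised.
        if any(c in value for c in "\r\n\0"):
            problems.append(f"control character in value of {name!r}")
    if len(content_lengths) > 1:
        problems.append("conflicting content-length values")
    for cl in sorted(content_lengths):
        if not (cl.isascii() and cl.isdigit()) or int(cl) != body_len:
            problems.append(f"content-length {cl!r} != DATA length {body_len}")
    return problems


# Constructed sample requests (not captured traffic).
CLEAN = [(":method", "POST"), (":scheme", "https"), (":path", "/login"),
         (":authority", "shop.example"), ("content-length", "9")]
SUSPECT = [(":method", "POST"), (":path", "/"),
           ("transfer-encoding", "chunked"),
           ("x-note", "a\r\nx-injected: 1"),
           ("content-length", "0")]

if __name__ == "__main__":
    for label, req in (("clean", CLEAN), ("suspect", SUSPECT)):
        print(label, h2_downgrade_violations(req, body_len=9))
```

A front end that rejects any request with a non-empty result, rather than trying to repair it, never forwards a message whose HTTP/1.1 framing differs from what it parsed.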
### What is SSTI?
**Server-Side Template Injection (SSTI)** is another vulnerability that can be exploited in web applications. It occurs when user input is improperly handled in server-side templates, allowing attackers to execute arbitrary code on the server. This can lead to severe consequences, including data breaches and system compromise.
## The Creator’s Perspective
The creator of the Phishtale challenge wanted to highlight the importance of understanding these vulnerabilities. By crafting a challenge that required participants to think outside the box, they aimed to foster a deeper understanding of web security. The challenge not only tested technical skills but also encouraged participants to consider the broader implications of their actions in the cybersecurity landscape.
## Challenge Motives
The motives behind creating such challenges are multifaceted. They serve to:
- **Educate**: Provide learning opportunities for participants to enhance their skills.
- **Engage**: Foster a sense of community among cybersecurity enthusiasts.
- **Raise Awareness**: Highlight the importance of web security and the potential risks associated with vulnerabilities.
## Conclusion
The Phishtale challenge from Business CTF 2022 was an excellent opportunity for participants to dive into the complexities of H2 Request Smuggling and SSTI. By understanding these vulnerabilities, cybersecurity professionals can better protect systems and data from potential threats.
For those interested in a more in-depth exploration of the Phishtale challenge, I encourage you to check out the detailed write-up available at the following link: [Business CTF 2022: Phishtale Write-Up](https://www.hackthebox.com/blog/business-ctf-2022-phishtale-writeup).
Stay curious and keep learning!