Just a simple Server-Side Template Injection (SSTI).

On the web page, I think we have all the hints we could ask for: we already know it is "Proudly powered by Flask/Jinja2", so let's try to confirm it.

`$`: we get a 404 Not Found, but our input is reflected, so let's try injecting another command.

`${`: boom again, let's find the crash point.


Boom, a crash point `$`.
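What the reflected 404 and the crash point suggest about the server side, as an added example that is not the challenge's code: a 404 handler that concatenates the request path into Jinja2 template source, next to a version that passes the path as data. The function names, page markup and probe strings are assumptions constructed for illustration.

```python
# Added example: the 404-handler pattern behind this kind of SSTI, next to the fix.
# Names, markup and probes are constructed; this is not the challenge's source.
from jinja2 import Environment, TemplateSyntaxError

env = Environment(autoescape=True)


def render_404_vulnerable(path: str) -> str:
    # BUG: the requested path becomes part of the template *source*,
    # so Jinja2 parses and evaluates any template syntax inside it.
    source = "<h1>404</h1><p>/" + path + " was not found</p>"
    return env.from_string(source).render()


# FIX: the template is a constant; the path is only ever a variable value.
PAGE_404 = env.from_string("<h1>404</h1><p>/{{ path }} was not found</p>")


def render_404_safe(path: str) -> str:
    # The path is data here, and autoescape HTML-encodes it on output.
    return PAGE_404.render(path=path)


def classify(path: str) -> str:
    """Describe how the vulnerable handler treats one input."""
    try:
        out = render_404_vulnerable(path)
    except TemplateSyntaxError:
        return "crash"  # surfaces as an HTTP 500: the "crash point"
    return "reflected" if path in out else "evaluated"


if __name__ == "__main__":
    # Constructed probes: plain text, an unbalanced delimiter, harmless arithmetic.
    for probe in ["$", "${", "{{", "{{ 7*7 }}"]:
        print(repr(probe), "->", classify(probe), "| safe:", render_404_safe(probe))
```

In the safe handler every probe comes back as literal text, so a response that evaluates or crashes on template delimiters is the signal that user input is reaching the template source.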


Boom, we are the root user. Cool, let's list the directory.



We can see flag.txt, so let's cat it and we are done.

Nah, not going to show you the flag. Get it yourself, lol.

