webPromedium
Lucky Ticket (Счастливый билет)
hackerlab
Task: Flask web app with lottery ticket validation form. Solution: Bypass input validation with newline character (%0a) to exploit SSTI in Jinja2, extract SECRET_KEY from config, forge admin session with flask-unsign.
$ ls tags/ techniques/
ssti_jinja2newline_injectionflask_session_forgerysecret_key_extraction
🔒
Permission denied (requires tier.pro)
Sign in to access full writeups
Sign in with GitHub to continue. No email required.
$sign in$ grep --similar
Similar writeups
- [web][Pro]Поздравительное приложение (Greeting App)— hackerlab
- [web][Pro]Состояние 0x7F— hackerlab
- [web][Pro]Конвертер (Converter)— hackerlab
- [pentest][Pro]Лотерея (Lottery)— hackerlab
- [web][Pro]В поисках капибары — Hackerlab— hackerlab