webmedium

Guild

hackthebox

Task: Exploit a Flask app with multiple SSTI injection points, EXIF metadata processing, and predictable password reset tokens. Solution: Leak admin email via filtered bio SSTI using User ORM object in template context, reset admin password using sha256(email) token, then exploit unfiltered SSTI in EXIF Artist tag using lipsum.__globals__ to read the flag file.

$ ls tags/ techniques/
flaskfilter_bypasssstijinja2password_resetexif
ssti_exif_injectionpredictable_tokenorm_query_injectionlipsum_globals
🔒

Permission denied (requires tier.pro)

Sign in to access full writeups

Create a free account with GitHub, then upgrade to Pro.

$ssh [email protected]