$ cat writeup.md…
duckerz
Task: Telegram Mini App (Tinder-style) with a Flask/Jinja2 backend; user profile cards are rendered server-side. Solution: SSTI via the Telegram first_name field. I changed my Telegram name to a Jinja2 payload, Telegram signed it into initData, and the server rendered it without escaping, which leaked FLAG from the environment variables.
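The root cause, as an added illustration that is not the challenge's own code: the first_name that arrives inside a validly signed initData is still untrusted input, and the difference between building the template source from it and passing it as a template variable is the whole bug. The user object and names below are constructed samples.

```python
# Added example (not the challenge's code): a signed Telegram initData field
# is still attacker-controlled text and must not become Jinja2 template source.
from jinja2 import Template

# Constructed sample in the shape of the Telegram WebApp "user" object;
# first_name is the field the write-up abused.
SAMPLE_USER = {"id": 1, "first_name": "{{ 7*7 }}"}


def render_card_vulnerable(user):
    # Concatenates user data into the template source, so Jinja2 evaluates
    # the name as template code. The initData HMAC proves Telegram relayed
    # the value; it says nothing about the value being safe.
    src = "<div class='card'><h2>" + user["first_name"] + "</h2></div>"
    return Template(src).render()


# Static template compiled once; user data only ever enters as a variable.
CARD_TEMPLATE = Template(
    "<div class='card'><h2>{{ name }}</h2></div>", autoescape=True
)


def render_card_fixed(user):
    # Template delimiters in the name are rendered as literal text, and
    # autoescaping neutralises any HTML the name carries.
    return CARD_TEMPLATE.render(name=user["first_name"])


def looks_like_template_injection(value):
    # Cheap server-side check for logging or alerting on profile fields
    # that contain Jinja2 delimiters; not a substitute for the fix above.
    return any(tok in value for tok in ("{{", "{%", "{#"))


if __name__ == "__main__":
    print("vulnerable:", render_card_vulnerable(SAMPLE_USER))
    print("fixed:     ", render_card_fixed(SAMPLE_USER))
```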