webmedium

RiceMatch

duckerz

Task: Telegram Mini App (Tinder-style) with Flask/Jinja2 backend, user profile cards rendered server-side. Solution: SSTI via Telegram first_name field - changed name to Jinja2 payload, Telegram signed it in initData, server rendered it without escaping, leaked FLAG from environment variables.

$ ls tags/ techniques/
flaskrcesstipythonjinja2telegram-bottelegram-mini-apptelegram-webappinitdata
ssti_jinja2lipsum_globals_rcetelegram_firstname_injectionrender_template_string_abuseenv_variable_leak
🔒

Permission denied (requires tier.pro)

Sign in to access full writeups

Create a free account with GitHub, then upgrade to Pro.

$ssh [email protected]