$ cat writeup.md…
$ cat writeup.md…
hackadvisor
Task: MailPulse email marketing platform (Flask/Jinja2) with campaign template preview endpoint that passes user input to render_template_string() without sandboxing. Solution: Inject {{lipsum.__globals__['os'].popen('cat /root/flag.txt').read()}} via body_html field in POST /campaigns/0/preview to achieve RCE and read the flag.
Permission denied (requires tier.pro)
Sign in with GitHub, Discord, or Google to continue. No email required.
$sign in$ grep --similar