$ cat writeup.md…
$ cat writeup.md…
hackadvisor
Task: Flask food delivery app with user registration; first_name field passed to Jinja2 render_template_string() unsandboxed on profile welcome banner. Solution: Registered user with {{lipsum.__globals__['os'].popen('cat /root/flag.txt').read()}} as first_name, visited /profile to trigger SSTI→RCE.
Permission denied (requires tier.pro)
Sign in with GitHub, Discord, or Google to continue. No email required.
$sign in$ grep --similar