$ cat writeup.md…
hackthebox
Task: a Flask app using SQLite with SQLAlchemy, RS256 JWTs verified via PyJWKClient, Chameleon page templates, and an admin bot. Solution: chain SQLi (a UNION dump of the admin row) with a path-traversal arbitrary file write that overwrites the server's JWKS, forge an admin JWT, then use Chameleon SSTI with a chr()/getattr() char-filter bypass to read /flag.txt.