We end up on this page
If we enter {{ we get an exception
{{
Let's find out which template it uses using James Kettle tree (see more details about this herearrow-up-right)
This one {{7*7}} evaluates
{{7*7}}
However this {{7*'7'}} seems to reveal that some char are filtered
{{7*'7'}}
If we use double quotes instead it works {{7*"7"}}
{{7*"7"}}
According to the tree it can be Jinja2 or Twig
As we have a header leaking the Python version, the template should be Jinja2 as it is based on python
let's try to find the config {{config}}
{{config}}
We get the flag here but it seems encoded. If we use burpsuite and decode it as ASCII hex, we get the flag!
Last updated 2 years ago
