Rating: 3.0
# web flask SSTI
![image](https://user-images.githubusercontent.com/65381453/131301407-7d751004-0975-43cb-a11a-b69bbe120ab6.png)
# recon
![image](https://user-images.githubusercontent.com/65381453/131301965-22beafdc-2ec2-440c-ac01-0c186ad89e59.png)
the function of this site is base64 decode the inserted value to the actual value
nothing else and i think it's SSTI
# quất
![image](https://user-images.githubusercontent.com/65381453/131304776-ffb1a317-2085-4ea7-a957-b7021084df31.png)
and decode
oke ! next i find payload in here
and result :
# FIND Flag
```
Note: Flag is located in etc directory
```
## LS /etc
![image](https://user-images.githubusercontent.com/65381453/131305803-1dd39ce3-2fdd-477f-a46f-ca83dddbd305.png)
result: found flag.txt
## cat flag.txt
![image](https://user-images.githubusercontent.com/65381453/131306272-6b332ff7-bd0f-485c-95c5-8e110ba590e3.png)
result:
Congratulation for my team AUZ1 , we are new team without exp