Rating:
Unintended:
- The `.git` directory and source code are exposed on the webserver.
- The flag is in the source code.
Intended:
- Create two user accounts; one of the usernames is a Server-Side Template Injection (SSTI) payload.
- Exploit the SSTI in the SMS template to call the `add_money_to_login()` function and add money to the other account.
- Buy the VIP number and get the flag.
[**Full Writeup**](https://ctf.zeyu2001.com/2021/yauzactf-2021/yauzabomber)