- `.git` directory and source code are exposed on the webserver
- The flag is in the source code.

- Create two user accounts - one of the usernames is a Server-Side Template Injection (SSTI) payload.
- Exploit SSTI in the SMS template to call the `add_money_to_login()` function and add money to the other account
- Buy the VIP number, and get the flag

[**Full Writeup**](https://ctf.zeyu2001.com/2021/yauzactf-2021/yauzabomber)

Original writeup (https://ctf.zeyu2001.com/2021/yauzactf-2021/yauzabomber).