Tags: ssti jwt git aws 

## TLDR

- Port 80 exposed a `git` repository
- Downloading it revealed the AWS credentials and the use of Lambda functions
- The Lambda function's code contains a JWT secret
- With the JWT secret you can forge the authentication cookie and log in to the website on port 5000
- There is a Server-Side Template Injection (SSTI) in the `/order` endpoint, which gives you a shell and therefore the flag

Full writeup: [https://radboudinstituteof.pwning.nl/posts/htbunictfquals2021/epsilon/](https://radboudinstituteof.pwning.nl/posts/htbunictfquals2021/epsilon/)