### TL;DR
Slippy was the easy-rated web challenge that involved a pretty sparse web app. After an initial code review, we’ll take the name as a clue and do some research into the “Zip Slip” archetype of vulnerability. Knowing that the Flask app is in debug mode, we can leverage the “zip slip” vulnerability to overwrite routes.py to include our SSTI vulnerability, which we can use to get RCE and grab the flag. Full details in the link.

Original writeup (https://an00brektn.github.io/uni-ctf-slippy/).