@1z3n said:
when I run whoami it returns as root. I was trying to get a reverse shell. Lol. got the flag it was easy.
Did you actually get a shell? I was poking around for a bit but no luck
Holy Moly, I was out of CTF'ing and IT-Sec for almost 10 years. Decided to give it another try with 30+ and started with this Challenge. Took me round about 3 hours, but I enjoyed every minute of it. The reading and the small steps to make it to the next success, digging deeper until u almost can smell the flag.
Read a lot of different guides and articles to this topic, there isn't a straightforward one but with putting the mosaics together it's doable even if u never heard of that type of vuln before.
Great challenge!
Also feel free to write a PM for hints
That was fun.
I don't get it. I looked up the "flask/jinja2" thing and I know it's a framework. But I'm not quite sure how I'm supposed to turn this into an exploit.
eu can help me ? please!!!
Completed it, was not as simple as I initially thought, but learnt a lot. I think this is a nice box to get back into cyber security. I don't think I need to offer a hint as the hints in this thread are more than enough. Just need to read this thread and think "I wonder what Google can say about this".
took time to understand but finally got the flag.
Burp is your best friend for this!
Is there a fake flag in this challenge? I was able to get a flag from a .txt file but it says the flag is incorrect
Hi All
I'm new to this sort of thing. I have found what the vulnerability is, and kind of know what I need to do. However when I amend the URL, I get nothing to show it's done anything. Even a simple 7*7 doesn't give me a response.
Not sure where to go with this
Actually, I sorted it. Once I got the syntax correct, I got it working
I'm not sure if I have to upload two flags. I have obtained one and it gives me valid and automatically disconnects me from the machine and I get the completed sign. Will we have to find some other root flag for example?
The title is a big hint for the kind of exploitation that you need to use. Once you find it, you can use it to access the flag.
It was not easy to do this challenge, it is difficult to understand the injections and apart from that you have to know very well which injection to execute
but it was fun, if you need help you can write to my discord:Bryan_2555#9878
Didn't know this thread was still alive
Templated was my first completed challenge, at that time, it was pretty confusing to understand what was happening, but some days later I created something I called "makeshift webshell" to execute code through my terminal and get the flag again in 30 seconds
Surely a really fun challenge, a good one to start and great way to understand how webhacking works
As I'm determined to start interacting with the community, you can surely send me a message
R