The devil is enticing us to commit some sandboxed SSTI feng shui, would you be interested in doing so?
Category: web
Solver: davex, shm0sby
Flag: HTB{b3nt_tw1g_t0_my_will!}
Writeup
The task was very simple. We had the source code of the challenge and we knew there was /flag
which might contain our flag. ;)
The challenge used Symfony as its application framework and Twig as its templating engine.
The user input was rendered as a Twig template, so a basic Twig injection payload from [1] was enough.
After entering the following payload into the input field on the home page, we saw the flag:
{{['cat\x20/flag']|filter('system')}}
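To make the root cause and the fix concrete, here is an added illustration (our own code, not the challenge's source) of the vulnerable pattern, compiling request data with createTemplate(), next to the hardened form: the input is passed as a template variable, and a Twig sandbox policy with an explicit allow-list is enabled as defence in depth. It assumes Twig 3.x installed through Composer; the template name, variable name and allow-listed tags and filters are our own choices.

```php
<?php
// Added illustration, not the challenge's source: the vulnerable pattern
// (compiling user input as a template) next to a hardened version.
// Assumes Twig 3.x installed via Composer (vendor/autoload.php).
require __DIR__ . '/vendor/autoload.php';

use Twig\Environment;
use Twig\Loader\ArrayLoader;
use Twig\Extension\SandboxExtension;
use Twig\Sandbox\SecurityPolicy;
use Twig\Sandbox\SecurityError;

// Constructed sample input in the shape of the payload from the writeup
// (harmless command substituted for the demonstration).
$userInput = "{{['id']|filter('system')}}";

// Vulnerable: the request body becomes the template source. Any Twig
// syntax in it is compiled and executed, so filter('system') hands the
// string to PHP's system() on the server.
function renderVulnerable(Environment $twig, string $input): string
{
    return $twig->createTemplate($input)->render();
}

// Hardened, step 1: treat the input as data, never as template source.
// The template is fixed; the value is only ever auto-escaped output.
function renderSafe(Environment $twig, string $input): string
{
    return $twig->render('greeting.twig', ['name' => $input]);
}

$loader = new ArrayLoader(['greeting.twig' => 'Hello {{ name }}!']);
$twig = new Environment($loader, ['autoescape' => 'html']);

// Hardened, step 2 (defence in depth): if untrusted templates really must
// be compiled (e.g. user-editable themes), enable the sandbox with an
// explicit allow-list. 'filter', 'map', 'reduce' and 'sort' are deliberately
// left out: they take a callable, which is exactly how the payload reaches
// system(). 'escape' stays allowed so autoescaping keeps working.
$policy = new SecurityPolicy(
    ['if', 'for'],                           // allowed tags
    ['escape', 'upper', 'lower', 'length'],  // allowed filters
    [],                                      // allowed methods per class
    [],                                      // allowed properties per class
    ['range']                                // allowed functions
);
// second argument true = every template is sandboxed, not only {% sandbox %} blocks
$twig->addExtension(new SandboxExtension($policy, true));

// Safe path: the payload is printed back as escaped text, not executed.
echo renderSafe($twig, $userInput), PHP_EOL;

// Vulnerable path under the sandbox: the disallowed filter raises a
// SecurityError instead of running a command.
try {
    renderVulnerable($twig, $userInput);
} catch (SecurityError $e) {
    echo 'Blocked by sandbox: ', $e->getMessage(), PHP_EOL;
}
```

The first fix (never compiling user input) is the one that actually removes the bug; the sandbox only limits the damage when compiling untrusted templates is a product requirement, and it is only as good as its allow-list, which is why the callable-taking filters are kept off it.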
Other resources
[1] https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/Server Side Template Injection#twig