The devil is enticing us to commit some sandboxed SSTI feng shui, would you be interested in doing so?
Solver: davex, shm0sby
The task was very simple. We had the source code of the challenge and we knew there was
/flag which might contain our flag. ;)
The challenge used Symfony as application framework and Twig as templating engine.
We simply had to use basic injection on Twig which could be found in .
After entering that into the input field on the home page, we saw the flag.