The devil is enticing us to commit some sandboxed SSTI feng shui, would you be interested in doing so?

Category: web

Solver: davex, shm0sby

Flag: HTB{b3nt_tw1g_t0_my_will!}


The task was very simple. We had the source code of the challenge and we knew there was /flag which might contain our flag. ;)

The challenge used Symfony as its application framework and Twig as its templating engine.

We simply had to use the basic Twig injection technique described in [1].

After entering that into the input field on the home page, we saw the flag.
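To make the bug class behind this challenge concrete from the defender's side, here is an added PHP example (not the challenge's own code, and not a payload): it contrasts the vulnerable pattern, where a request value is compiled as Twig source, with the safe pattern, where the same value only ever enters as a template variable. It assumes `twig/twig` is installed through Composer; the `$_POST['name']` parameter, the `hello.html.twig` template and the sandbox policy contents are constructed for the example.

```php
<?php
// Added example, not the challenge's code. Assumes twig/twig via Composer.
// Constructed values: $_POST['name'], the 'hello.html.twig' template, the policy lists.
require __DIR__ . '/vendor/autoload.php';

use Twig\Environment;
use Twig\Extension\SandboxExtension;
use Twig\Loader\ArrayLoader;
use Twig\Sandbox\SecurityError;
use Twig\Sandbox\SecurityPolicy;

$userInput = $_POST['name'] ?? 'guest'; // attacker-controlled string

// VULNERABLE: the request value becomes Twig *source*, so any {{ ... }} or {% ... %}
// inside it is parsed and evaluated by the engine. This is the SSTI primitive.
function renderVulnerable(Environment $twig, string $userInput): string
{
    return $twig->createTemplate('Hello ' . $userInput)->render([]);
}

// SAFE: the template source is fixed in the loader; the user value is only a
// variable, which Twig autoescapes and never parses as code.
function renderSafe(Environment $twig, string $userInput): string
{
    return $twig->render('hello.html.twig', ['name' => $userInput]);
}

$twig = new Environment(
    new ArrayLoader(['hello.html.twig' => 'Hello {{ name }}']),
    ['autoescape' => 'html']
);

// Defense in depth only: a sandbox policy restricts the tags, filters, methods,
// properties and functions a template may use. It does not make compiling
// untrusted source acceptable; this very challenge is a *sandboxed* SSTI that
// was still solvable. Treat the sandbox as a second layer behind "never
// createTemplate() from user input", not as the fix.
$policy = new SecurityPolicy(
    ['if', 'for'],        // allowed tags
    ['escape', 'upper'],  // allowed filters ('escape' is needed for autoescaping)
    [],                   // allowed methods, per class
    [],                   // allowed properties, per class
    ['range']             // allowed functions
);
$twig->addExtension(new SandboxExtension($policy, true)); // true = sandbox all templates

try {
    echo renderVulnerable($twig, $userInput), PHP_EOL;
} catch (SecurityError $e) {
    // Log rather than echo: a sandbox violation on a user-supplied string is a
    // strong signal of an injection attempt and belongs in detection pipelines.
    error_log('Twig sandbox violation: ' . $e->getMessage());
}

echo renderSafe($twig, $userInput), PHP_EOL;
```

The review question for code like the challenge's is therefore not "is the sandbox configured?" but "does user input ever reach `createTemplate()` or a string-based loader?"; the second function shows the shape that answers no.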



Other resources

[1] Side Template Injection#twig