The chall is shown above...

At first glance, it looks like a SQL injection? PS: a lot of people were indeed using sqlmap, and it made the chall unavailable, despite the rules clearly stating there was no need to use enumeration/auto-exploit tools.

So I was tampering with the username and password form, and whatever I put in the User/Password fields, the response was always the same.

So I was a bit confused, as I had thought at first that this was indeed a SQL injection, but then I took a look at the source code to see how my request was sent.

It is just sending a POST request with my input username and password to /login?

Hmmmmm, so I tried to find other interesting/well-known files like robots.txt,

Now here comes the interesting part! The response page simply reflected the filename we requested back into the HTML page. This instantly rang a bell for me: SSTI.

Essentially, the website is rendered using a template framework such as Jinja, Twig, etc.

And the rest is history....

swisskyrepo/PayloadsAllTheThings

A quick probe with {{7*7}} showed that the engine used to render the HTML page evaluated Python-syntax expressions.

So, let's find out how we can achieve RCE via Jinja/Python modules.

http://dctf1-chall-injection.westeurope.azurecontainer.io:8080/{{''.__class__.mro()[1].__subclasses__()[-64]('cat flag.txt',shell=True,stdout=-1).communicate()[0].strip()}}
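From the defender's side, the same two steps (the {{7*7}} probe and the `__class__`/`mro()`/`__subclasses__` chain) are easy to spot in web server logs. The following is an added example, not part of the original write-up or the challenge: it scans constructed access-log lines for template-expression syntax in the requested path and separates a bare probe from a sandbox-escape attempt. The log lines, regexes and function names are my own assumptions.

```python
import re
from urllib.parse import unquote

# Constructed sample access-log lines (not taken from the challenge server).
SAMPLE_LOG = """\
10.0.0.5 - - [01/Jan/2024:10:00:01 +0000] "GET /robots.txt HTTP/1.1" 404 512
10.0.0.5 - - [01/Jan/2024:10:00:07 +0000] "GET /%7B%7B7*7%7D%7D HTTP/1.1" 404 498
10.0.0.5 - - [01/Jan/2024:10:00:15 +0000] "GET /{{''.__class__.mro()[1].__subclasses__()}} HTTP/1.1" 404 9000
10.0.0.9 - - [01/Jan/2024:10:01:02 +0000] "POST /login HTTP/1.1" 200 1203
"""

# Expression/statement delimiters used by Jinja2- and Twig-style engines.
EXPR_RE = re.compile(r"\{\{.*?\}\}|\{%.*?%\}", re.S)
# Python dunder attributes that appear in template sandbox-escape chains, not in normal URLs.
ESCAPE_RE = re.compile(
    r"__class__|__mro__|mro\(\)|__subclasses__|__globals__|__builtins__|__import__"
)
# Minimal combined-log-format parser: client IP, method, path, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) .*?"(?P<method>[A-Z]+) (?P<path>\S+) HTTP/[\d.]+" (?P<status>\d{3})'
)


def classify_path(path):
    """Return 'probe', 'escape' or None for one requested path."""
    decoded = unquote(unquote(path))  # also catches double-encoded braces (%257B)
    if not EXPR_RE.search(decoded):
        return None
    return "escape" if ESCAPE_RE.search(decoded) else "probe"


def scan_log(text):
    """Return a list of (ip, path, severity) for every request that looks like SSTI."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        severity = classify_path(m["path"])
        if severity:
            findings.append((m["ip"], m["path"], severity))
    return findings


if __name__ == "__main__":
    for ip, path, sev in scan_log(SAMPLE_LOG):
        print(f"{sev:6} {ip} {path}")
```

A 404 page that echoes the path is the usual root cause, so pairing this check with a rule that only renders user input as a template variable (never as part of the template source) closes the hole rather than just logging it.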