PicoCTF Writeup #492
PicoCTF Writeup – Server-Side Template Injection (SSTI)

Recently, I played around with PicoCTF challenge 492. The challenge looked like a simple web app that lets you “announce whatever you want.” Naturally, I fired up my terminal and started poking at it with curl. By the way, we can also visit the website and experiment with the form instead.

    curl -X GET http://rescued-float.picoctf.net:49878/announce -i

Response:

    HTTP/1.1 405 METHOD NOT ALLOWED
    Allow: POST, OPTIONS

Looks like only POST is allowed, so I retried with: ...