It could well be a rabbit hole. Right now I have no way to tell.
However, it is a lab on Jinja2 exploitation, so I think XSS isn't really part of the lab builders' plans.
I have space for 41 characters between the {{ and }} markers, so my options are limited.
I'd like to do an os.popen('id').read() at the very least, but ( and ) are blocked, so that doesn't work. Sending a referer with variations of the (id).read() string didn't work.
Using __getchilditem__ syntax makes some progress but quickly runs out of space.