### Link to Challenge Website

[http://saas.chal.imaginaryctf.org](http://saas.chal.imaginaryctf.org)

-----

### Given Code (app.py)

```
from flask import Flask, render_template, request
import html
import os

app = Flask(__name__)

@app.route('/')
def index():
return render_template('index.html')

blacklist = ["flag", "cat", "|", "&", ";", "`", "$"]

@app.route('/backend')
def backend():
for word in blacklist:
if word in request.args['query']:
return "Stop hacking.\n"
return html.escape(os.popen(f"sed {request.args['query']} stuff.txt").read())
```

-----

### Summary

From reading the source code, we know we can't do command injection because of the blacklist.Sed command gives the original content of the file if the option is empty (ie '').We can't just send ('' flag.txt ) because **flag** is in blacklist.But we can use wildcard (*) to print out the flag.

-----

Solution Link [https://saas.chal.imaginaryctf.org/backend?query='' *](https://saas.chal.imaginaryctf.org/backend?query=%27%27+*)

-----

flag `ictf{:roocu:roocu:roocu:roocu:roocu:roocursion:rsion:rsion:rsion:rsion:rsion:_473fc2d1}`

Original writeup (https://github.com/MikelAcker/CTF_WRITEUPS_2021/tree/main/ImaginaryCTF_2021_Writeup/Web/SaaS).