# 2026 Vibe Predictor

> For the new year, we have a special lab with the hint ***Template Injection***

The first thing I did was walk through the entire app, or the questions in this case. I was fortunate enough to get a good prediction!

I noticed that my name was reflected at the end of the sequence. Normally I would test for ***XSS*** in such a case, but because of the hint, I went to [PayloadAllTheThings](https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Server%20Side%20Template%20Injection/Intruder/ssti.fuzz) and found some payloads. If a basic payload works, I can determine which templating engine is being used and then craft a payload with impact.

{% hint style="info" %}
Remember to try for ***SSTI*** if you have ***XSS*** but find no real impact.
{% endhint %}

The payload `<%= 7*7%>` gave 49 as the result. This means that the engine evaluates the expression inside the tag instead of echoing it back as a string. Because this payload works, I know that the engine used is ***EJS.***

<figure><img src="https://2622029278-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FV7OebgUO4GDe408WfphF%2Fuploads%2FemcMhiveRnCdH8VlwkBC%2Fafbeelding.png?alt=media&#x26;token=ceb3e362-48be-4bba-bb94-1393dcec650b" alt=""><figcaption></figcaption></figure>
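To make the `7*7` → `49` behaviour concrete from the defender's side, here is an added example that is not part of the original write-up and does not use the real `ejs` package: a deliberately minimal EJS-style renderer (only the `<%= expr %>` tag is supported) that, like a real engine, compiles the template into JavaScript. The `renderVulnerable` and `renderSafe` functions, the `containsTemplateDelimiters` check and the "Your name is" template are assumptions made for this illustration. The vulnerable version concatenates the user's name into the template source, so anything inside `<%= %>` is compiled and executed; the fixed version keeps the template fixed and passes the name as data, so the same input is just escaped text.

```javascript
// Minimal EJS-style renderer written for this example (not the ejs package).
// It only understands <%= expr %>, which is enough to show why user input
// must never become part of the template source.
function escapeHtml(value) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(value).replace(/[&<>"']/g, (c) => map[c]);
}

function render(template, data) {
  // Compile the template into JavaScript source, the way a real engine does:
  // literal text becomes string pushes, <%= expr %> becomes an evaluated,
  // HTML-escaped expression.
  let src = 'const out = [];\n';
  let pos = 0;
  const tagRe = /<%=([\s\S]*?)%>/g;
  let match;
  while ((match = tagRe.exec(template)) !== null) {
    src += `out.push(${JSON.stringify(template.slice(pos, match.index))});\n`;
    src += `out.push(escapeHtml((${match[1].trim()})));\n`;
    pos = match.index + match[0].length;
  }
  src += `out.push(${JSON.stringify(template.slice(pos))});\n`;
  src += 'return out.join("");';
  // Data keys are exposed to the compiled template as named parameters.
  const fn = new Function("escapeHtml", ...Object.keys(data), src);
  return fn(escapeHtml, ...Object.values(data));
}

// VULNERABLE (assumed pattern): the user's name is concatenated into the
// template source, so a name of "<%= 7*7 %>" is compiled and evaluated.
function renderVulnerable(userName) {
  return render("Your name is " + userName, {});
}

// FIXED (assumed pattern): the template is a constant; the user's name is
// passed as data and only ever reaches the output through escapeHtml.
function renderSafe(userName) {
  return render("Your name is <%= name %>", { name: userName });
}

// Defensive logging aid: flag inputs that carry common template delimiters
// so attempts like the one in this write-up show up in application logs.
function containsTemplateDelimiters(input) {
  return /<%|%>|\{\{|\$\{/.test(String(input));
}

// Constructed input, the same probe used in the write-up.
const probe = "<%= 7*7 %>";
console.log(renderVulnerable(probe)); // Your name is 49
console.log(renderSafe(probe));       // Your name is &lt;%= 7*7 %&gt;
console.log(containsTemplateDelimiters(probe)); // true
```

The takeaway is that the fix is not to filter `<%` from the input but to stop treating input as template source at all: once the template is a constant and user-controlled values only travel through the data object, the engine never compiles them, and auto-escaping handles the remaining XSS concern. The delimiter check is only a detection aid for logs, not a security control.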

So now it was time to think about something with impact. If you have ***SSTI*** with ***EJS***, you can try to read a file. In this case, we're interested in `flag.txt`, with this payload: `<%= File.open('/flag.txt').read %>`. I tried to fetch the flag, but was unsuccessful. I turned to ChatGPT to provide me with some payloads for ***EJS.*** I was given `<%= JSON.stringify(process.env) %>`. When asked for my name, I entered that payload.

<figure><img src="https://2622029278-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FV7OebgUO4GDe408WfphF%2Fuploads%2FDZNZJO5BcpVvk33F9hS6%2Fafbeelding.png?alt=media&#x26;token=20ca5205-24fc-4408-9ae2-34b31661b6bc" alt=""><figcaption></figcaption></figure>

And apparently, my name is flag 🇧🇪
